Best Cryptographic Attack

0 & 00

Dragondoom

Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86


Best Desktop Bug

Architecturally Leaking Data from the Microarchitecture

Attacking developer tools

Oh Snap! More Lemmings (Local Privilege Escalation in snap-confine)


Best Mobile Bug

1 byte out-of-bounds write in the Google Titan M chip

FORCEDENTRY

Trust Dies in Darkness


Best Privilege Escalation Bug

Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace

SpoolFool

Unprotecting Samsung’s TrustZone implementation by smashing the TZASC configuration


Best Remote Code Execution Bug

Microsoft Exchange Server Remote Code Execution Vulnerability

Tesla RCE

Windows RPC Runtime Remote Code Execution (CVE-2022-26809)


Best Song

Dialed Up

Side channels are everywhere – The theme song of the side channel security sitcom

Utku Şen – Fare


Epic Achievement

THAT VIASAT THINGIE

Yuki Chen’s Windows Server-Side RCE Bugs

pwnkit: Local Privilege Escalation in polkit’s pkexec (CVE-2021-4034)


Lamest Vendor Response

Critical vulnerabilities in HCL DX (Previously known as IBM WebSphere Portal)

Google’s top security teams unilaterally shut down a counterterrorism operation

Heroku Silence


Most Epic Fail

HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains

HiKam – “Hi – I’m (not) your Kam”


Most Innovative Research

Custom Processing Unit: Tracing and Patching Intel Atom Microcode

FirmWire

V-Shuttle: Scalable and Semantics-Aware Hypervisor Virtual Device Fuzzing


Most Under-Hyped Research

Intel BIOS Shared SW Architecture (BSSA) Design for Test (DFT) escalation of privilege

PHP Supply Chain Attack on PEAR

Spoofing IP with IPIP