
Microsoft Names Finalists In Contest For New Security Defenses

Three BlueHat Prize contestants invented ways to mitigate attacks exploiting memory-safety vulnerabilities

Microsoft today named the three finalists, chosen from 20 entries, for its first-ever BlueHat Prize, awarded for the most innovative defense technique against attacks that exploit memory-safety vulnerabilities.

The BlueHat Prize is Microsoft's alternative to a bug bounty: rather than paying researchers to find individual bugs, it challenges them to devise new ways of mitigating whole classes of exploits. Microsoft first announced the contest at Black Hat 2011 in Las Vegas, offering more than $250,000 in cash and prizes for new techniques that mitigate exploits of memory-safety vulnerabilities.

All three finalists submitted entries to thwart attacks that use return-oriented programming (ROP). A ROP attack injects no code of its own: after corrupting the stack, the attacker chains together short instruction sequences ("gadgets") that already exist in the process's executable memory, each ending in a return instruction, so that the sequence of return addresses on the stack drives execution. Because only legitimate, already-executable code runs, ROP sidesteps data execution prevention, which is why it has become the standard way to exploit memory-safety bugs on modern systems. The grand prize winner will be named during Microsoft's Researcher Appreciation Party on July 26 at Black Hat USA in Las Vegas.

Researcher Jared DeMott, who teaches a popular application security course at security conferences, submitted "/ROP," which vets the target address of every return instruction to ensure it is not being used to chain gadgets. Ivan Fratric, a computer scientist and researcher at the University of Zagreb in Croatia, submitted "ROPGuard," a set of runtime checks applied when certain critical functions are called, to detect whether the caller is ROP code. And Vasilis Pappas, a Ph.D. student at Columbia University in New York, created "kBouncer," which detects abnormal control transfers using hardware features already present in commodity processors, according to Microsoft.
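The three entries share an idea that is easy to illustrate: a legitimate return lands at an address immediately preceded by a call instruction, whereas a ROP gadget's return lands wherever the attacker pointed it. The C program below is an added example, not code from any of the contestants or from Microsoft. It decodes a subset of x86-64 call encodings, tests whether a return target is "call-preceded," and applies that predicate to a list of return targets, which could come from a stack walk at the entry of a critical function (the ROPGuard-style check) or from the destinations of return branches in a hardware branch trace (the kBouncer-style check). The byte sequence and the two return-address lists are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-64 byte sequence (not from any real binary): a few call
 * sites whose return addresses are legitimate, plus a "pop rdi; ret" gadget. */
static const uint8_t CODE[] = {
    0x48, 0x83, 0xEC, 0x28,             /*  0: sub rsp, 0x28                   */
    0xE8, 0x12, 0x00, 0x00, 0x00,       /*  4: call rel32     -> returns to 9  */
    0x48, 0x89, 0xC7,                   /*  9: mov rdi, rax                    */
    0xFF, 0xD0,                         /* 12: call rax       -> returns to 14 */
    0x48, 0x83, 0xC4, 0x28,             /* 14: add rsp, 0x28                   */
    0xC3,                               /* 18: ret                             */
    0x5F,                               /* 19: pop rdi        (ROP gadget)     */
    0xC3,                               /* 20: ret                             */
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, /* 21: call [rip+0]   -> returns to 27 */
    0x41, 0xFF, 0xD3,                   /* 27: call r11       -> returns to 30 */
    0xC3,                               /* 30: ret                             */
};

/* Length of the near-call instruction starting at `off`, or 0 if the bytes
 * there are not a call. Handles E8 rel32 and FF /2 (register, memory, SIB and
 * RIP-relative forms), with an optional REX prefix. Far calls and other
 * prefixes are deliberately not handled. */
size_t decode_call_len(const uint8_t *code, size_t code_len, size_t off)
{
    size_t i = off, rex = 0;
    if (i < code_len && (code[i] & 0xF0) == 0x40) { rex = 1; i++; } /* REX prefix */
    if (i >= code_len) return 0;

    if (code[i] == 0xE8)                       /* call rel32 */
        return (i + 5 <= code_len) ? rex + 5 : 0;

    if (code[i] != 0xFF || i + 1 >= code_len) return 0;
    uint8_t modrm = code[i + 1];
    if (((modrm >> 3) & 7) != 2) return 0;     /* FF /2 is call; other /digits are inc, jmp, push... */
    unsigned mod = modrm >> 6, rm = modrm & 7;
    size_t len = 2;                            /* opcode + ModRM */
    if (mod != 3) {                            /* memory operand */
        if (rm == 4) {                         /* SIB byte follows */
            if (i + 2 >= code_len) return 0;
            len += 1;
            if (mod == 0 && (code[i + 2] & 7) == 5) len += 4; /* no base register: disp32 */
        } else if (mod == 0 && rm == 5) {
            len += 4;                          /* [rip + disp32] */
        }
        if (mod == 1) len += 1;                /* disp8 */
        else if (mod == 2) len += 4;           /* disp32 */
    }
    len += rex;
    return (off + len <= code_len) ? len : 0;
}

/* A return target passes only if some call instruction ends exactly at it.
 * Candidate lengths run from 2 (FF /2 register form) to 8 (REX FF ModRM SIB disp32). */
bool is_call_preceded(const uint8_t *code, size_t code_len, size_t target)
{
    for (size_t n = 2; n <= 8 && n <= target; n++)
        if (decode_call_len(code, code_len, target - n) == n)
            return true;
    return false;
}

/* Apply the check to a list of return targets (a stack walk at a critical
 * function's entry, or the `to` addresses of ret branches in a branch trace)
 * and count the returns that do not follow a call: evidence of a ROP chain. */
size_t count_suspicious_returns(const uint8_t *code, size_t code_len,
                                const size_t *targets, size_t n)
{
    size_t bad = 0;
    for (size_t k = 0; k < n; k++)
        if (!is_call_preceded(code, code_len, targets[k])) bad++;
    return bad;
}

/* Constructed inputs: a benign return-address list, and a chain that returns
 * into the gadget at 19 and then into raw instruction starts. */
static const size_t LEGIT_RETURNS[] = { 9, 14, 27, 30 };
static const size_t ROP_CHAIN[]     = { 9, 19, 20, 21 };

int main(void)
{
    printf("benign stack: %zu suspicious returns\n",
           count_suspicious_returns(CODE, sizeof CODE, LEGIT_RETURNS, 4));
    printf("ROP chain:    %zu suspicious returns\n",
           count_suspicious_returns(CODE, sizeof CODE, ROP_CHAIN, 4));
    return 0;
}
```

Two caveats a practitioner should keep in mind. Decoding backwards from an address is heuristic on x86: an immediate or displacement byte can look like a call opcode, so a real implementation should also confirm that the candidate address sits on an instruction boundary. And the check only catches gadgets that are not themselves call-preceded; an attacker who restricts the chain to gadgets that happen to follow call instructions passes this test, which is why such checks are usually combined with further heuristics (stack-pointer sanity, chain length) rather than used alone.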

"Microsoft applauds these researchers who met the challenge and developed defensive solutions that go above and beyond conventional security practices focused on discovering individual issues," said Mike Reavey, senior director, Microsoft Security Response Center. "We can’t wait to see how this initiative will inspire others to explore defensive technology research in order to potentially mitigate entire classes of vulnerabilities."

Critics argued that the contest was merely a way for Microsoft to get others to fix its vulnerability problems. But the winner retains ownership of the intellectual property and only grants Microsoft a license to use it, and researchers whose entries are not selected keep their intellectual property as well.

The grand prize is $200,000; second place, $50,000; and third place, an MSDN Universal subscription valued at $10,000.

"The Microsoft BlueHat contest has definitely encouraged my research into protection technologies," DeMott says.

Pappas concurs. "[The BlueHat Prize] motivated me to implement/evaluate this project idea I had. It’s definitely a very good move, especially because it motivates research on practical defenses."

Microsoft will provide more details on the entries at Black Hat, but has already posted abstracts of the three finalists' submissions.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
