Vulnerabilities / Threats
10:55 AM
Connect Directly
Repost This

Microsoft Names Finalists In Contest For New Security Defenses

Three BlueHat Prize contestants invented ways to mitigate attacks exploiting memory-safety vulnerabilities

Microsoft today named the three finalists among 20 contestants for its first-ever BlueHat Prize for the most innovative defense technique against memory-safety exploitation attacks.

BlueHat is Microsoft's alternative to bug bounties, instead challenging researchers to come up with new ways to mitigate exploits rather than find new bugs. Microsoft first announced the contest at Black Hat 2011 in Las Vegas, saying it would offer more than $250,000 in cash and prizes to contestants who came up with new ways to mitigate exploits specifically aimed at memory-safety vulnerabilities.

The top three contestants submitted entries to thwart attacks that leverage return-oriented programming (ROP), a method used by attackers to employ short snippets of benign code in a system for nefarious purposes. The grand prize winner will be named during Microsoft's Researcher Appreciation Party on July 26 at Black Hat USA in Las Vegas.

Researcher Jared DeMott, who teaches a popular application security course at security conferences, came up with a method called "/ROP," which vets the target addresses of the return instructions to ensure they aren't malicious. Computer scientist and researcher Ivan Fratric of the University of Zagreb in Croatia submitted "ROPGuard," which specifies a set of checks for detecting when certain functions are being called by ROP code. And Vasilis Pappas, a Ph.D. student at Columbia University in New York, created "kBouncer," which detects abnormal control transfers using common hardware features, according to Microsoft.

"Microsoft applauds these researchers who met the challenge and developed defensive solutions that go above and beyond conventional security practices focused on discovering individual issues," said Mike Reavey, senior director, Microsoft Security Response Center. "We can’t wait to see how this initiative will inspire others to explore defensive technology research in order to potentially mitigate entire classes of vulnerabilities."

Critics argued that the contest was merely a way for Microsoft to get others to fix its vulnerability problems. But the winner retains ownership of the intellectual property and grants Microsoft a license to use it. Researchers whose technology isn't selected by Microsoft also still own their intellectual property.

The grand prize is $200,000; second place, $50,000; and third place, an MSDN Universal subscription valued at $10,000.

"The Microsoft BlueHat contest has definitely encouraged my research into protection technologies," DeMott says.

Pappas concurs. "[The BlueHat Prize] motivated me to implement/evaluate this project idea I had. It’s definitely a very good move, especially because it motivates research on practical defenses."

Microsoft will provide more details on the entries at Black Hat, but has posted the abstracts here .

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web