Participants can earn up to $100,000 for finding severe flaws in Microsoft's Linux-based Azure Sphere IoT operating system.

Kelly Sheridan, Former Senior Editor, Dark Reading

May 5, 2020

3 Min Read

Azure Sphere was unveiled in April 2018 as a means to improve security for devices connected to the Internet of Things (IoT). It's made up of three parts: connected microcontrollers, a Linux-based OS and custom kernel to power them, and a security service to protect the connected devices. Azure Sphere hit general availability in February 2020, and now Microsoft is opening it to researchers. 

The Azure Sphere Security Research Challenge builds on an earlier initiative, Azure Security Lab, which Microsoft debuted at Black Hat USA last summer. A group of researchers was invited to test attacks against Internet-as-a-service (IaaS) scenarios using a set of dedicated cloud hosts isolated from Azure customers. At the time, Microsoft doubled the top bounty reward for Azure flaws to $40,000.

The latest research challenge is application-only and will span three months, starting on June 1 and ending on August 31. Researchers must apply before May 15. Microsoft has invited researchers from industry partners participating in the program and will select a total of 50 people, says Sylvie Liu, security program manager at the Microsoft Security Response Center.

If accepted into the Azure Sphere challenge, participants will be provided resources including the Azure Sphere development kit, Azure Sphere product documentation, access to Microsoft products and services for research purposes, and direct communication with Microsoft's team.

"Working with researchers during the initial phase of the Azure Security Lab, we found that resources, documentation, and more regular connections with the program participants and Microsoft teams were key to successful coordinated vulnerability disclosure," Liu says. Based on these learnings, Microsoft will offer participants communication channels and weekly office hours with members of the Azure Sphere engineering team.

"We've also found that it's valuable to learn from both the successful attempts and unsuccessful attempts of researchers," Liu continues. "As a result, we are asking researchers to document and report both successful and unsuccessful attempts in this research challenge."

Microsoft will award up to $100,000 in rewards for two specific scenarios during the program period. One of these is the ability to execute code on Azure Pluton, the security subsystem built into every Azure Sphere microcontroller unit (MCU). Pluton provides a hardware root of trust for the connected device in which the MCU sits. As part of the chip manufacturing process, a unique key is created to be used as the basis for authentication and cryptography.

Azure Sphere's application platform supports two operating environments: Normal World and Secure World. Applications run in an application container in Normal World user mode, where they can access Azure Sphere libraries and a limited amount of OS services, Microsoft explains. The underlying Linux kernel runs in Normal World supervisor mode; the Security Monitor runs in Secure World. Only Microsoft-supplied code can run in supervisor mode or Secure World.

Vulnerabilities discovered outside the scope outlined for this research challenge, including the cloud portion, may qualify for rewards under the public Azure Bounty Program. Physical attacks are out of scope both for this challenge and the public program, Microsoft says.

To launch the Azure Sphere Security Research Challenge, Microsoft teamed up with several technology companies that bring expertise in IoT security research. These partners include Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems (Talos), ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."

 

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights