Quick Hits

Microsoft Names Finalists In Contest For New Security Defenses

Three BlueHat Prize contestants invented ways to mitigate attacks exploiting memory-safety vulnerabilities
Microsoft today named the three finalists among 20 contestants for its first-ever BlueHat Prize for the most innovative defense technique against memory-safety exploitation attacks.

BlueHat is Microsoft's alternative to bug bounties, instead challenging researchers to come up with new ways to mitigate exploits rather than find new bugs. Microsoft first announced the contest at Black Hat 2011 in Las Vegas, saying it would offer more than $250,000 in cash and prizes to contestants who came up with new ways to mitigate exploits specifically aimed at memory-safety vulnerabilities.

The top three contestants submitted entries to thwart attacks that leverage return-oriented programming (ROP), a method used by attackers to employ short snippets of benign code in a system for nefarious purposes. The grand prize winner will be named during Microsoft's Researcher Appreciation Party on July 26 at Black Hat USA in Las Vegas.

Researcher Jared DeMott, who teaches a popular application security course at security conferences, came up with a method called "/ROP," which vets the target addresses of the return instructions to ensure they aren't malicious. Computer scientist and researcher Ivan Fratric of the University of Zagreb in Croatia submitted "ROPGuard," which specifies a set of checks for detecting when certain functions are being called by ROP code. And Vasilis Pappas, a Ph.D. student at Columbia University in New York, created "kBouncer," which detects abnormal control transfers using common hardware features, according to Microsoft.

"Microsoft applauds these researchers who met the challenge and developed defensive solutions that go above and beyond conventional security practices focused on discovering individual issues," said Mike Reavey, senior director, Microsoft Security Response Center. "We can’t wait to see how this initiative will inspire others to explore defensive technology research in order to potentially mitigate entire classes of vulnerabilities."

Critics argued that the contest was merely a way for Microsoft to get others to fix its vulnerability problems. But the winner retains ownership of the intellectual property and grants Microsoft a license to use it. Researchers whose technology isn't selected by Microsoft also still own their intellectual property.

The grand prize is $200,000; second place, $50,000; and third place, an MSDN Universal subscription valued at $10,000.

"The Microsoft BlueHat contest has definitely encouraged my research into protection technologies," DeMott says.

Pappas concurs. "[The BlueHat Prize] motivated me to implement/evaluate this project idea I had. It’s definitely a very good move, especially because it motivates research on practical defenses."

Microsoft will provide more details on the entries at Black Hat, but has posted the abstracts here .

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.