Microsoft Corp.’s Trustworthy Computing Group today announced the top three finalists of its BlueHat Prize, a competition that awards researchers more than $250,000 in cash and prizes for developing new, innovative computer security protection technologies. Microsoft will announce the grand prize winner at its Researcher Appreciation Party on July 26, 2012, following the Black Hat briefings in Las Vegas.
In an effort to mitigate entire classes of vulnerabilities, Microsoft presented this challenge to the industry last August, spurring some of the brightest security minds across the globe. Microsoft was happy to see participation from across the research community and academia. After in-depth evaluation of the entries, Microsoft selected three finalists who each developed unique solutions that hinder attacks that leverage Return Oriented Programming (ROP). ROP is an advanced technique that attackers use to combine short pieces of benign code, already present in a system, for a malicious purpose.
The following, in alphabetical order, are the three finalists:
Jared DeMott. DeMott is a researcher well-known for teaching a course titled “Application Security: For Hackers and Developers” at security conferences. DeMott submitted a BlueHat Prize entry called /ROP, which checks that the target addresses of return instructions, the instructions ROP exploits rely on, are safe.
Ivan Fratric. Fratric earned a Ph.D. in computer science and is a researcher at the University of Zagreb in Zagreb, Croatia. Fratric’s entry, named ROPGuard, defines a set of checks that can be used to detect when certain functions are being called in the context of malicious ROP code.
Vasilis Pappas. Pappas is a Ph.D. student at Columbia University in the City of New York who actively researches information security. Pappas’ submission, called kBouncer, is a ROP mitigation technique that detects abnormal control transfers using common hardware features.
“Microsoft applauds these researchers who met the challenge and developed defensive solutions that go above and beyond conventional security practices focused on discovering individual issues,” said Mike Reavey, senior director, Microsoft Security Response Center. “We can’t wait to see how this initiative will inspire others to explore defensive technology research in order to potentially mitigate entire classes of vulnerabilities.”
Microsoft will reveal more information on the entries at the company’s Researcher Appreciation Party. The company will award one finalist $200,000 for the grand prize, while the first runner-up will win $50,000 and the second runner-up will win an MSDN Universal subscription valued at $10,000.
“Historically, the security industry has focused on rewarding researchers for identifying and reporting individual vulnerabilities,” said Brad Arkin, senior director, security, Adobe products and services. “The BlueHat Prize represents a new and exciting approach that motivates researchers to come up with solutions that will help mitigate entire classes of attacks against customers.”
The official BlueHat Prize competition rules and guidelines are available at http://www.BlueHatPrize.com. Microsoft accepted 20 contest entries from Aug. 3, 2011, until April 1, 2012, with the final entry being received just eight minutes before the deadline. After all the entries were submitted, a panel of Microsoft security engineers judged the submissions based on the following criteria: practicality and functionality (30 percent); robustness — how easy it would be to bypass the proposed solution (30 percent); and impact (40 percent).
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://www.microsoft.com/news. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/news/contactpr.mspx.