Microsoft will reward security researchers in a contest that come up with new security defenses that will help their software better withstand the powerful assaults hackers bring on a daily basis.
One of the powerful attacks is an assault called ROP (return oriented programming), which is a regular staple of attacks used at the annual Pwn2Own hacker contest. It is also in real-world attacks that install malicious software by exploiting garden-variety bugs in widely used pieces of software. ROP works by rearranging benign pieces of code already present in memory to form a malicious payload.
The popularity of ROP grew because of its ability to bypass another security mitigation known as data execution prevention, which companies added to their software over the past decade.
Microsoft unveiled three possible anti-ROP defenses in a blog post announcing three finalists to its own competition. Microsoft’s initiative will award more than $260,000 in cash and prizes for the development of new security protections to make its software more resistant to hack attacks. The BlueHat contest was unveiled at last year’s Black Hat security conference in Las Vegas, and they will name the grand prize winner next month. Microsoft hasn’t said when it expects the technologies to go live, or exactly which products will use them.
The three finalists include Jared DeMott, a security researcher who submitted an entry called “/ROP.” It checks the security of target addresses of return instructions, which undergo regular exploitation in ROP attacks. Ivan Fratric, who earned a PhD in computer science and is a researcher at the University of Zagreb, is another finalist for his entry of ROPGuard. This defines a set of checks that can detect when certain functions end up used in malicious ways. Columbia University PhD student Vasilis Pappas proposed a ROP mitigation called kBouncer, which detects abnormal control transfers using common hardware features.
The winner will receive a grand prize of $200,000, while the first runner-up will take $50,000 and the second runner-up will get a MSDN Universal subscription worth $10,000. The hope of the program is to develop novel defense mechanisms that can block entire classes of software attacks.
Over the past decade, developers from Microsoft, Apple, Google, Adobe, and elsewhere have fortified their code with a growing number of mitigations. They include address space layout randomization, which randomizes memory locations where code loads. The mitigations also include data execution prevention — which prevents data loaded into memory from executing — and sandboxing. That confines Web content and other untrusted data in a closely guarded perimeter, separate from sensitive operating-system functions such as writing files.