Microsoft to hackers: Cash for exploit mitigation inventions

Summary: Microsoft unveils the Blue Hat Prize, a challenge to the security research community to help solve an open problem in exploit mitigation.

LAS VEGAS -- As the annual Black Hat hacker conference kicks off here, Microsoft is turning to the hacker community to help mitigate exploits on the Windows platform.

The world's largest software vendor today announced Blue Hat Prize, an academic challenge aimed at generating new ideas for defensive approaches to support computer security. This year, Microsoft is offering $250,000 in cash and prizes to researchers who design a novel one-time mitigation for memory safety vulnerabilities.

According to Katie Moussouris, senior security strategist lead in Microsoft's Trustworthy Computing group, the overall goal is to "solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions."

Microsoft has used several anti-exploit technologies -- like DEP, ASLR, sandboxes, SEHOP and /SAFESEH -- to put up roadblocks for malicious hackers but, in an evolving cat-and-mouse game, researchers continue to publish bypasses and workarounds to defeat those mitigations.

With the Blue Hat Prize, Microsoft is looking to the security research community to help solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions.

Microsoft referenced the cat-and-mouse game on its challenge web site:

"Two examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP)."

Moussouris touted the Blue Hat Prize as the largest ever reward offer for defensive technologies and said the company is hoping hackers and researchers in academia will take on the challenge of building software that is resistant to the threats seen on the Windows platform.

"The BlueHat Prize has the potential to provide enhanced security for the Windows operating system, as well as for the applications that run on it, which positively impacts independent software vendors," the company said.

The raw details on what Microsoft is looking for:

  • Your Prototype must be submitted as a compressed ZIP no larger than 2 MB containing at least one executable file that demonstrates the solution.
  • Your Prototype must solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions. Two examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP). Note that you are not required to address these and you are not limited to these examples.
  • Your Prototype must be fully functioning and work on Windows and be developed using the Microsoft Windows SDK.
  • The Prototype must have low overhead, meaning CPU and memory cost of no more than 5%.
  • Your Prototype must not have any application compatibility or usability regressions.

The winner will retain intellectual property ownership of the invention but must agree to offer a royalty-free license to Microsoft.

The judging criteria and technical details on the challenge can be found on the Blue Hat Prize site.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...