Microsoft to hackers: Cash for exploit mitigation inventions

Summary: Microsoft unveils the Blue Hat Prize, a challenge to the security research community to help solve an open problem in exploit mitigation.

LAS VEGAS -- As the annual Black Hat hacker conference kicks off here, Microsoft is turning to the hacker community to help harden the Windows platform.

The world's largest software vendor today announced Blue Hat Prize, an academic challenge aimed at generating new ideas for defensive approaches to support computer security.  This year, Microsoft is offering $250,000 in cash and prizes to researchers who design a novel one-time mitigation for memory safety vulnerabilities.

According to Katie Moussouris, senior security strategist lead in Microsoft's Trustworthy Computing group, the overall goal is to "solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions."

Microsoft has used several anti-exploit technologies -- like DEP, ASLR, sandboxes, SEHOP and /SAFESEH -- to put up roadblocks for malicious hackers but, in an evolving cat-and-mouse game, researchers continue to publish bypasses and workarounds to defeat those mitigations.

With the Blue Hat Prize, Microsoft is looking to the security research community to help solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions.

Microsoft referenced the cat-and-mouse game on its challenge web site:

"Two examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP)."

Moussouris touted the Blue Hat Prize as the largest ever reward offer for defensive technologies and said the company is hoping hackers and researchers in academia will take on the challenge of building software that is resistant to the threats seen on the Windows platform.

"The BlueHat Prize has the potential to provide enhanced security for the Windows operating system, as well as for the applications that run on it, which positively impacts independent software vendors," the company said.

The raw details on what Microsoft is looking for:

  • Your Prototype must be submitted as a compressed ZIP no larger than 2 MB containing at least one executable file that demonstrates the solution.
  • Your Prototype must solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions. Two examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP). Note that you are not required to address these and you are not limited to these examples.
  • Your Prototype must be fully functioning and work on Windows and be developed using the Microsoft Windows SDK.
  • The Prototype must have low overhead, meaning CPU and memory cost of no more than 5%.
  • Your Prototype must not have any application compatibility or usability regressions.

The winner will retain intellectual property ownership of the invention but must agree to offer a royalty-free license to Microsoft.

The judging criteria and technical details on the challenge can be found on the Blue Hat Prize site.

Talkback

31 comments
  • RE: Microsoft to hackers: Cash for exploit mitigation inventions

    Sounds like a good idea. Probably should have offered this about 10-15 years ago.
    kstap
    • Good idea??? Hardly...

      @kris_stapley@...

      A good idea would be to remove all the BS restrictions and let the creativity flow. I think they may have just anal-ed themselves out of some good ideas.
      i8thecat3
      • RE: Good idea??? Hardly...

        @i8thecat3

        +1 on loosening restrictions...
        ESPECIALLY this one: "and be developed using the Microsoft Windows SDK."
        DEFleener
  • RE: Microsoft to hackers: Cash for exploit mitigation inventions

    Or Microsoft could, simply, modify the Windows licensing terms to allow one to run disposable Windows VMs in Qubes OS (which uses a Xen hypervisor). And, yes, I'm talking about the desktop.
    Rabid Howler Monkey
    • RE: Microsoft to hackers: Cash for exploit mitigation inventions

      @Rabid Howler Monkey
      Why would you need to modify licensing terms, and why run in a VM?

      Are there problems with Windows that you need to run in a VM?
      daikon
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @daikon Yes Windows is so inherently insecure that it must be run in a VM!
        MSFTWorshipper
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @MSFTWorshipper

        Funny, I haven't had any problems in terms of security since moving onto Windows Vista and off of XP. The Trustworthy Computing Initiative has worked wonders.
        The one and only, Cylon Centurion
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @daikon "Why would you need to modify licensing terms, and why run in a VM."

        A Windows VM for work. A Windows VM for play. A Windows VM for online purchases. A Windows VM for online banking. That's four VMs (in this simple example) all running simultaneously in a Xen hypervisor. Walling off these activity-based VMs from one another enhances security. And what if you want to create another VM to install and run software you want to trial before purchasing? This last VM would be destroyed after one is done with the testing.

        With Microsoft's current licensing paradigm, this would get expensive awful fast as each VM would require a license. Even though it is essentially a desktop PC running Windows.

        @MSFTWorshipper "Windows is so inherently insecure that it must be run in a VM!"

        In its current form (beta), Qubes OS is running Fedora 15. It's not just for Windows.
        Rabid Howler Monkey
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @daikon

        Although on the surface, you appear to be right, the fact of the matter is that there are alternative Windows downloads (that are not pirated versions) that you can get for 60-Day periods (might be mistaken in the amount of time). You would essentially become a "tester" for MS, but, then again--you wouldn't.

        If you install Windows Server 2008, the hypervisor would be your friend. Within your VMs, you could be able to run as many versions of Windows 7 as you like.

        Or, you could simply go the way of the rogue and install pirated versions.

        So, in the end, I agree that MS' licensing structure is quite flawed in regards to running multiple VMs...however, if you're going to go through the trouble of running multiple VMs, 1) You should know enough to take advantage of the "semi-open licenses" offered by Microsoft to run their software for x amount of months, 2) You should know enough to incorporate a sandbox in your security arsenal, 3) You should know enough to not put your computer in an exploitative position.

        I'm sure that MS' inquiry into this added security approach is less about people comfortable enough with computers to even have this conversation, and more about 1) Throwing Apple's security scoff (circa 2005) back in their face, and 2) helping to protect the non-technical computer user while online.

        I agree with kris_... that this should have been their approach years ago. I am at least pleased that with the remnants of their monopolistic empire of the late 90's, that they've begun to use their might for good...at least for now...
        GSystems
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @MSFTWorshipper LOL! Windows is one of the most secure operating systems in existence. It's more secure than OS X, as has been proven by Pwn2Own. Even Apple's own security guru and hacking expert Charlie Miller flat out states Windows and IE are more secure than Apple's offering, and as secure as Linux, if not more so.

        Windows isn't insecure. Windows is targeted by malware creators because it controls 90% of the market. It's not worth their time to target OS X and Linux, because their market share is so small. It's not financially worth it. Although they are starting to hit OS X.

        So it has nothing to do with being insecure, as Apple is starting to find out.
        JoeHTH
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @G-Systems Windows Server 2008 IS NOT designed to use virtualization in support of a desktop environment. Whereas Qubes OS IS designed to use virtualization in support of a desktop environment.

        Qubes OS has a home page. Why don't you have a look at the FAQ and Architecture documents before going off the handle? You'll also note that there is no mention of piracy wrt Windows. In fact, Qubes OS is currently in beta and runs Fedora 15 VMs. Windows AppVMs *may* be implemented in the future. And I'm sure that Windows licensing will all be above-board if and when it happens.
        Rabid Howler Monkey
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @daikon

        Running any OS in a VM allows you to have and keep a secure version on your hard drive. You can check the status by comparing to a checksum on loading. If a rogue program changes the OS, that change will be gone when you next restart the OS. If you update your OS, or add any program, you just regenerate the checksums before you start a new instance.

        Still not foolproof, but it does add an additional layer of protection.

        Many Linux users do this routinely. These Linux users are professionally paranoid. Sometimes, that is a very good thing.

        For some applications and jobs, paranoia is a job requirement.
        YetAnotherBob
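
The verify-on-load routine described in the comment above, as an added example that is not part of the original comment: it checks a golden VM image against recorded SHA-256 digests, boots only from a throwaway copy, and shows where the manifest is regenerated. The file names, directory layout and function names are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    # Stream in 1 MiB blocks so multi-gigabyte disk images never sit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(image_dir):
    # Run on a known-good image, and again after every OS update or install.
    return {p.name: sha256_file(p) for p in sorted(Path(image_dir).iterdir()) if p.is_file()}

def verify(image_dir, manifest):
    # Returns {filename: problem}; an empty dict means the image is unchanged.
    current = build_manifest(image_dir)
    problems = {n: "missing" for n in manifest if n not in current}
    problems.update({n: "modified" for n in manifest
                     if n in current and current[n] != manifest[n]})
    problems.update({n: "unexpected" for n in current if n not in manifest})
    return problems

def start_disposable(golden_dir, manifest, scratch_root):
    # Boot only a verified image, and only from a throwaway copy of it.
    problems = verify(golden_dir, manifest)
    if problems:
        raise RuntimeError(f"golden image failed verification: {problems}")
    run_dir = Path(tempfile.mkdtemp(dir=scratch_root)) / "vm"
    return Path(shutil.copytree(golden_dir, run_dir))

def demo():
    # Constructed sample: two small files stand in for a VM disk and its config.
    with tempfile.TemporaryDirectory() as root:
        golden = Path(root, "golden")
        golden.mkdir()
        (golden / "disk.img").write_bytes(b"\x00" * 4096)
        (golden / "vm.cfg").write_bytes(b"memory=2048\n")
        manifest = build_manifest(golden)   # keep this on the host, out of the guest's reach
        run_dir = start_disposable(golden, manifest, root)
        (run_dir / "disk.img").write_bytes(b"guest write")   # change in the throwaway copy
        clean = verify(golden, manifest)                      # golden image is untouched
        (golden / "disk.img").write_bytes(b"tampered")        # direct change to golden
        return clean, verify(golden, manifest)

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the manifest: store it host-side, read-only or signed, because a manifest the guest can rewrite proves nothing.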
    • RE: Microsoft to hackers: Cash for exploit mitigation inventions

      @Rabid Howler Monkey

      I am doing that now with OSX as the host OS and running Windows VMs in Virtual Box. I have one VM for Visio, one for all my legacy "requires IE" stuff, and one for outside the firewall which I blow away each time. Of course my employer has an enterprise agreement with MS so it's all legal. It would be cool for MS to offer a "home 'enterprise' license" that would allow me to run VMs on my Mint box using Virtual Box.

      Of course that's just my opinion, I could be wrong.

      [edited to fix a typo]
      914four
    • RE: Microsoft to hackers: Cash for exploit mitigation inventions

      @Rabid Howler Monkey -

      How about "don't allow apps to run as root" and force installed apps to not be part of the OS and execute in completely separate memory space (execute apps in VMs or sandboxes for example, not make OS virtual).
      PollyProteus
      • and the A/V makers would cry foul...

        @PollyProteus
        Just like they did with Windows 7, when they weren't allowed to install themselves as Kernel modules... which meant major restrictions on what they could do.
        shryko
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @PollyProteus All that you mention are very good things and will make each individual VM more secure. However, I'd prefer more isolation amongst work, play and online banking.

        P.S. Qubes OS is considering Windows AppVMs for the future.
        Rabid Howler Monkey
    • RE: Microsoft to hackers: Cash for exploit mitigation inventions

      @Rabid Howler Monkey But blowing away and re-establishing a VM won't help you, if while running it your banking passwords and card numbers were copied by malware.
      peter_erskine
      • RE: Microsoft to hackers: Cash for exploit mitigation inventions

        @peter_erskine@... You are correct that there will always be the risk of malware on the web. The Bank of India hack a few years ago is a good example that should not be forgotten.

        However, in this case, the VM is dedicated solely to online banking. Work-related email, web browsing and downloads occur in the work VM. Personal-related email, web browsing and downloads occur in either the home or online purchases VM, as appropriate.

        An added configuration for the online banking VM that I would implement is to whitelist the URLs of the banking sites I visit. Whitelisting URLs can be done in IE (via a very workable hack) and in Firefox via an add-on. This will foil attempts to redirect the web browser to another site that attempts to either capture one's credentials or download nasties.
        Rabid Howler Monkey
  • RE: Microsoft to hackers: Cash for exploit mitigation inventions

    MS could start by implementing 64-bit ASLR. Currently, even 64-bit processes have the same randomization amount as 32-bit processes, despite the fact that 64-bit processes could support trillions of random addresses compared to very little for 32-bit (I believe it's 256 for MS' 32-bit implementation.)

    Also MS would have to make 64-bit programs more viable to use, such as adding the JIT compiled JavaScript engine to the 64-bit engine, currently IE x64 JavaScript is several times slower than the 32-bit one so hardly anyone would use IE x64. Then other browsers would also have to make 64-bit versions viable, but it could be done and eliminate many exploits.
    jamesrayg
    • RE: Microsoft to hackers: Cash for exploit mitigation inventions

      Keep in mind that what we call 64bit processors are really a modified 32bit processor with 64bit processing extensions added. True 64bit processors (IA64) can't run what we call the 64 bit version of Windows or Linux without recompiling the OS bits for IA64 support.

      For your reading pleasure: http://en.wikipedia.org/wiki/X86-64
      PollyProteus