Microsoft to hackers: Cash for exploit mitigation inventions

Microsoft unveils the Blue Hat Prize, a challenge to the security research community to help solve an open problem in exploit mitigation.
Written by Ryan Naraine, Contributor

LAS VEGAS -- As the annual Black Hat hacker conference kicks off here, Microsoft is turning to the hacker community to help harden the Windows platform against exploitation.

The world's largest software vendor today announced the Blue Hat Prize, an academic challenge aimed at generating new ideas for defensive approaches to computer security. This year, Microsoft is offering $250,000 in cash and prizes to researchers who design a novel runtime mitigation technology that blocks the exploitation of memory safety vulnerabilities.

According to Katie Moussouris, senior security strategist lead in Microsoft's Trustworthy Computing group, the overall goal is to "solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions."

Microsoft has shipped several anti-exploit technologies -- DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), the SEHOP and /SAFESEH exception-handler protections, and application sandboxes -- to put up roadblocks for attackers. But in an evolving cat-and-mouse game, researchers continue to publish bypasses and workarounds that defeat those mitigations.

With the Blue Hat Prize, Microsoft is asking that same research community to take on the problem directly. On the challenge web site, the company points to the cat-and-mouse game and names two open problems as examples of what it wants solved:

"Two examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP)."

Moussouris called the Blue Hat Prize the largest reward ever offered for defensive security technology and said the company hopes hackers and academic researchers will take on the challenge of building software that resists the threats seen on the Windows platform.

"The BlueHat Prize has the potential to provide enhanced security for the Windows operating system, as well as for the applications that run on it, which positively impacts independent software vendors," the company said.

The raw details on what Microsoft is looking for:

  • Your Prototype must be submitted as a compressed ZIP no larger than 2 MB containing at least one executable file that demonstrates the solution.
  • Your Prototype must solve an open problem in exploit mitigation or significantly improve the effectiveness of existing mitigation solutions. Two examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP). Note that you are not required to address these and you are not limited to these examples.
  • Your Prototype must be fully functioning, work on Windows, and be developed using the Microsoft Windows SDK.
  • Your Prototype must have low overhead, meaning a CPU and memory cost of no more than 5%.
  • Your Prototype must not have any application compatibility or usability regressions.

The winner will retain intellectual property ownership of the invention but must agree to offer a royalty-free license to Microsoft.

The judging criteria and technical details on the challenge can be found on the Blue Hat Prize site.
