The real impact of Microsoft's Blue Hat prize

Microsoft's Mike Reavey discusses the implications of the defense technologies that emerged from the inaugural Blue Hat prize.
Written by Ryan Naraine, Contributor

Guest editorial by Mike Reavey


Summer is a special time of year for us in Microsoft Security Response Center (MSRC). One, we finally start to see glimmers of sunshine in Seattle. Two, we see an increase in vulnerability reports from students that have more free time away from school. And three, it means the security community is converging in Las Vegas for the Black Hat and DEFCON security conferences. This will be my twelfth consecutive Black Hat/DEFCON. I still have the DEFCON cap I bought at my first one 12 years ago, and wear it each year. And while my actual hat hasn’t changed (other than having become pretty tattered), the metaphorical hat I’ve been wearing has definitely evolved over the years.

Initially, I went purely to be educated. I was a member of the US Air Force, charged with protecting Air Force networks. I went to talks and approached the conference in much of the same way many of our customers do – to understand how to protect the networks and systems I was assigned to secure. Later, as a Microsoft employee in the early 2000’s, it was as a participant. I was able to meet, greet, and hear directly from the researchers I’d been working with through the Microsoft Security Response Center (MSRC) throughout the year. We also sponsored the event, threw the first ever researcher appreciation party at Black Hat and even gave a handful of talks. For the last few years I attended as a collaborator, and I hope in some ways, as part of a team viewed as innovators. Black Hat has become the event for Microsoft to launch programs and initiatives aimed directly at working with and harnessing the unique energy present within our community of researchers and defenders.

In this year’s MSRC Progress Report [PDF] we highlight the impact of the programs we launched at Black Hat over the years. MAPP, Exploitability Index, and MSVR were all launched in 2008. Our initial launches featured programs the community hadn’t seen before. We decided to share vulnerability information with security partners before updates were released with a program called the Microsoft Active Protections Program (MAPP). We tried to predict which vulnerabilities are the most likely to (and even scarier--would not) get exploited with a new concept called the Exploitability Index. And we resolved to report vulnerabilities in other companies’ products through Microsoft Security Vulnerability Research (MSVR)!

While all were risky, we designed each of those programs based on valuable community feedback and participation, and to better protect our customers. Today, over 1 billion users are safer because of information shared through MAPP each year, and the time it takes security vendors to create protection has reduced at least threefold. In the last year, folks using the Exploitability Index, and running our latest software, can reduce updates they need to rapidly deploy by 76%. Additionally, in just the last 12 months we reported 96 vulnerabilities across 39 different vendors in a safe and coordinated way through MSVR. More detail on each of these programs can be viewed in the progress report itself.

It was also one year ago this week that we took an unconventional approach and announced a challenge to the security researcher community. Instead of focusing on finding shortfalls in products, we attempted to inspire new lines of research and encourage innovative solutions that could help mitigate entire classes of attacks. We called it the BlueHat prize, and last night, we gave $200,000.00 to the inaugural winner, Vasilis Pappas. Additionally, we awarded $50,000.00 to Ivan Fratric and $10,000.00 to Jared DeMott. If you didn’t get a chance to be at the party, you can watch the announcement video we posted this morning.

This contest challenged security researchers to design a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities. By the time the contest closed in April 2012, we received 20 qualified entries. Proposals came from all over the world and spanned the entire industry from the research community to academia. In the end, the finalists all chose to create mitigations that prevent Return Oriented Programming (ROP) exploits from succeeding.

To me, this level of participation was amazing, and awarding large cash prizes to the best of the best felt great, but it was really just the first step. On Wednesday, we released an early version of the freely available Enhanced Mitigation Experience Toolkit (EMET) tool that incorporates some of the technology designed by one of our finalists. Our MSRC-E engineers quickly implemented Ivan Fratric’s “ROP Guard,” and it’s now ready to help protect computer-users world-wide through the EMET 3.5 Tech Preview. The fact that the BlueHat Prize has gone from an initial announcement to real protection within a single calendar year shows the positive impact that is possible through collaboration between vendors and the security community.

Security is a tough job, and no one knows that better than the folks in the security researcher community. It’s tough to design great defenses, and it’s tough to make them work in a way that individuals will accept them. Here in the MSRC, we often talk about making insecurity a tough job too. We want to make it as hard as possible for an attacker to get a successful exploit to work (maybe to the point it becomes too expensive in time and effort for them to try), and as easy as possible for our customers to stay protected.

In my opinion, EMET is a major step forward in this effort. As a freely available tool containing advanced protections, it can easily be used on home machines, to protect against known, and unknown, vulnerabilities. And, with the release of EMET 3.0 last May, it can be rolled out across an entire enterprise. EMET will even alert if it has blocked a potential attack in a way that integrates with a corporation’s detection and response process. Even in an enterprise that is fully updated against known vulnerabilities, EMET provides defenses that protect assets from the yet unknown threats and provides administrators breathing room.

Since the day I joined Microsoft, it’s been humbling to think about the sheer number of people that we help protect in our role in the Trustworthy Computing (TwC) Security group. But we are not alone. By working with the security community, and launching programs like MAPP, MSVR, and more recently, challenges like the BlueHat Prize, we can help build a community of defenders all working together to tangibly impact the protections available for our customers.

At Microsoft, we’re committed to improving computer security and the online experience for all of our customers. The BlueHat Prize is just one area where our defensive thinking has led to better protections. But we know our work isn’t done. During Black Hat, we gave away $20,000.00 as part of a sweepstakes where we asked the community what represents the most pressing industry-wide security issue so we can start tackling even more challenges. We will continue to make investments through our own security science and engineering efforts, but we will also continue to work with our industry partners and security researchers.

This type of work isn’t easy, and the current condition of my DEFCON cap proves that if nothing else does, but working together with the community and industry can help make the journey safer for all.

* Mike Reavey is a director of the Microsoft Security Response Center (MSRC).
