Microsoft has awarded over $250,000 to three winners of its first ever BlueHat Prize contest, all of whom submitted solutions designed to counter ROP attacks.
In case you haven't heard of ROP (Return Oriented Programming) it is a very basic attack mechanism. Essentially the attacker takes control of the call stack and uses it to execute pre-existing chunks of code. By picking the right chunks of code it is possible to put together any program the attacker wants without injecting any new code into the machine. In essence the stack pointer becomes a surrogate instruction pointer incremented when each subroutine returns - hence Return Oriented Programming.
The BlueHat Prize was announced at last year's BlackHat security conference and was the first and largest incentive prize ever offered by Microsoft, to be awarded for finding a way to blocking entire classes of attacks on memory vulnerabilities in Windows. Contestants had until 1st April 2012 to submit their entries and over 20 submissions were made by the deadline.
The names of the three finalists and brief descriptions of their solutions were revealed in June as:
- Jared DeMott, a researcher well-known for teaching a course titled "Application Security: For Hackers and Developers" at security conferences. His submission, /ROP, checks to ensure that target addresses of return instructions, which ROP exploits use, are safe.
- Ivan Fratric has a Ph.D. in computer science and is a researcher at the University of Zagreb, Croatia. His submission, ROPGuard, defines a set of checks that can be used to detect when certain functions are being called in the context of malicious ROP code.
- Vasilis Pappas is a Ph.D. student at Columbia University in the City of New York who actively researches information security. His submission, kBouncer, is a ROP mitigation technique that detects abnormal control transfers using common hardware features.
These three developers had to wait a further month to find out which of them was the winner - knowing that there was a big disparity between the prizes: $200,000 for the winner, $50,000 for the runner up and just $10,000 worth of MSDN subscription for the second runner up.
The suspenseful award ceremony took place at the Microsoft Researcher Appreciation Party during BlackHat USA 2012 and can be viewed below:
Jared DeMott was the winner of the MSDN subscription but in the event was also awarded a cash prize of $10,000. Second prize went to Vasilis Papas and Ivan Fratric was the overall winner.
Prior to the award ceremony, Microsoft had announced that the latest Technical Preview version of its Enhanced Mitigation Experience Toolkit (EMET 5.3), a tool that systems administrators can use to help mitigate vulnerabilities and detect exploitation attempts, had already incorporated ROP mitigation's that had come directly from BlueHat submissions.
A technical analysis of the three prizewinning submissions, and details of the judges' scoring has now been posted on the Security Research & Defense TechNet Blog and there are also interviews with the three finalists where they explain their solutions.