
Finalists in Microsoft's $250K contest take on 'most-pressing' exploit tactic

All three finalists submit new ways to stymie ROP attacks, used by Stuxnet and other first-class exploits

June 22, 2012 12:15 PM ET

Computerworld - Microsoft yesterday announced that each of the three finalists in its $250,000 BlueHat Prize security contest came up with ways to detect and stymie one of the most effective exploit methods now being used by hackers.

The three finalists -- two from the U.S., the other from Croatia -- took different tacks to block return-oriented programming, or ROP, a technique often used to sidestep DEP, or data execution prevention, one of Windows' primary anti-exploit technologies.

"It's an obvious reflection on the most pressing attack vector hitting systems right now," said Andrew Storms, director of security operations at nCircle Security, commenting on the fact that the ROP technique was the subject of each of the finalists' entries.

Microsoft kicked off the BlueHat Prize competition last August as a way to tap into the expertise of top-notch security researchers without setting up a bug bounty program -- a course of action the company has consistently dismissed.

"It seemed to us that to take an approach to block entire classes was the best way to engage with the research community and protect customers," Katie Moussouris, a senior security strategist at Microsoft, said last year during the news conference at which the contest was announced.

The BlueHat Prize competition features a $200,000 award for first place, $50,000 for second place, and a subscription to Microsoft's developer network, valued at $10,000, for third place. The three finalists will be flown to next month's Black Hat security conference in Las Vegas, where Microsoft will reveal the results July 26.

The finalists announced Thursday are Jared DeMott, a security researcher employed by Florida-based Harris Corp., a major defense and aerospace contractor; Ivan Fratric, a researcher at the University of Zagreb in Croatia; and Vasilis Pappas, a Ph.D. student at Columbia University.

All three worked alone -- contradicting earlier speculation that teams might have an advantage in the competition -- and wrapped up their work one to two weeks before the deadline.

And each researcher tackled the same problem -- ROP -- and explained why in much the same way as Storms.

"I focused on ROP because it is the current state-of-the-art in exploit development and a burning issue in exploit prevention," said Fratric in an email reply to questions. "Furthermore, it is a very difficult problem to solve, so it was an interesting challenge."

DeMott echoed Fratric's sentiments. "I targeted ROP because it is currently the most-used technique to exploit fully-compiled software," he said, also via email.

But while DeMott, Fratric and Pappas all attacked ROP, they came up with different solutions.

DeMott, who calls his technology "/ROP" to match the names of Microsoft-made defenses, such as "/GS" and "/NXCompat," said his answer to ROP checks the target address of each return instruction, whether intended or not, and then compares it to a whitelist.


