Finalists in Microsoft's $250K contest take on 'most-pressing' exploit tactic
All three finalists submit new ways to stymie ROP attacks, used by Stuxnet and other first-class exploits
Computerworld - Microsoft yesterday announced that each of the three finalists in its $250,000 BlueHat Prize security contest came up with ways to detect and stymie one of the most effective exploit methods now being used by hackers.
The three finalists -- two from the U.S., the other from Croatia -- took different tacks to block return-oriented programming, or ROP, a technique often used to sidestep DEP, or data execution prevention, one of Windows' primary anti-exploit technologies.
"It's an obvious reflection on the most pressing attack vector hitting systems right now," said Andrew Storms, director of security operations at nCircle Security, commenting on the fact that the ROP technique was the subject of each of the finalists' entries.
Microsoft kicked off the BlueHat Prize competition last August as a way to tap into the expertise of top-notch security researchers without setting up a bug bounty program -- a course of action the company has consistently dismissed.
"It seemed to us that to take an approach to block entire classes was the best way to engage with the research community and protect customers," Katie Moussouris, a senior security strategist at Microsoft, said last year during the news conference at which the contest was announced.
The BlueHat Prize competition features a $200,000 award for first place, $50,000 for second place, and a subscription to Microsoft's developer network, valued at $10,000, for third place. The three finalists will be flown to next month's Black Hat security conference in Las Vegas, where Microsoft will reveal the results July 26.
The finalists announced Thursday are Jared DeMott, a security researcher employed by Florida-based Harris Corp., a major defense and aerospace contractor; Ivan Fratric, a researcher at the University of Zagreb in Croatia; and Vasilis Pappas, a Ph.D. student at Columbia University.
All three worked alone -- contradicting earlier speculation that teams might have an advantage in the competition -- and wrapped up their work one to two weeks before the deadline.
And each researcher tackled the same problem -- ROP -- and explained why in much the same way as Storms.
"I focused on ROP because it is the current state-of-the-art in exploit development and a burning issue in exploit prevention," said Fratric in an email reply to questions. "Furthermore, it is a very difficult problem to solve, so it was an interesting challenge."
DeMott echoed Fratric's sentiments. "I targeted ROP because it is currently the most-used technique to exploit fully-compiled software," he said, also via email.
But while DeMott, Fratric and Pappas all attacked ROP, they came up with different solutions.
DeMott, who calls his technology "/ROP" to match the names of Microsoft-made defenses, such as "/GS" and "/NXCompat," said his answer to ROP checks the target address of each return instruction, whether intended or not, and then compares it to a whitelist.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts