Security contest winners all took aim at return-oriented programming, or ROP, in an effort to eliminate one of the most common attack vectors against Windows.
LAS VEGAS - A year ago at the Black Hat 2011
event, Microsoft announced the Blue Hat Prize. The goal is simple: It motivates
security researchers to come up with a new defensive technology for
At the 2012 Black Hat conference, Microsoft
followed up with a new set of Blue Hat prizes that included one winner and a
pair of runners-up. These researchers all produced technology that could serve
to eliminate an entire class of attacks against Windows.
On July 26, Microsoft awarded the top prize
of $200,000 to researcher Vasilis for his tool called kBouncer. Other researchers
receiving prizes were Ivan Fratric, who won $50,000 for ROPGuard, and Jared
DeMott, who won $10,000 for /ROP.
"We put out a challenge with Blue Hat,
and we didn't want to be reactive," said Yunsun Wee, director, Incident
Response Communication for Trustworthy Computing at Microsoft. "We got
security researchers to focus on defense instead of one-off
ROP, or return-oriented programming, is a key
exploitation technique used in many modern attacks. With ROP, the attacker is
able to execute code within the normal parameters of a running program, making
it difficult to stop. That's why all three finalists won for ROP-related
efforts, as it's something that Microsoft is keen on eliminating as a threat
kBouncer is an efficient and fully
transparent ROP mitigation technique, according to Microsoft. While kBouncer
was the winning idea, Microsoft is already making full use of the second prize
winner's ROPGuard in a product shipping to millions of users worldwide today.
Earlier this week, Microsoft released version
3.5, which includes the ROPGuard technology. While the Blue Hat prize winners
were just announced, the contest actually ended in April, and Microsoft was
eager to take advantage of the technology.
Dustin Childs, group manager, Response
Communications for Trustworthy Computing at Microsoft, said that when ROPGuard
was incorporated into EMET, it was not yet known whether that technology would be the winner
of the Blue Hat Prize.
Childs explained that ROPGuard provides some
additional checks to see if a program is pulling code that it shouldn't be
"When you have an exploit that uses ROP,
the program touches stuff that it shouldn't," said Childs. "So this
checks to see if the calls are legitimate and if it sees something suspicious
and there is a potential vulnerability, it will kill the call before the system
Another interesting part about ROPGuard is
that it isn't necessarily aware of what the root vulnerability is. Wee added
that ROP uses legitimate calls, but with ROPGuard, Microsoft users are able
to get protection against issues that otherwise might be unknown.