Microsoft announced the Blue Hat contest to encourage researchers to develop runtime mitigation technologies to prevent attackers from exploiting memory vulnerabilities.
Microsoft announced a contest to encourage security
researchers to think about defensive security technology.
Dubbed the Blue Hat contest, researchers would submit the
"most effective ways to prevent the use of memory safety
vulnerabilities," Microsoft said Aug. 3 at the annual Black Hat security
conference in Las Vegas. The Microsoft BlueHat Prize contest
$250,000 in cash prizes for the best "innovations in runtime mitigation
technologies," according to Microsoft.
Microsoft wants to encourage security experts to think about
"ways to reduce threats to computing devices," Katie Moussouris,
senior security strategist lead for the Microsoft Security Response Center said
at the press conference announcing the contest. BlueHat was a way to
"capture" their imagination and energies to focus on "tough
industry problems" instead of on black hat activities, Moussouris told
Contest submissions must be a runtime mitigation technology
capable of preventing the exploitation of memory safety vulnerabilities,
according to the official contest rules. Those kinds of vulnerabilities, such
as return-oriented programming and just-in-time spraying, are often exploited
as buffer overflows by attackers.
With the increase in criminal attacks on private and
government computer systems, Microsoft wants to focus research in defensive
technology, Moussouris said. The cash prize may encourage security experts to
think about ways to "reduce threats to computing devices," she said.
is another example of Microsoft leading the pack when it comes to information
security milestones," said Andrew Storms, director of security operations
at nCircle, noting the company is already known for Address space layout randomization
(ASLR) and Data Execution Prevention (DEP).
BlueHat is different from bug bounty programs offered by
Google, Mozilla and Facebook
in that Microsoft doesn't want to hear about
vulnerabilities, but wants to get researchers involved in coming up with ways
to fix the issues, Moussouris said.
always talks, so this contest should rally the base of security
researchers," Storms said.
Security was a "cat and mouse" game as attackers
find new holes and defenders close them, Moussouris said, acknowledging that
once a winner was announced, attackers will be focusing on the new technology
to try to find new vulnerabilities. Despite the fact that attackers are finding
holes in ASLR and DEP, overall, these two mitigation technologies have made
modern operating systems more secure.
Since there will "always" be bugs in software,
the ideal scenario is one where "even if a bug is found, it cannot be used
as an attack vector because defensive security technologies prevent it from
being used that way," Storms said. BlueHat would move the industry closer
to that scenario, he said.
Microsoft will accept submissions from Aug. 3 to April 1,
2012. The winners will be announced at Black Hat 2012, Microsoft said. Judges
will rate the submissions on practicality (30 percent), robustness (30 percent)
and impact (40 percent), the company said. Judges will come from security
researchers within Microsoft who are experts in the kinds of threats that could
exploit the vulnerabilities, Moussouris said.
The grand prize winner will receive $200,000 and the second
place $50,000. The third place winner will receive a Universal Subscription to
Microsoft Developer Network platform, valued at $10,000. The inventor retails
ownership of the intellectual property and grants Microsoft a license to the
technology. Researchers who don't win still own their intellectual property.
The prize "should attract plenty of industry talent and
will bring valuable outside, creative approaches to Windows security,"
said Wolfgang Kandek, CTO of Qualys.