LAS VEGAS A year ago at the Black Hat 2011 event, Microsoft announced the Blue Hat Prize. The goal is simple: It motivates security researchers to come up with a new defensive technology for Windows.
At the 2012 Black Hat conference, Microsoft followed up with a new set of Blue Hat prizes that included one winner and a pair of runners up. These researchers all produced technology that could serve to eliminate an entire class of attack against Windows.
On July 26, Microsoft awarded the top prize of $200,000 to researcher Vasilis for his tool called kBouncer. Other researchers receiving prizes were Ivan Frantric, who won $50,000 for ROPGuard, and Jared DeMott, who won $10,000 for /ROP.
“We put out a challenge with Blue Hat, and we didn’t want to be reactive,” said Yunsun Wee, director, Incident Response Communication for Trustworthy Computing at Microsoft. “We got security researchers to focus on defense instead of one-off vulnerabilities.”
ROP, or return-oriented programming, is a key exploitation technique used in many modern attacks. With ROP, the attacker is able to execute code within the normal parameter of a running program, making it difficult to stop. That’s why all three finalists won for ROP-related efforts, as it’s something that Microsoft is keen on eliminating as a threat vector.
kBouncer is an efficient and fully transparent ROP mitigation technique, according to Microsoft. While kBouncer was the winning idea, Microsoft is already making full use of the second prize winner’s ROPGuard in a product shipping to millions of users worldwide today.
Earlier this week, Microsoft released version 3.5, which includes the ROPGuard technology. While the Blue Hat prize winners were just announced, the contest actually ended in April, and Microsoft was eager to take advantage of the technology.
Dustin Childs, group manager, Response Communications for Trustworthy Computing at Microsoft, said that when ROPGuard was incorporated into EMET, it was unknown if that technology would be the winner of the Blue Hat Prize.
Childs explained that ROPGuard provides some additional checks to see if a program is pulling code that it shouldn’t be pulling.
“When you have an exploit that uses ROP, the program touches stuff that it shouldn’t,” said Childs. “So this checks to see if the calls are legitimate and if it sees something suspicious and there is a potential vulnerability, it will kill the call before the system is exploited.”
Another interesting part about ROPGuard is that it isn’t necessarily aware of what the root vulnerability is. Wee added that ROP uses legitimate calls but with ROPGuard, and Microsoft users are able to get protection against issues that otherwise might be unknown.