|BlueHat Prizes Awarded|
|Written by Sue Gee|
|Monday, 30 July 2012|
Microsoft has awarded over $250,000 to three winners of its first ever BlueHat Prize contest, all of whom submitted solutions designed to counter ROP attacks.
In case you haven't heard of ROP (Return Oriented Programming) it is a very basic attack mechanism. Essentially the attacker takes control of the call stack and uses it to execute pre-existing chunks of code. By picking the right chunks of code it is possible to put together any program the attacker wants without injecting any new code into the machine. In essence the stack pointer becomes a surrogate instruction pointer incremented when each subroutine returns - hence Return Oriented Programming.
The BlueHat Prize was announced at last year's BlackHat security conference and was the first and largest incentive prize ever offered by Microsoft, to be awarded for finding a way to blocking entire classes of attacks on memory vulnerabilities in Windows. Contestants had until 1st April 2012 to submit their entries and over 20 submissions were made by the deadline.
The names of the three finalists and brief descriptions of their solutions were revealed in June as:
These three developers had to wait a further month to find out which of them was the winner - knowing that there was a big disparity between the prizes: $200,000 for the winner, $50,000 for the runner up and just $10,000 worth of MSDN subscription for the second runner up.
The suspenseful award ceremony took place at the Microsoft Researcher Appreciation Party during BlackHat USA 2012 and can be viewed below:
Jared DeMott was the winner of the MSDN subscription but in the event was also awarded a cash prize of $10,000. Second prize went to Vasilis Papas and Ivan Fratric was the overall winner.
Prior to the award ceremony, Microsoft had announced that the latest Technical Preview version of its Enhanced Mitigation Experience Toolkit (EMET 5.3), a tool that systems administrators can use to help mitigate vulnerabilities and detect exploitation attempts, had already incorporated ROP mitigation's that had come directly from BlueHat submissions.
A technical analysis of the three prizewinning submissions, and details of the judges' scoring has now been posted on the Security Research & Defense TechNet Blog and there are also interviews with the three finalists where they explain their solutions.
or email your comment to: firstname.lastname@example.org
To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin, or sign up for our weekly newsletter.
|Last Updated ( Monday, 30 July 2012 )|