Microsoft Kicks Off $250,000 Security Contest

Microsoft today launched a $250,000 contest for researchers who develop defensive security technologies that deal with entire classes of exploits.

Microsoft today launched a $250,000 contest for researchers who develop defensive security technologies that deal with entire classes of exploits.

The total cash awards for Microsoft's "BlueHat Prize" contest easily dwarfs any bug bounty that's been given by rivals.

Google, for instance, which pays for Chrome vulnerability reports, has spent just over $110,000 so far this year, putting it on a pace to hand out about $190,000 in 2011.

Microsoft said the competition is an effort to tap researchers' brains for something bigger than a vulnerability here, a bug there.

"We want to make it more costly and difficult for criminals to exploit vulnerabilities," said Katie Moussouris, a senior security strategist lead at Microsoft, in a news conference today. "We want to inspire researchers to focus their expertise on defensive security technologies."

The company announced the contest as this year's Black Hat security conference got under way today in Las Vegas.

Moussouris said that Microsoft rejected the idea of a bug bounty program , and instead came up with the contest, which kicks off today and runs through April 1, 2012. Winners will be announced at next year's Black Hat security conference.

"Overall, it seemed to us that to take an approach to block entire classes was the best way to engage with the research community and protect customers," said Moussouris when asked by Computerworld why the company did not institute a bug bounty program instead.

Moussouris cited statistics today that showed Microsoft does not need a bug bounty program similar to the one that Google operates for its Chrome browser, or that HP TippingPoint runs to acquire vulnerabilities on multiple operating systems, including Windows and Mac OS X, or Microsoft or third-party applications.

According to Moussouris, 90% of security researchers who privately report vulnerabilities to Microsoft do so directly rather than submitting them to a bug broker such as TippingPoint.

She also argued that bounties -- which for Google max out at just over $3,000 -- are a far cry from the money to be made by selling them on the black market.

Andrew Storms, the director of security operations at nCircle Security, called the contest "a fabulous idea" as he agreed with Moussouris. "Historically, most of the bugs are coming directly to them, so a bug bounty wouldn't be the best use of their money at the moment," said Storms.

And he applauded Microsoft for thinking outside the box.

"They're taking a forward-looking thought process here, and putting money behind it," said Storms. "I'm bullish on this because it's something new and different, and the security industry needs more new and different. We're sort of in a hamster cage right now with bugs."

The BlueHat Prize will award $200,000 to the first-place winner, $50,000 for second place, and a subscription to Microsoft's developer network as the third-place award. The three winners will be flown to next year's Black Hat by Microsoft, which will announce the contest results then.

Microsoft has posted contest details on its website, where it said it was hoping researchers would come up with "a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities."

For Storms, that sounded like Microsoft was looking for a technology or technique to mitigate so-called "return-oriented programming," or ROP vulnerabilities.

ROP is a focus of researchers right now, said Storms, because it can be used by attackers to sidestep current Windows security technologies like ASLR, or address space layout randomization. ASLR is an anti-exploit technology used in Windows to make it more difficult for hackers to predict available blocks of memory that are available to execute their malicious code.

Storms described ROP as piecing together function calls in ways that are not intended, and can be used for some advantage to the attacker in order to load code into memory.

"There's always going to be some bit of memory that could be useful for ROP," said Storms. "If Microsoft is able to do away with the ROP method of execution, that's a big win."

BlueHat Prize winners will retain the intellectual rights to their invention, but must license it to Microsoft on a royalty-free basis, said Moussouris. Eligible entries must provide a prototype that runs on Windows and be developed using the Windows SDK (software developer kit), according to the contest rules .

A panel of Microsoft employees from the Microsoft Security Response Center (MSRC), the Windows group and Microsoft's research arm will judge the entries.

"Microsoft knows there will always be bugs in its code, but a defensive technology to add to ASLR and DEP [data execution prevention, another anti-exploit safeguard in Windows] will prevent those bugs from being actionable," said Storms.

But the contest's payback could be years down the road.

"I think [the technology] could show up in Windows 9, or maybe in a version of IE, like IE 11 or IE 12," said Storms. "Windows 8 is already over the hump in their production cycle."

It's possible Microsoft would be able to integrate the winning technology in a service pack for Windows 8, which is expected to debut next year, perhaps as early as April or as late as next fall, Storms added.

"It's one thing for someone to come up with the idea and prototype, it's another for Microsoft to actually implement it in Windows," Storms said.

Microsoft hasn't committed to rerunning the contest next year, but said today that it would evaluate this first run, then determine how or if the competition changes in the future.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2011 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.