Researcher wins $200,000 prize from Microsoft for new exploit mitigation technology

Security researcher and Columbia University PhD student Vasilis Pappas was announced the winner of the Microsoft BlueHat Prize contest for an exploit mitigation technology called “kBouncer” which is designed to detect and prevent return-oriented programming (ROP), a popular vulnerability exploitation technique.

Microsoft launched the BlueHat Prize contest one year ago at the Black Hat USA 2011 security conference in order to motivate security researchers to develop new anti-exploitation techniques. Pappas received a check for US$200,000 during the award ceremony event in Las Vegas on Thursday.

As part of the contest rules, Microsoft received a royalty-free license to use any of the submitted technologies, but their creators retain the intellectual property rights over them.

ROP is frequently used in exploits that target memory safety vulnerabilities like buffer overflows, which can result in the unauthorized execution of arbitrary code.

The technique makes exploits more reliable and allows attackers to get around security mechanisms present in modern operating systems, like Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR), said Carsten Eiram, chief security specialist at vulnerability research firm Secunia.

Kbouncer was one of the three exploit mitigation technologies selected by Microsoft for the BlueHat Prize finals from a total of 20 entries that qualified.

Pappas worked on other exploit mitigation technologies in the past and already had the idea behind kBouncer in his head, he said. The BlueHat contest provided an opportunity to put it into practice.

The researcher doesn’t have any concrete plans yet for the technology or the $200,000 prize money that he received from Microsoft.

The other two technologies that made into the final also focused on ROP prevention. They were developed by security researchers Jared DeMott and Ivan Fratric.

Fratric won second place and a $50,000 prize with his concept called “ROPGuard,” while DeMott won an MSDN subscription valued at $10,000 and an additional $10,000 for his approach called “/ROP”.

All three technologies proposed by the finalists should make it harder for attackers to exploit certain types of vulnerabilities, Carsten said. However, it will take time for them to be implemented properly and vulnerability researchers will probably come up with different exploit approaches by then, he said.

Fratric’s “ROPGuard” idea has already been implemented in the 3.5 Technology Preview version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) — a specialized security tool that can be used by system administrators to apply exploit mitigation technologies to other applications at runtime.

One of Microsoft’s core strategies is to implement exploit mitigations in its products, said Mike Reavey, senior director of the Microsoft Security Response Center. It’s already been done with Ivan Fratric’s technique and the other ideas are being evaluated, he said.

Microsoft intends to have a second edition of the BlueHat Prize contest, but the details are still being worked out, said Yunsun Wee, a director in the Trustworthy Computing Group at Microsoft.

The company conducted a survey at this year’s edition of the Black Hat security conference in order to determine what attendees feel are some of the biggest security issues at the moment. The answers could be used to set the focus for the next BlueHat Prize contest.