Microsoft is seeking new ways to block attackers from targeting weaknesses in Windows and other products and hopes a new contest could help fuel innovative security defenses.
The software giant’s BlueHat Prize, a year-long contest, aims to foster research into new technologies that prevent attackers from exploiting memory safety vulnerabilities, an area the company says has been its main focus. The contest was announced against the backdrop of the Black Hat 2011 security conference, where it drew high praise from independent researchers and other infosec pros.
“Even people critical of Microsoft are seeing this as the company putting money behind the idea of trying to prevent problems in creative ways,” says Jack Daniel, a noted security expert and product manager at Tenable Network Security. “This moves us from thinking that maybe the bad guys know about a vulnerability to actually hardening systems before they are shipped, so it’s aiming in the right direction and should be encouraged.”
The top three winners of the Microsoft BlueHat competition will earn cash prizes, which will be given out at Black Hat 2012. The first-place winner will receive $200,000, second place will earn $50,000 and third place will get an MSDN Universal subscription valued at $10,000. A team of engineers will evaluate each entry to determine which technology is the most practical and how easily it can be bypassed by attackers.
Microsoft, which has long dismissed the notion of starting a bug bounty program to compensate security researchers for finding vulnerabilities in its products, says the new contest will help build new protections into Windows as well as applications that run on the operating system. Such protections could lower the threat posed by coding errors by making them harder, or impossible, for attackers to exploit, even before the underlying bugs are found and fixed.
The company already ships two major memory-protection features, but researchers have demonstrated ways to bypass both. Data Execution Prevention (DEP) marks memory pages that hold data, such as the stack and heap, as non-executable unless an application explicitly requests executable memory, so code an attacker injects through a buffer overflow cannot simply be run in place. Address Space Layout Randomization (ASLR) randomizes where executables, libraries, the stack and the heap are placed in memory each time a program runs, so an exploit cannot rely on known addresses. Neither prevents the overflow itself; they make it much harder to turn an overflow into reliable code execution. On Windows both protections depend on flags set in a binary at link time, so applications built without them get little benefit.
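As an added illustration (not part of the article), the following Python script reads the link-time flags a Windows binary uses to opt into the two mitigations just described: IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP) and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) in the PE optional header, plus IMAGE_FILE_RELOCS_STRIPPED in the COFF header, which leaves an image unmovable even when DYNAMIC_BASE is set. The flag values and header offsets come from the PE/COFF file format; the sample header bytes are constructed inside the script for testing and are not a real binary.

```python
import struct
import sys

# Flag values and offsets from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: built with /DYNAMICBASE (ASLR opt-in)
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: built with /NXCOMPAT (DEP-compatible)
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED: no .reloc data, image cannot be rebased
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def check_mitigations(data: bytes) -> dict:
    """Report the DEP and ASLR opt-in state recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                           # COFF file header (20 bytes)
    (coff_characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                               # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header layouts
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_characteristics & DYNAMIC_BASE)
    relocs_stripped = bool(coff_characteristics & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nx_compat": bool(dll_characteristics & NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize an image it is able to relocate
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_test_pe(dll_characteristics: int, coff_characteristics: int = 0,
                  pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a loadable binary) used to exercise the checker."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0, opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def main(argv):
    # Usage: python check_pe_mitigations.py <file.exe|file.dll>
    if len(argv) != 2:
        print("usage: check_pe_mitigations.py <pe-file>")
        return 2
    with open(argv[1], "rb") as fh:
        result = check_mitigations(fh.read())
    for key, value in result.items():
        print(f"{key:16s} {value}")
    return 0 if result["nx_compat"] and result["aslr_effective"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the script usable as a build gate: a binary that lacks either flag, or that sets DYNAMIC_BASE but has its relocations stripped, fails the check. The same information is visible in `dumpbin /headers` output, but having it as a return value lets a build pipeline refuse to ship unhardened binaries rather than rely on a human reading the listing.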
Gary McGraw, CTO of Dulles, Va.-based software security consultancy Cigital, says the competition has the potential to help address a whole class of vulnerabilities at once. While not fully dismissive of bug hunters, McGraw says organizations shouldn’t rely on them; instead, they should pay their own engineers to find and correct serious flaws. However, that is a labor-intensive process that usually isn’t very efficient, he says.
“The problem has always been fixing coding issues, not finding them,” McGraw says. “Microsoft has great processes in place and is always constantly refining them. The competition itself shows great foresight on how to address the problem.”
McGraw and others say it’s impossible to predict how many entries Microsoft will get over the course of the competition. A potential stumbling block is whether researchers will want to give a perpetual license to Microsoft for the new technology. Under the contest rules, researchers who submit entries will retain the intellectual property rights, but agree to license the technology to Microsoft royalty free.
Slightly more critical of the contest was HD Moore, creator of the Metasploit penetration testing platform and CSO of Rapid7, who says defensive technologies ultimately won’t solve the issue of detecting and correcting coding errors and design flaws that create hidden weaknesses. Ultimately, an attacker will find a way around a defensive technology, Moore says.
“They need to spend more time finding and fixing vulnerabilities,” he says.
Robert Westervelt is the news editor of SearchSecurity.com.