Microsoft awards $250,000 prize for new mitigation features
Microsoft has announced the winners of the BlueHat Prize, an award that was created last year to promote the development of new mitigation features that prevent the exploitation of vulnerabilities. The main $250,000 prize was awarded to researcher Vasilis Pappas for kBouncer, a concept that is designed to offer efficient protection against Return Oriented Programming (ROP) attacks.
The main challenge when detecting attacks that use ROP is that such exploits use existing, legitimate code fragments, which makes it necessary to analyse the context in which the code is executed. kBouncer uses the "Last Branch Recording (LBR)" feature of commercial Intel processors to check whether a critical system function has been called legitimately. Since LBR is a CPU hardware feature, kBouncer is said to have virtually no effect on system performance.
Ivan Fratric's ROPGuard concept won second place and provides five further checks when calling critical system functions. The concept is designed to verify that the functions have actually been activated via CALL, rather than, for example, the closing RET at the end of a "ROP gadget".
Another component, called "Execution Flow Simulation Mitigation", simulates the first 15 instructions that would be executed after the successful completion of the current function. It is also designed to detect and block ROP gadgets and typical shellcode. ROPGuard also attempts to detect certain stack manipulations made by exploits to position their list of gadget addresses in the right place.
The researcher won second place and a $50,000 prize. He has also been awarded a special honour: Microsoft has already integrated four of his checks into the free Enhanced Mitigation Experience Toolkit (EMET) 3.5 technology preview. A blog post by the Security Research & Defence team explains the details. The new anti-ROP technologies are currently disabled by default; users can activate them via the EMET frontend or appropriate configuration files. However, the current version may still produce unwanted side effects.
Third place was awarded to Jared DeMott, whose /ROP technology also aims to mitigate ROP attacks. His idea is based on a whitelist of legitimate return addresses that the compiler can ship with a program. The researcher received an MSDN subscription worth $10,000 and a cheque for the same amount.
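To make the two ideas above concrete, here is an added example (written for this page, not code from ROPGuard, EMET or /ROP) that models ROPGuard's "was this function entered via CALL?" check and a /ROP-style return-address whitelist. It runs over a constructed x86 byte string in which offsets stand in for addresses; the instruction bytes, the stack contents and the function names are all assumptions made for the illustration. The check decodes the bytes immediately before a return address and asks whether any 32-bit CALL encoding ends exactly there, which is what distinguishes a genuine call site from the byte after a gadget's RET.

```python
# Constructed model of a caller check and a return-address whitelist (not ROPGuard's code).

CANDIDATE_LENGTHS = (2, 3, 4, 5, 6, 7)  # lengths a 32-bit x86 CALL encoding can have


def call_length(code: bytes, off: int):
    """Length of the CALL instruction starting at `off`, or None if the bytes
    there are not a CALL. Covers E8 rel32 and the FF /2 (call r/m32) forms."""
    if off < 0 or off >= len(code):
        return None
    op = code[off]
    if op == 0xE8:                              # call rel32
        return 5 if off + 5 <= len(code) else None
    if op != 0xFF or off + 1 >= len(code):
        return None
    modrm = code[off + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                                # /2 selects CALL within the FF group
        return None
    if mod == 3:                                # call reg
        length = 2
    elif rm == 4:                               # SIB byte follows the ModRM byte
        if off + 2 >= len(code):
            return None
        sib_base = code[off + 2] & 7
        disp = {0: 4 if sib_base == 5 else 0, 1: 1, 2: 4}[mod]
        length = 3 + disp
    elif mod == 0:
        length = 6 if rm == 5 else 2            # call [disp32] vs call [reg]
    elif mod == 1:
        length = 3                              # call [reg+disp8]
    else:
        length = 6                              # call [reg+disp32]
    return length if off + length <= len(code) else None


def preceded_by_call(code: bytes, ret_off: int) -> bool:
    """ROPGuard-style heuristic: does some CALL encoding end exactly at ret_off?"""
    return any(call_length(code, ret_off - n) == n for n in CANDIDATE_LENGTHS)


def check_return(code: bytes, ret_off: int, whitelist=None) -> str:
    """Classify one return address. A /ROP-style whitelist, when supplied, is
    consulted first; otherwise only the caller check applies."""
    if whitelist is not None and ret_off not in whitelist:
        return "not-whitelisted"
    if not preceded_by_call(code, ret_off):
        return "not-call-preceded"
    return "ok"


def audit_stack(code: bytes, return_addrs, whitelist=None) -> dict:
    """Report every return address on a (constructed) stack that fails a check."""
    verdicts = {addr: check_return(code, addr, whitelist) for addr in return_addrs}
    return {addr: v for addr, v in verdicts.items() if v != "ok"}


# Constructed text segment; comments give the offset of each instruction.
TEXT = bytes([
    0x55,                               # 0: push ebp
    0xE8, 0x10, 0x00, 0x00, 0x00,       # 1: call rel32      -> return site is offset 6
    0x5D,                               # 6: pop ebp
    0xC3,                               # 7: ret
    0x58,                               # 8: pop eax         ; gadget
    0xC3,                               # 9: ret
    0x5A,                               # 10: pop edx        ; gadget
    0xC3,                               # 11: ret
    0xFF, 0xD0,                         # 12: call eax       -> return site is offset 14
    0x90,                               # 14: nop
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, # 15: call [disp32]  -> return site is offset 21
    0x90,                               # 21: nop
])

# Constructed stacks: return addresses of a normal call chain versus a chain of gadgets.
LEGIT_STACK = [6, 14, 21]
ROP_CHAIN = [10, 8, 21]
COMPILER_WHITELIST = {6, 14, 21}        # the return sites a /ROP-style compiler would emit

if __name__ == "__main__":
    print("legit stack:", audit_stack(TEXT, LEGIT_STACK))
    print("gadget chain:", audit_stack(TEXT, ROP_CHAIN))
    print("gadget chain with whitelist:", audit_stack(TEXT, ROP_CHAIN, COMPILER_WHITELIST))
```

Because x86 instructions are variable-length, the caller check has to try every CALL length rather than decode backwards from the return address, and a byte pattern that happens to decode as a CALL satisfies it just as a real call site would; that is why the article describes ROPGuard layering several independent checks rather than relying on this one, and why the whitelist approach, which needs compiler support, is the stricter of the two.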
- EMET exploit mitigation tool reports the cause of a crash, a report from The H.
- Damage limitation - Mitigating exploits with Microsoft's EMET, a feature from The H.