Microsoft has received 20 submissions in the $268,000 contest it hopes will result in new security technologies being baked into Windows, a company security strategist said Tuesday.

The "BlueHat Prize" contest, which debuted in August 2011, offers $200,000 as a first prize, $50,000 for second, and a subscription to Microsoft's developer network for third place. The three winners will be flown to Las Vegas this July, when Microsoft will announce the results at the Black Hat security conference. Microsoft collected 20 entries before the April 1 deadline, said Katie Moussouris, a senior security strategist lead at Microsoft, on a company blog yesterday.

Between now and Black Hat -- which runs July 21-24 -- Microsoft will evaluate the submissions and pick winners, Moussouris said. BlueHat Prize was not a bug bounty program, where vulnerability experts are rewarded for uncovering specific flaws in software; instead it was designed to prod researchers to invent novel technologies that would protect Windows from entire classes of memory bugs.

When Microsoft rolled out BlueHat Prize last year, some experts assumed that the company was after a technology or technique to defeat, or at least deflect, exploits based on "return-oriented programming," or ROP. ROP-based exploits can be used by attackers to sidestep current Windows anti-exploit technologies such as ASLR (address space layout randomization).

All submitters -- not just the winners -- will retain intellectual property rights to their work, but must license their technologies to Microsoft on a royalty-free basis. Entries had to provide a prototype of 2MB or smaller that ran on Windows and was developed using the Windows SDK (software development kit).

The licensing provision makes BlueHat Prize an economical way for Microsoft to acquire new security ideas. Even if half of the entries are duplicates or simply not up to snuff, Microsoft could procure 10 technologies or techniques for under $27,000 each, or less than a quarter of what Google paid two researchers last month for vulnerabilities and associated exploits in its Chrome browser.

"It's a cheap way to pay someone else to innovate," said Andrew Storms, director of security operations at nCircle Security, in an interview today. "Google and others pay for vulnerabilities," added Storms. "Microsoft has never done that. Instead they're paying for innovation. So instead of paying someone to break their stuff, they are paying someone to make it better."

A panel of Microsoft employees from the Microsoft Security Response Center (MSRC), the Windows group and Microsoft's research arm will judge the entries.

In another blog last week, Moussouris said that the quantity and quality of the entries -- up to that point only 10 -- had "exceeded our expectations." She did not name the participants, but did say that they included security researchers "with great track records," individuals or teams from academia, and others.

From her account, most contributors worked close to the April 1 deadline: half of the 20 total submissions were filed in the last nine days of the contest, and one squeezed in under the wire with just nine minutes to spare last Saturday. In fact, Microsoft rejected a submission that missed the deadline by just eight minutes. Moussouris cited "fairness to the others" as well as Washington State contest rules as the reasons why the company wouldn't bend.

Although there's virtually no chance that anything Microsoft receives from BlueHat Prize could make it into Windows 8 -- this year's upgrade will likely reach the "release to manufacturing" milestone just weeks after the contest winners are revealed -- the company could roll some of the technologies into a Windows 8 service pack next year, Storms said in a 2011 interview when BlueHat Prize debuted. Microsoft has done something similar in the past: in mid-2004, it revamped Windows XP's security with Service Pack 2 (SP2).