Archive for the ‘BlueHat Prize’ Category

An update on the bounty programs

October 8th, 2013

Back in June of this year, we announced three new bounty programs that will pay researchers for techniques that bypass built-in OS mitigations and protections, for defenses that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview. This past Friday, we provided some additional details about the results of the IE11 Preview bounty program, which covered the first 30 days of the preview period. Today, we are announcing that James Forshaw, a security researcher with Context Information Security, has been awarded the first Mitigation Bypass Bounty, which comes with a prize of $100,000.00. As a reminder, this is an ongoing program, so if you are interested in participating, check out all the details here.

Announcing the BlueHat Prize winners!

July 27th, 2012

Minutes ago in Las Vegas at the Microsoft Researcher Appreciation Party, we completed the journey we set out on together at the 2011 Black Hat briefings. There, we asked the security research community to focus its talent and expertise on defense, to design and prototype novel runtime mitigation technologies to prevent the successful exploitation of memory safety vulnerabilities. This was a paradigm shift for many – moving from addressing single vulnerabilities to focusing on ways to mitigate entire classes of vulnerabilities. It was also the first incentive prize Microsoft has ever offered to seek out and reward new ideas in computer security defense. The incentive was significant, too, with over a quarter million dollars in cash and prizes at stake.

We were very happy with the security community’s response! Overall, 20 qualified entries were submitted before the April 1 deadline. From those, the BlueHat Prize Board carefully narrowed the entries to our three finalists; it was interesting to note that all three finalists chose to mitigate the Return-Oriented Programming (ROP) attack technique. This is not an easy problem to solve, as you have to differentiate malicious code from “good” code, all while not impacting performance or user experience. The three finalists took up the challenge and delivered novel submissions with functioning prototypes! So today it’s my honor to announce the winners of the first ever BlueHat Prize:

Grand Prize Winner of $200,000
Vasilis Pappas for kBouncer

Grand Prize Winner of $50,000
Ivan Fratric for ROPGuard

Grand Prize Winner of $10,000
Jared DeMott for “/ROP”

For more technical details of how the BlueHat Prize Board weighed each entry to reach the verdict, I will let them speak for themselves. And if you weren’t able to join us in person for the award ceremony, we’ve got a glimpse for you in this video.

Although we consider this inaugural BlueHat Prize to be a great success, our work isn’t done. Microsoft continues to make investments in our own security science and engineering efforts, and we will continue to work with security researchers and industry partners to provide our customers the best protections available.

It was great to be on hand to award these prizes to the winners, but it was also exciting to celebrate this moment with a community we respect and enjoy collaborating with. On that note, I should mention that Katie Moussouris has shared her thoughts on the conclusion of this BlueHat Prize on the MSRC Ecosystem Strategy Team blog.

Matt Thomlinson
General Manager, Trustworthy Computing Security

Categories: BlueHat Prize Tags:

The BlueHat Prize finalists, in their own words

July 25th, 2012

In a little less than 24 hours, we will award $200,000 to Jared DeMott, Ivan Fratric, or Vasilis Pappas as we name the inaugural winner of the BlueHat Prize – and we’ll award more than $50,000 for the two runners-up. As excitement builds towards that announcement, I was fortunate enough to sit down with each finalist and get to know them a little bit better. Each of these researchers coincidentally took on the problem of mitigating ROP exploits, but each had different reasons for participating in the contest and each proposed different solutions to the same problem.

Note: Finalists presented in alphabetical order.

Jared DeMott

Ivan Fratric

Vasilis Pappas


We look forward to seeing you Thursday night at our Researcher Appreciation Event. If you haven’t received your token yet (or just want to say hello and chat), please stop by our booth in the Black Hat Sponsor Hall.

See you there!

Thanks,
Mike Reavey
Sr. Director, Microsoft Security Response Center

BlueHat Prize technology available in Tech Preview

July 25th, 2012

One year ago this week we challenged the security community to take an unconventional focus on defensive innovation. We called that challenge the BlueHat Prize, and tomorrow night, we will award the grand prize of $200,000 to one of the finalists, either Jared DeMott, Ivan Fratric, or Vasilis Pappas. All three finalists submitted prototype mitigations that help prevent exploits that use Return Oriented Programming (ROP) techniques.

But that’s tomorrow night. Today, I’m excited to announce that we’ve already been able to incorporate one of these winning technologies into our free Enhanced Mitigation Experience Toolkit (EMET) 3.5 technology preview. The new Tech Preview of EMET offers four new checks based on Ivan Fratric’s ROP exploit mitigation to help prevent attacks utilizing ROP techniques. Considering the contest submission period closed April 1, I’m thrilled the team has been able to integrate the technology into EMET so quickly. The fact that the BlueHat Prize has gone from contest announcement to real protection for customers within a single calendar year shows the positive impact of collaboration with the security community. You can get additional details about this technology preview in the SRD blog and in the following video featuring Dustin Childs and Elias Bachaalany.



In the MSRC, we often talk about exploit economics – the idea that increasing the difficulty of attack makes it more expensive (in terms of time and effort) and begins discouraging exploitation. EMET 3.5 is a great example of exploit economics in action as it offers protection for entire classes of vulnerabilities. EMET also provides defenses that protect assets from unknown threats.

This week we also released our annual MSRC progress report, which covers from June 2011 through July 2012. This report highlights our collaboration with the security community and the industry at large through programs like Microsoft Active Protections Program (MAPP) and Microsoft Vulnerability Research (MSVR). Today, information shared through the MAPP community helps protect more than 1 billion customers and significantly reduces the time it takes security vendors to create protections. Through the MSVR program this year, we reported 96 vulnerabilities to 39 different vendors. You can read more about each of these programs (and more!) in the progress report.

I can’t wait to see the conclusion of the first BlueHat Prize tomorrow night, and I’m looking forward to all of the opportunities we’ll have to speak with partners, researchers, and customers at Black Hat. If you have time, swing by the Microsoft booth to say hello. While there, let us know what you think represents the most pressing industry-wide security issue and enter for your chance to win one of four $5,000 prizes as a part of our BlueHat Prize Question Sweepstakes. Check out the rules here.

I look forward to seeing you at Black Hat!

Matt Thomlinson
General Manager
Trustworthy Computing Security

Countdown to the BlueHat Prize announcement and a chance for you to win $5000

July 16th, 2012

Hello,

To mark the start of the 10-day countdown to the BlueHat Prize award ceremony, the MSRC Ecosystem Strategy Team is announcing the BlueHat Prize Question Sweepstakes that will give you a chance to win $5,000 at Black Hat this year! Be sure to check out the official announcement here and the official rules here to see how your input could help us shape a future BlueHat Prize contest. Feel free to start the brainstorming and discussion of security defense questions on Twitter with hashtag #BlueHatPrize, and don’t forget to stop by our booth during Black Hat to enter the sweepstakes!

Thank you,

Yunsun Wee
Director
Microsoft Trustworthy Computing

BlueHat Prize: And now the fun begins

April 4th, 2012

The entry window for the first annual BlueHat Prize closed at 11:59pm PDT on April 1. We’ve been eagerly awaiting a final entry count from the contest organizers, and senior security strategist Katie Moussouris has just posted that tally on the EcoStrat blog. Congratulations to all participants and good luck to the BlueHat Prize Board, which finds itself eyebrow-deep in exciting new defensive-security ideas as the competition judging process begins.

Angela Gunn
Trustworthy Computing.

6…5…4…3…2…

March 26th, 2012

Nearly nine months after we announced the first annual BlueHat Prize competition for innovations in defensive security technologies, we’re just days away from the submission deadline. On the EcoStrat blog today, Senior Security Strategist Katie Moussouris gives a glimpse into the frantic final days of the competition period. If you’re working on your own entry (deadline April 1!) or simply wondering how the race for “mad loot” is shaping up, be sure to check out her post.

Angela Gunn
Trustworthy Computing.
