Microsoft offers quarter-million in prizes to improve Windows security

If the security of your system depends on users making intelligent security decisions then you're basically doomed. After all these years of experience with end users on the Internet we know that they can't be trusted to make those decisions correctly. At least not often enough.

That's why the best security technologies are the ones that happen in spite of the user. These have been a focus for Microsoft over the last 10 years and remain the last, best hope of userdom.

And that's why Microsoft launched the Blue Hat Prize this year at BlackHat. The prize will be awarded each year for advances in defensive security technology. Existing examples of these are ASLR and DEP, which stop exploits of vulnerabilities automatically.

A quick review of these technologies is in order:

DEP (Data Execution Prevention). This goes back to Windows XP SP2 I believe. Windows uses CPU features to mark data areas of the program as non-executable. Many exploits rely on generating code in data areas and executing it.

ASLR (Address Space Layout Randomization). Many exploits rely on specific programs or instructions being at known, fixed locations in memory. ASLR randomizes the location of parts of the program at load time making these exploits difficult or impossible. This is sometimes known as the "return to LIBC" problem or ROP for Return-Oriented Programming. First included in Vista.

Stack Checking. This is a feature used by programmers either at compile time (/Gs in Visual Studio) or inside the code (#pragma check_stack) and does not rely on operating system support. It generates tests in function call stacks to detect if the stack has been damaged (overflowed) by code in the function. Also known as stack cookies or stack canaries. First introduced in Visual Studio .NET 2003.

SAFESEH (Safe Structured Exception Handlers), a.k.a. SEHOP (Structured Exception Handling Overwrite Protection). This blocks exploits which overwrite structured exception handlers, a programming construct to handle errors. First included in Vista SP1.

Other systems implement some or all of these features. The recently-released OS X 10.7 (Lion) is the first to fully implement ASLR and now, as a result, experts generally consider base security feature support roughly equivalent between Windows and OS X.

Eyes on the Prize

The top prize in Blue Hat will be $200,000, second prize $50,000 and third an MSDN Universal subscription valued at $10,000. MSDN Universal gives you developer access to almost everything Microsoft makes, so it's really useful, and I don't have to tell you how useful $200,000 is.

Every now and then you read about new exploits which bypass ASLR, DEP and other defenses, and a lot of this is true. But they don't have to be perfect in every instance in order to be really useful. There are a lot of vulnerabilities which are much less severe because of these features, and I'd argue that some (like DEP) make programs better in general by making subtle bugs more evident in testing. ASLR and DEP also reinforce each other, in that most attempts to bypass DEP run afoul of ASLR and vice-versa.

The first year's contest will be for "a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities." There are many kinds of memory safety vulnerabilities, such as format string errors, dangling pointers (which point into freed memory) or double-freed pointers. Many languages, C and C++ among them, require the programmer to protect against these errors and it's really easy to fail to do so. In the interim, Microsoft has dealt with some of these problems by banning certain C library calls from the SDL- (Security Development Lifecycle) approved list.

Entries will be judged by a group within Microsoft for practicability of implementation, robustness against attack, and their impact on security. Winners agree to license the technology royalty-free to Microsoft, but they retain any intellectual property for the solution and may license it to others as they see fit.

Don't be surprised if the contestants come up short. A general mitigation for these sorts of bugs would be quite an accomplishment, especially one which doesn't impose an unacceptable burden on the system. It may very well be that if it was possible it would have been thought of already. But to Microsoft it's easily worth a quarter million dollars to try.

Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.