By Rob Lemos
LAS VEGAS — If Jared DeMott hadn’t been eager to take a different path, he would never be in security, much less a finalist in Microsoft’s search for defensive technologies, known as the Blue Hat Prize.Raised in a manufacturing town, he was accepted to the Air Force Academy in 1996, but instead went to study computer networks at Ferris State University in Michigan. In 2000, he planned to take an offer with State Farm, a popular employer of Ferris’s computer-science graduates, but instead went out to interview, and accept a job, with a government agency about which he knew nothing — the National Security Agency.
And when it came to Microsoft’s Blue Hat contest, DeMott shook off a lot of criticism from friends and colleagues for even considering looking at developing defensive technologies. Like many researchers in the security industry, he had focused on offense, not defense, regularly participating in capture-the-flag competitions. A year ago following the announcement of the contest at the Black Hat security conference, a good friend from his hacking team told him to play to his strengths.
“But then I went home and I started thinking about it more, and I thought, ‘You know, I teach a class on application security, I do a lot more defense than I think I do,’” he says. “The prizes weren’t bad, and it would be neat to see if I could apply myself to defensive technologies.”
DeMott is one of three finalists vying for the $200,000 grand prize, the winner of which will be announced at a party on Thursday night here. In total, Microsoft had 20 qualifying submissions, the majority of which focused on mitigating return-oriented programming attacks — the topic of all three finalists’ research efforts.
ROP allows attackers to create exploits by co-opting legitimate operating system functions and piecing them together to run code. The result of iterative development in the security community for more than a decade, ROP allows an attacker to sidestep more modern operating system defenses, such as non-executable memory — also known as data execution prevention — and code signing.
In this year’s Pwn2Own contest, for example, security consultant Charlie Miller of Accuvant used return-oriented programming to get around non-executable memory on Apple’s iOS mobile operating system to compromise an iPhone through a vulnerability in the Safari Web browser.
“Return oriented programming is the technique that is being used in more and more real-world exploits,” says Mike Reavey, senior director at Microsoft’s Security Response Center. “One of the judging criteria was impact and whether the solution would block real-world impact.”
DeMott’s entry into Blue Hat, known as “/ROP,” checks the target address every time that a procedure returns from executing code on the stack. While its not a perfect defense, it has low overhead, executes quickly, and integrates well with Microsoft software, the company says.
Ivan Fratric, a teaching and research assistant at the University of Zagreb in Croatia, took a different approach. His proposal, known as ROPGuard, monitors a set of critical functions that are frequently used to implement return-oriented programming. When a function is called by a program, ROPGuard checks to see if the reference is legitimate or not.
Fratric, who has been researching security for nearly five years, first got interested in the field as a way to understand how hackers are able to manipulate computer systems. Prior to the Blue Hat contest, he had taken a more offensive approach, focusing on finding vulnerabilities. It took Microsoft’s $200,000 prize and challenge to the security community to have him focus on developing better defenses.
With ROPGuard, Fratric aimed to use as much of the information available at runtime as possible. Figuring out when to do the checks was a major component of his technique. If the attacker is going to use ROP, then he typically calls specific functions to set up the system for his attack, Fratric says. For example, an attacker might call functions that make certain areas of memory executable or load a certain code component.
“These functions are a great place to put these runtime checks,” he says. “My approach uses runtime checks on these processes — some simple, some not so simple.”
Fratric has already succeeded in getting his technology adopted by Microsoft. The software giant has already added four checks from ROPGuard to the Enhanced Mitigation Experience Toolkit, an optional software update used to harden Windows systems.
The last finalist, Columbia University PhD student Vasilis Pappas, has completed nearly six years of security research as part of his doctoral thesis. His submission, kBouncer, is the result of research that he had begun in the year before the Blue Hat announcement. The basic idea is it uses the kernel to police requests made by processes and reject anything that could be return-oriented programming.
“Whenever an application is requesting something from the kernel, kBouncer will check to see if it impacts security, and allow or deny the request,” Pappas says.
Pappas grew up in Greece, attending university there before coming to the United States. A main attraction of the Blue Hat prize was to develop a technology that will be used by millions of people, he says. While researching the technology caused headaches for other finalists, the most difficult part of developing kBbouncer was getting it to run on Windows, Pappas says. He is much more comfortable with Unix-based systems.
The contest has already paid off for each of the finalists and for Microsoft, says Reavey.
“Beyond the money, one of the things (all the contestants) want is to engage more actively in the security researcher community,” Reavey says. “It certainly is good recognition for their efforts that they have been selected as finalists.”