Yang Yu is no stranger to writing mitigation bypasses for Microsoft Windows products.
A year ago at the CanSecWest conference in Vancouver, the 35-year-old security researcher from Beijing did an extensive presentation on bypassing Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) without return-oriented programming. ASLR and DEP are memory protection and code execution mitigations native to the Windows operating system.
Within five months, Microsoft had patched the vulnerability Yu had disclosed during the conference, marking the first time a mitigation bypass was treated as a vulnerability. Less than a year later, Yu’s research had paid off in a bigger way. On Friday, Microsoft announced that it had awarded Yu a $100,000 bounty for his submission of three variants on his bypasses. This was the second $100,000 payout since its program kicked off last summer.
“I do this for three reasons: the passion for technology; the love of challenge; and the bounty,” Yu said.
Microsoft has invested significant resources building exploit mitigations into not only Windows, but Internet Explorer as well. The mitigations target memory-corruption vulnerabilities such as buffer overflows that ultimately give hackers free run on the underlying system to run code of their choosing. The company’s bounty program rolled out in June 2013, challenging coders and defenders to come up with bypasses for mitigations such as ASLR and DEP which are then rolled into the Windows or IE codebase as a security enhancement.
Submissions for the bypass bounty, one of three offered by Microsoft, must demonstrate a new way of exploiting a remote code execution bug in Windows, making use of stack- and heap-corruption mitigations; there are seven criteria the submissions must meet.
Yu, who works for NSFOCUS, a security company in Beijing, said the techniques he submitted to Microsoft completely bypass DEP and ASLR, even under the watch of Microsoft Enhanced Mitigation Experience Toolkit (EMET). Ironically, last April, Yu found and reported a critical vulnerability in EMET v4 Beta, which was patched in June.
“[The mitigation bypasses are] Windows version independent, software version independent, even CPU independent in some cases,” Yu said. “I also submitted the relevant mitigation recommendations.”
The mitigation bypass bounty is one of three offered by Microsoft. Microsoft also awards the Blue Hat Bonus for Defense and previously, the Internet Explorer 11 Preview Bug Bounty. The Blue Hat Bonus for Defense pays up to $50,000 for defensive ideas that accompany a mitigation bypass; the IE bounty paid out up to $11,000 for critical vulnerabilities in the beta version of IE 11. The program was closed July 27.
The previous $100,000 winner, James Forshaw, won his prize in October. He collected for a bypass he developed that also eluded Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
“I think vulnerabilities are like bullets, and mitigation bypass techniques are like guns,” Yu said. “Trying to stop so [many] bullets is never better than destroying the gun.”
