Microsoft has announced the three finalists for its $200,000 Blue Hat Prize contest and all three of the researchers in the running for the win submitted technologies designed to defeat ROP (return-oriented programming) exploits. Each of the entrants takes a different tack with his ROP defense and it will be another month before Microsoft announces at Black Hat which of them will take home the $200,000 top prize.
The Blue Hat Prize, which Microsoft announced at Black Hat last summer, offers researchers cash prizes for innovative defensive technologies. In some ways, it is Microsoft’s response to all of the bug-bounty programs that other vendors have started in the last couple of years. Companies such as Google, Barracuda, Firefox and others have been paying researchers varying amounts for vulnerabilities that researchers disclose to them privately. Microsoft officials have said repeatedly that the company will not pay bug bounties and instead introduced Blue Hat Prize to spur innovation in defensive technologies.
“When we looked at the various economic incentive models, the bug bounty was among them. But when we looked at what researchers were doing with the bugs they found in our products across the board, we found that there were a lot more motivations for researchers than just money,” Katie Moussouris, senior security strategist in Microsoft’s Trustworthy Computing Group, said at the time of the initial announcement last year. “There’s recognition and there’s what I call the pursuit of intellectual happiness, just the act of finding these issues.”
One of the problems that Microsoft officials mentioned as being ripe for innovation is that of ROP exploits. The three finalists for the first Blue Hat Prize are Jared DeMott, Ivan Fratric and Vasilis Pappas. Each of them submitted techniques for defeating or mitigating ROP exploits. Under the rules of the contest, the researcher who wins the top prize will have to agree to license the technology to Microsoft, but he will retain the rights to the technology, as well.
“We received 20 entries to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community – some from academia, some recognized names in the hacker community, and some from other venues entirely,” Moussouris wrote on Thursday.
The winner, who will get $200,000, will be announced at the company’s party at Black Hat in July. The second prize winner will get $50,000 and the third-prize winner gets an MSDN subscription. All three will fly to Las Vegas on Microsoft’s dime for the announcement.