LAS VEGAS–Microsoft on Thursday handed out three rather large checks to a trio of security researchers, the largest one–$200,000–going to Vasilis Pappas, who won the company’s first BlueHat Prize competition for defensive technologies. Pappas’s kBouncer mitigation for return-oriented programming (ROP) edged out ROP-related submissions from the two other finalists, and will be integrated by Microsoft in the near future.
The company announced Pappas as the winner of the contest at its annual party at the end of the Black Hat conference here with a splashy American Idol-style reveal, complete with blaring music and a massive confetti shower. Pappas, a PhD candidate at Columbia University, has been focused on the research for his submission for more than a year. His kBouncer technology uses the kernel to enforce restrictions about what processes can do, and prevents anything that looks like return-oriented programming from running.
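The article describes kBouncer only at the level of "prevents anything that looks like return-oriented programming from running". The check below is an added illustration written for this page, not kBouncer's, ROPGuard's or Microsoft's code: it models the generic heuristic this class of mitigation relies on, that a legitimate RET must land at an address immediately preceded by a CALL instruction, and that a run of many short instruction sequences each ending in a return is characteristic of a gadget chain. The code bytes, addresses, trace events, and the thresholds `max_gadget_len` and `chain_threshold` are constructed for the example and are not values taken from the page or from the actual submissions.

```python
"""Call-preceded return check over a constructed x86 code snapshot.

Added example for illustration; the byte patterns recognised as CALL are a
small, deliberately incomplete set, and the thresholds are assumptions.
"""
from dataclasses import dataclass


def preceded_by_call(code: bytes, base: int, target: int) -> bool:
    """True if the bytes just before `target` decode as a CALL instruction.

    `code` is a snapshot of executable bytes starting at virtual address
    `base`. Three common encodings are recognised; real decoders handle many
    more, and any byte-pattern check can be fooled by misaligned decoding,
    so this is a heuristic rather than a proof of legitimate control flow.
    """
    off = target - base
    if off < 0 or off > len(code):
        return False
    # E8 rel32: 5-byte direct call
    if off >= 5 and code[off - 5] == 0xE8:
        return True
    # FF /2 with a register operand (ModRM 0xD0..0xD7): 2-byte "call reg"
    if off >= 2 and code[off - 2] == 0xFF and 0xD0 <= code[off - 1] <= 0xD7:
        return True
    # FF 15 disp32: 6-byte "call [disp32]"
    if off >= 6 and code[off - 6] == 0xFF and code[off - 5] == 0x15:
        return True
    return False


@dataclass
class ReturnEvent:
    """One RET observed in a branch trace (constructed for the example)."""
    target: int   # address the RET transferred control to
    insns: int    # instructions executed since the previous indirect branch


def check_trace(code: bytes, base: int, events: list[ReturnEvent],
                max_gadget_len: int = 20, chain_threshold: int = 8) -> list[str]:
    """Return a list of policy violations found in `events`.

    Two rules are applied: every return target must be call-preceded, and a
    chain of `chain_threshold` consecutive short sequences (at most
    `max_gadget_len` instructions between returns) is reported once.
    """
    violations: list[str] = []
    chain = 0
    for i, ev in enumerate(events):
        if not preceded_by_call(code, base, ev.target):
            violations.append(f"ret#{i}: target {ev.target:#x} not call-preceded")
        if ev.insns <= max_gadget_len:
            chain += 1
            if chain == chain_threshold:
                violations.append(f"ret#{i}: {chain} consecutive short gadgets")
        else:
            chain = 0
    return violations


# Constructed code snapshot mapped at a made-up base address:
#   +0  E8 10 00 00 00   call rel32     -> +5 is a legitimate return site
#   +5  90               nop
#   +6  FF D0            call eax       -> +8 is a legitimate return site
#   +8  5B               pop ebx
#   +9  C3               ret
#   +10 58               pop eax        -> +10 is NOT call-preceded (gadget)
#   +11 C3               ret
SAMPLE_BASE = 0x401000
SAMPLE_CODE = bytes([0xE8, 0x10, 0x00, 0x00, 0x00, 0x90, 0xFF, 0xD0,
                     0x5B, 0xC3, 0x58, 0xC3])


def benign_trace() -> list[ReturnEvent]:
    """Two normal function returns with long stretches of code between them."""
    return [ReturnEvent(SAMPLE_BASE + 5, 50), ReturnEvent(SAMPLE_BASE + 8, 120)]


def gadget_chain_trace() -> list[ReturnEvent]:
    """Eight returns into the same non-call-preceded 'pop eax; ret' sequence."""
    return [ReturnEvent(SAMPLE_BASE + 10, 2) for _ in range(8)]


if __name__ == "__main__":
    print("benign :", check_trace(SAMPLE_CODE, SAMPLE_BASE, benign_trace()))
    print("chain  :", check_trace(SAMPLE_CODE, SAMPLE_BASE, gadget_chain_trace()))
```

The benign trace produces no violations; the constructed gadget chain is flagged twice over, once per return that lands on a non-call-preceded address and once when the run of short sequences reaches the chain threshold. A deployed mitigation would take these events from a hardware branch trace or from a hook at sensitive API calls and would block the process rather than print a list, but the decision logic is the same shape.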
In addition to the $200,000 that Pappas won, Ivan Fratric was awarded $50,000 for his ROPGuard technology and Jared DeMott won $10,000 and an MSDN subscription for his /ROP submission. Microsoft officials said they were quite happy with the quality of the submissions and that the contest had accomplished its stated goal of identifying innovative defensive technologies.
“Running the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve,” Katie Moussouris of Microsoft said in a blog post on the contest.
Microsoft officials have said repeatedly in the last few years that the company does not plan to offer bug bounties to security researchers who discover vulnerabilities in Microsoft products. Google, Mozilla and several other companies have such programs, and the BlueHat Prize was Microsoft’s way of responding and attempting to focus the energy of researchers on defensive technologies instead of finding bugs.
“One thing is certain – we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. To address the security threats of today and tomorrow, we as an industry need to appreciate both,” Moussouris said.