ROP mitigations top contenders for Microsoft's BlueHat Prize

Microsoft has announced the three finalists of its inaugural BlueHat innovative security protections competition

The three finalists of Microsoft's inaugural BlueHat competition, to develop innovative computer security protection technologies, have been announced.

The competition, which ran from 3 August 2011 to 1 April 2012, is aimed at stimulating research in defensive computer security technology.

Fighting it out for top spot and $200,000 will be researchers Jared DeMott and Ivan Fratric, and student Vasilis Pappas.

The second prize is $50,000 and third prize is an MSDN Universal subscription valued at $10,000.

Winners will retain IP ownership of their work and will grant Microsoft a licence to use it in its products.

Each finalist developed unique solutions that hinder attacks that use return-oriented programming (ROP), which combines short pieces of benign code in a system for a malicious purpose.

DeMott's entry, called /ROP, checks the safety of target addresses of return instructions, which ROP exploits use.

Fratric's submission, named ROPGuard, defines a set of checks that can be used to detect when certain functions are being called in the context of malicious ROP code.

Pappas's entry, dubbed kBouncer, is an ROP mitigation technique that detects abnormal control transfers using common hardware features.

A panel of Microsoft security engineers judged the entries on: practicality and functionality (30% of the final score); robustness or how easy it was to bypass the solution (30%); and impact (40%).

"We can't wait to see how this initiative will inspire others to explore defensive technology research to potentially mitigate entire classes of vulnerabilities," said Mike Reavey, senior director, Microsoft Security Response Center.

Brad Arkin, senior director of security at Adobe, said the security industry had historically focused on rewarding researchers for identifying and reporting individual vulnerabilities.

"The BlueHat Prize represents a new and exciting approach that motivates researchers to come up with solutions to mitigate attacks," Arkin said.

Microsoft is to announce the winner at the company's researcher appreciation party on 26 July after BlackHat 2012 in Las Vegas.
