Pappas was one of three finalist selected by Microsoft; the other finalists were Ivan Fratric, who placed second and received $50,000 for his ROPGuard, a system that can detect and prevent the currently used forms of ROP attacks at runtime, and Jared DeMott, who placed third and received $10,000 for his /ROP, a system that lowers the effect of address space disclosures and mitigates known ROP exploits.
Microsoft launched the BlueHat prize competition at last year’s Black Hat conference in an effort to encourage research in defensive computer security technology.
“We asked the security research community to focus its talent and expertise on defense, to design and prototype novel runtime mitigation technologies to prevent the successful exploitation of memory safety vulnerabilities”, explained Matt Thomlinson, general manager of Trustworthy Computing Security.
“It was interesting to note that all three finalists chose to mitigate the return-oriented programing (ROP) attack technique. This is not an easy problem to solve, as you have to differentiate malicious code from 'good' code, all while not impacting performance or user experience”, he wrote.
As reported by Infosecurity, Microsoft announced that it was incorporating ROP mitigation technology developed by Fratric into its latest Enhanced Mitigation Experience Toolkit (EMET), which can be used by system administrators to mitigate vulnerabilities and detect exploitation attempts.
In addition, Microsoft Security Response Center released its progress report for July 2011 to June 2012. In addition to discussing the BlueHat prize competition and the new EMET tool, the report provided some Patch Tuesday statistics.
During the 12 months ending June 2012, Microsoft released a total of 90 security bulletins to address 203 individual vulnerabilities. Of those vulnerabilities, 50% could allow remote code execution by an attacker, down from 62.8% during the previous 12-month period, the report noted.