LAS VEGAS -- A year ago this week, Microsoft announced a startup-style contest with serious reward money called BlueHat to get security researchers to apply their expertise to innovative defenses. Today, the company revealed that the efforts of one of the three BlueHat finalists would be incorporated into its Enhanced Mitigation Experience Toolkit tool.
Mike Reavey, the senior director of Microsoft's Security Response Center, explained that the BlueHat contest process was a big win for Microsoft. "In less than a year, we were able to solicit for ideas, receive them, implement them, and get them to customers," he said during a phone call with CNET last week.
The new version of EMET, as the tool is known, will soon ship with Return Oriented Programming (ROP) defenses "inspired" by the work of BlueHat finalist Ivan Fratric, Microsoft said in a press release announcing the tool upgrade. "ROP is an advanced technique that attackers use to combine short pieces of benign code, already present in a system, for a malicious purpose," Microsoft explained.
The EMET 3.5 Technology Preview is available for download now with Fratric's ROP defenses incorporated. His entry to the BlueHat contest was a tool called ROPGuard which makes a set of checks against ROP-style attacks, and then can help block those attacks.
Fratric is a Croatian researcher at the University of Zagreb with a PhD in computer science. Despite the adoption of his results, he has not been named the winner of the BlueHat contest, which comes with a $200,000 first prize and a $50,000 second prize. "All (the contestants) went after ROP. All the major exploits in recent history are ROP-based," said Reavey, noting the Pwn2Own 2012 exploit as being based in ROP. "It's difficult to mitigate against [ROP] because it's repurposing code for bad things that normally can be used for good things."
The name "BlueHat" is a reference to the Black Hat conference and Microsoft's corporate color of choice. It was first coined in 2005, as a somewhat-secretive, Redmond-based, Microsoft-sponsored hackathon for independent security researchers.