Microsoft has spent nearly three months whittling down the entries, and on Thursday it announced the three finalists who will compete for its inaugural BlueHat competition crown.
The software giant narrowed down the trio from 20 total entries. The contest, announced last summer at the Black Hat conference in Las Vegas, sought contestants who "could design the most effective ways to prevent the use of memory safety vulnerabilities, a key area of focus for Microsoft."
The three people in the running for the $200,000 grand prize are Jared DeMott,a principal security researcher at Harris Corp.; Ivan Fratric, a researcher at the University of Zagreb in Croatia and Vasilis Pappas, a Ph.D. student at Columbia University in New York.
According to Microsoft, DeMott designed a technology that "lowers the effect of address space disclosures and mitigates known return-oriented programming (ROP) exploits." Fratric created ROPGuard, while Pappas built kBouncer, an ROP mitigation technique.
In a nutshell, ROP allows attackers to execute code in the presence of non executable memory segments and code signing. ROP attackers have control of the call stack to execute instructions ahead of the return instruction in subroutines of code. The execution of instructions from inside a program avoids defensive measures designed to stop execution from user-controlled memory.
Katie Moussouris, a senior security strategist at Microsoft, said the company, which doesn't offer bounties for vulnerability discoveries, believed focusing on incentivizing defensive research was more important.
"While a few vendors and others were offering relatively small cash incentives for security researchers to find and report individual vulnerabilities, we decided that, as a platform provider, Microsoft would be most effective if it sought out new, platform-level, defensive technologies that could possibly help defend against entire classes of vulnerabilities," Moussouris wrote. "These defenses could help protect our own applications, and have the potential to protect third-party applications that run on our platform."
The winner will be announced July 26 during this year's Black Hat show. Top prize is $200,000, while second place earns $50,000 and third place gets a Microsoft Developer Network Platforms (MSDN) subscription, valued at $10,000.
"Also of note, most of the top-rated entries were among those last-minute submissions, perhaps substantiating the old adage that brilliance emerges under the glaring pressure of a looming deadline," Moussouris wrote.