Microsoft engineers plan to award $260,000 worth of prizes for new security defenses that could help their software better withstand a powerful exploitation technique hackers are increasingly using to install malware on end users' computers.
The technique, known as ROP (return-oriented programming), is a regular staple of attacks used at the annual Pwn2Own hacker contest. It's also found in real-world attacks that install malicious software by exploiting garden-variety bugs in widely used pieces of software. It works by rearranging benign pieces of code already present in memory to form a malicious payload. Ironically, the popularity of ROP grew because of its ability to bypass another security mitigation known as data execution prevention, which has been added to software from Microsoft, Apple, and others over the past decade.
Microsoft unveiled three possible anti-ROP defenses on Thursday morning in a blog post announcing three finalists in its own competition. Microsoft's initiative will award more than $260,000 in cash and prizes for the development of new security protections to make its software more resistant to hack attacks. The BlueHat contest was unveiled at last year's Black Hat security conference in Las Vegas, and the grand prize winner will be announced next month. Microsoft hasn't said when it expects the technologies to go live, or exactly which products will use them.