Microsoft Rolls BlueHat Prize Finalist’s Concept Into EMET 3.5
By Tony Bradley
Microsoft announced a new version of its EMET (Enhanced Mitigation Experience Toolkit) software at the Blackhat conference in Las Vegas. What’s unique about the EMET 3.5 Technology Preview is that it includes new defenses inspired by one of Microsoft’s BlueHat Prize finalists.
EMET is a free utility from Microsoft that adds an extra layer of defense to prevent vulnerabilities from being successfully exploited. The software is a collection of tools and mitigation techniques that can be applied to protect against attacks.
One class of attacks that previous versions of EMET have not been armed to defend against effectively is Return Oriented Programming (ROP) attacks. Thanks to ROPGuard–a defense technology submitted for Microsoft’s BlueHat contest–EMET 3.5 will have the tools available to defend against ROP attacks.
“In less than three months, we successfully integrated one of the BlueHat Prize finalists’ technologies with EMET 3.5 Technology Preview to help make software significantly more resistant to exploitation,” said Mike Reavey, senior director of the Microsoft Security Response Center at Microsoft in a press release.
Reavey added, “As the risk of criminal attacks on private and government computer systems continues to increase, we’ve been able to accomplish our goal with the BlueHat Prize contest, incentivizing researchers to invest in defensive research and develop technologies that could be put into play to help make the computing ecosystem safer.”
The BlueHat Prize contest is a unique approach to security. Most contests reward the security researchers who find the most serious flaws and vulnerabilities. With BlueHat, Microsoft challenged researchers to flip the model around and focus instead on proactive measures that can guard against new threats rather than simply identifying potential exploits one at a time.
One of the three finalists for the BlueHat Prize contest, Ivan Fratric, submitted the ROPGuard technology. Fratric has a Ph.D. in computer science, and is a security researcher at the University of Zagreb in Croatia.