Wednesday, August 10, 2011

Comments about the $200,000 BlueHat prize

Microsoft is now offering a reward for certain cybersecurity technologies, as described here. It’s offering a reward of $200,000 (and a second place reward of $50,000) for the best solution to memory corruption bugs.

As expected, there are ravings from Linux geeks in response to anything Microsoft does. Those ravings are so egregious I thought I’d clarify them.


RUN-TIME NOT COMPILE-TIME

Many have made the assumption that this is way to protect against exploitation of bugs in Microsoft’s own software. In fact, Microsoft has suggested just the opposite: they are looking for a technology that can protect against bugs in other people’s software.

Right now, the leading cause of Chinese hackers breaking into the DoD is by exploiting Flash, an add-on from Adobe that lives inside browsers, including Chrome, Firefox, and Safari. Microsoft wants to stop this.

The distinction is important. They aren’t looking for “compiler" technologies that can be added to Microsoft’s software when they create it, but “run-time" technologies that can be applied to Adobe’s software when they run it.

Specifically, I think they are looking for technologies that can easily be applied, like their "Enhanced Mitigation Experience Toolkit, which turns on DEP, ASLR, and SEH protection for those applications that otherwise don’t have it.


ROP+JITspray

The above ravings call “return oriented progamming" the same as “return-to-libc". It’s not, they are very different.

In the past, the “C runtime" (libc) functions were called by pushing parameters on the stack and jumping to the function. Thus, you could fill up the stack with parameters and function “return" address that entered those functions.

But then 64-bit happened, where parameters are passed via registers instead of the stack, and that model stopped working. But there’s another way. Instead of “returning" to the function entry point, you could “return" to any fragment of code, even into the middle of an instruction. The sequence of bytes simply had to end in something like 0xC3, the x86 RET instruction. This got sophisticated so they could do LOOPS for gosh’s sake (ROP programming is really really cool).

But, with the appropriate use of ASLR, you could in theory randomize the location of code, to protect against this. But then came along JavaScript JIT in things like Adobe Flash. You could write JavaScript to write more JavaScript, that would predictably be “just-in-time" compiled into x86 code, and fill memory with this JITted code. That way, you could reliably “return" and find the code you are looking for at that address.

When you return to JITted code, you aren’t going anywhere near libc. Of course, ROP is a lot more complicated than just JITspray, too: the point is simply that there's more to it than just return-to-libc.


YOU AREN’T THAT SMART

The above ravings point to all the ways Microsoft can screw you, and take all your ideas. It points to these sections of the rules:
...understand and acknowledge that the Sponsor(s) may have developed or commissioned materials similar or identical to your submission and you waive any claims you may have resulting from any similarities to your entry...

...By entering this Contest, you agree that use of information in our representatives' unaided memories in the development or deployment of our products or services does not create liability for us under this agreement or copyright or trade secret law...

...are agreeing to license IP and patent rights in your submission to Microsoft...

The ravings interpret this as: “means in non-attorney-speak that Microsoft may forget about your submission and by means of cryptomnesia implement it sometime in the foreseeable future as the new DEP-in-shining-armor."

What it means in non-attorney speech is this: If you submit an idea to them, you can’t charge Microsoft money for it. That’s the ONLY right you lose. You still retain full rights to charge other people money for it, retain credit for inventing it, and so. You can still put it into the Linux kernel or Firefox, for example.

The reality is that Microsoft employs some of the smartest engineers in the industry. Most of the submissions will overlap ideas Microsoft engineers have already thought of, either completely or partially. These ideas are either stuck because the prototypes don’t work quite as well as your submission, or more likely, because it’s mired inside the politics at Microsoft and the poor communication skills of engineers. All this legaleze is trying to say is this: just because somebody submits an idea doesn’t mean we (Microsoft) lose rights over a similar idea we already came up with.

Whatever idea you have isn’t going to be all that unique. It’s going to look a lot like sandboxing, a lot like randomization, a lot like patching running code, and so on. Indeed, once you walk away with your $200,000, you might discover a paper written in Russian written two years ago that describes exactly what you sold to Microsoft.

BTW, I mention the EMET tool above because it’s a copy (although a better one) of stuff that we did at ErrataSec. Maybe they copied our idea, maybe they independently created it. It doesn’t matter, the idea is obvious. Also, we didn’t lose anything: we could never have sold it for money, or sold it to Microsoft: while useful, it’s just not that smart of an idea.

CONCLUSION

I wrote this mostly because of the amusing phrase “ Return-to-libc, as most of us know it" in the ravings from Linux geeks I mentioned above. It’s just not just because they are technically behind the times not understanding JITspray, but their willful misunderstanding of the purpose of the contest and the legalese of the contest rules.

If you’ve got an idea that you think you can charge Microsoft for, or charge its users, then don’t submit it. But you don’t. No matter how useful an idea, it’s almost certain that the $200,000 is the most you can hope to earn for it.

No comments: