Why Bug Bounty program by Microsoft?
Microsoft do no manufacture CPU’s so why bug bounty program by Microsoft? To understand why this $250,000 bug bounty program by Microsoft is being launched we must first understand what was actually discovered in early 2018.
The new year started with vulnerabilities being discovered, by multiple researchers who reported to CPU manufacturers and to all major Operating System vendors over past six months. Many modern processors that are often found in laptops, mobiles, and servers are vulnerable to a new class of attack, security flaws, which can actually expose user’s sensitive information.
This serious Meltdown and Spectre represents a new class of vulnerabilities called “Speculative Execution”. Protecting the devices already been hit by the threat will require both firmware and operating system level patches. It really requires a coordinated response from across Industries to rule out.
What is Speculative Execution?
To improve the performance of modern day microprocessors use a technique of predicting the calculations in a sub-sequential manner to solve the problems in the parallel fashion instead of performing tasks sequentially thereby resulting in enhancing the processing of chains of commands.
These attacks take advantage of this feature of parallel processing, wherein CPU attempts to guess the path of the code and execute the instructions in advance to enhance the performance and productivity. If the prediction proves to be incorrect, the result is discarded, but till the time this happens intruder can use the processor’s cache to leak the information.
Complete information about those speculative commands that are eventually not run is bound to get leaked because modern processors do not take permissions correctly. Because of this, protected parts kernel memory becomes accessible for the user programs. Interaction of Hardware and OS is monitored by Kernel programs and thus they are kept isolated from user’s processor all the time. Since this peeking is taking place, user program can get a glimpse of stored files and passwords.
Being said that the damage has been controlled but there is still some room for mitigation. This could be one reason why Microsoft has rolled out new bug bounty program to discover speculation execution flaws.
Microsoft has really taken this warning seriously, though they do not manufacture CPUs and neither responsible for any vulnerabilities in their firmware. It is assumed that such flaws can actually have a big impact on Microsoft’s security protections already built into windows or for its Azure cloud computing platform.
The $250,000 bug bounty program by Microsoft:
This program is huge and is split into four tiers:
|Tier 1: New categories of speculative execution attacks||Qualifying submissions must identify a novel category of speculative execution attacks that Microsoft and other industry partners are not aware of. An example of a qualifying submission would be a new method of leveraging speculative execution side channels to disclose information across a trust boundary.||$100,000 – $250,000 USD|
|Tier 2: Azure speculative execution mitigation bypass||Qualifying submissions must demonstrate a speculative execution side channel attack that can be used to read sensitive memory that is not allocated to an attacker’s virtual machine on Azure.||$100,000 – $200,000 USD|
|Tier 3: Windows speculative execution mitigation bypass||Qualifying submissions must demonstrate a novel method of bypassing speculative execution mitigations on Windows. Specifically, this would involve bypassing the Windows mitigations for CVE-2017-5715 (branch target injection) and CVE-2017-5754 (rogue data cache load). These bypasses must demonstrate that it is possible to disclose sensitive information when these mitigations are present and enabled.||$100,000 – $200,000 USD|
|Tier 4: Exploitable speculative execution vulnerabilities||Qualifying submissions will identify an instance of a known speculative execution hardware vulnerability (such as CVE-2017- 5753) in Windows 10 or Microsoft Edge. This vulnerability must enable the disclosure of sensitive information across a trust boundary.||$5,000 – $25,000 USD|
“Microsoft does not produce CPUs however, they are offering to pay bounties for bugs found in CPUs,” said Laurie Mercer, solutions engineer at HackerOne, via email. “This is an example of an organization contributing to the safety of the computing ecosystem. Whilst Microsoft themselves will clearly benefit from CPUs being secure, so will their competition, so this could be seen as an act of philanthropy.”
The flaws affect all the Intel processors that have been manufactured in last decade. Microsoft has already patched windows 10 and patches for Windows 7 and 8 are in pipeline too.
Looking for vulnerabilities on computer chips is new, Now that researchers know this is a fruitful area to explore, security researchers, foreign intelligence agencies, and criminals will be on the hunt” said renowned cryptographer and security expert Bruce Schneier.
Note – This bug bounty program will remain open until December 31st, 2018.
We must also note that Microsoft’s bug bounty rolled out when Intel is gearing up to make CPU changes by making serious redesigning and development in its processors and to ensure protection against attacks like Spectre.
Official link where you can find all information about the Microsoft’s bug bounty program is here. Full details.
Other Microsoft’s active bug bounty programs:
|Program Name||Start Date||Ending Date||Eligible Entries||Bounty range|
|Windows Insider Preview||July 26, 2017||Ongoing||Critical and important vulnerabilities in Windows Insider Preview slow||Up to $15,000 USD|
|Windows Defender Application Guard||July 26, 2017||Ongoing||Critical vulnerabilities in Windows Defender Application Guard in WIP slow||Up to $30,000 USD|
|Microsoft Hyper-V Bounty Program||May 31, 2017||Ongoing||Critical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-V||Up to $250,000 USD|
|Microsoft Edge on Windows Insider Preview||August 4, 2016||Ongoing||Critical remote code execution and design issues in Microsoft Edge in Windows Insider Preview slow||Up to $15,000 USD|
|Mitigation Bypass Bounty||June 26, 2013||Ongoing||Novel exploitation techniques against protections built into the latest version of the Windows operating system.||Up to $100,000 USD|
|Bounty for Defense||June 26, 2013||Ongoing||Defensive ideas that accompany a qualifying Mitigation Bypass submission||Up to $100,000 (in addition to any applicable Mitigation Bypass Bounty)|
|Microsoft Office Bounty Program||March 15, 2017||Ongoing||Vulnerabilities on Office Insider||Up to $15,000 USD|
|Microsoft .NET Core and ASP.NET Core Bug Bounty Program||September 1, 2016||Ongoing||Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details)||Up to $15,000 USD|
|Microsoft Cloud Bounty||September 23, 2014||Ongoing||Vulnerability reports on applicable Microsoft cloud services||Up to $15,000 USD|
We would encourage developers from across the world to apply for the bug bounty program’s by Microsoft and win them all. To share your bug bounty program’s story and get it published here, contact the admins.
Check out more about Cyber Kill Chain in our latest article.