A three-month Azure Sphere bug-bounty challenge will offer top rewards for compromising Pluton or Secure World within Microsoft’s IoT security suite.
Microsoft has launched a bug-bounty program for its Azure Sphere offering, which is a security suite for the internet of things (IoT) that encompasses hardware, OS and cloud elements. The top reward will come in at $100,000.
The Azure Sphere Security Research Challenge is an expansion of a program unveiled at Black Hat last August. That program, Azure Security Lab, was an invite-only affair for researchers, who were asked to mimic criminal hackers within a special, non-customer-touching cloud environment.
This time around, the challenge will run for three months, and will be application based: Bug-hunters need to submit an application to participate by May 15. The actual challenge then starts June 1 and will run through the end of August.
Pluton is a secure boot hardware root of trust governing firmware and hardware. Pluton is also incidentally part of Microsoft’s firmware protection for the Xbox gaming system.
Secure World meanwhile is one of two operating environments found in the application processor’s ARM Cortex-A subsystem, responsible for executing the operating system, applications and services (the other is called “Normal World”). Secure World executes only the Microsoft-supplied Security Monitor and other code.
Other exploitation scenarios will earn existing public Azure Bounty Program awards, with a 20 percent bonus for finding critical bugs and a 10 percent bonus for vulnerabilities rated important.
Microsoft said that eligible exploits include: The ability to either locally or remotely execute code on NetworkD; anything allowing execution of unsigned code that isn’t pure return-oriented programming (ROP); ability to spoof device authentication; elevation of privilege outside of the capabilities described in the application manifest (e.g. changing user ID, adding access to a binary); ability to modify software and configuration options (except full device reset) on a device in the manufacturing state; and the ability to alter the firewall allowing communication out to other domains not in the app manifest (but not DNS poisoning).
Microsoft is offering various resources to program participants, including the Azure Sphere development kit (DevKit); product documentation; direct communication channels with the Microsoft team; and other Microsoft products and services if needed.
“Microsoft recognizes security is not a one-and-done event,” wrote Sylvie Liu, security program manager at the Microsoft Security Response Center, in announcing the challenge this week. “Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk.”
Microsoft is also collaborating with a raft of partners on the program, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco Talos, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.
Microsoft continues to roll out bug-bounty programs. Last year, the computing giant released a program designed to sniff out flaws in Azure DevOps; kicked off a program with payouts as high as $100,000 for holes in identity services and implementations of the OpenID standard, Microsoft Account and Azure Active Directory; and in the wake of the Meltdown and Spectre flaws, Microsoft started a new bug bounty program targeting speculative execution side-channel vulnerabilities that offered up to $250,000 for identifying new categories of speculative execution attacks that Microsoft and other industry partners are not yet aware of.