A cool $100,000 is up for grabs for researchers who can crack elements of Microsoft’s custom-built Linux operating system for IoT devices.
Azure Sphere was introduced by Microsoft in 2018, serving as a bespoke platform for internet-connected devices that can be updated, controlled, monitored, and maintained remotely. The OS combines a number of built-in hardware and software security elements designed to make it resilient against spoofing, DDoS and other such attacks, while offering automatic software and security renewals from the cloud.
Key to Azure Sphere’s security are the platform’s Pluton and Secure World elements. Pluton acts as a security subsystem, generating cryptographic keys and monitoring the digital signatures of network elements to protect the platform against tampering. Secure World, meanwhile, is the part of Microsoft’s operating environment for applications on Azure Sphere devices that executes Microsoft security code.
Now Microsoft is offering $100,000 to researchers who can execute code in either Pluton or Secure World.
Sylvie Liu, security program manager for Microsoft Security Response Center, said: “While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event.
“Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk.”
Named the Azure Sphere Security Research Challenge, the bounty program is an expansion of Microsoft’s Azure Security Lab, announced at Black Hat in August 2019 as a set of dedicated cloud environments for security researchers to test vulnerabilities in Azure. The new challenge is a three-month, application-only program offering special bounty awards and providing additional research resources to participants.
The latest research challenge is focused on the Azure Sphere OS only, said Liu: vulnerabilities found in the cloud portion of Microsoft’s Azure platform may be eligible for the public Azure Bounty Program awards.
Liu added that “physical attacks” were not welcome in either program.
Interested parties have until 15 May 2020 to submit their applications, with the challenge itself running from 1 June through to 31 August. “The security landscape is constantly changing with emerging technology and security threats,” said Liu.
“Microsoft works hard to secure our cloud and software and the help of security researchers amplifies our ability to continually increase security. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have helped us continue to secure millions of customers.”