Microsoft will pay up to $ 100,000 for vulnerability in Azure Sphere Linux

People Microsoft he wanted to throw the house out the window with his recent announcement in which he announced that eare willing to pay a reward of up to one hundred thousand dollars to those who come to identify and share with them security gaps in your Azure Sphere IoT platform which is built on the basis of the Linux kernel and using sandbox isolation for basic services and applications.

The award is promised for demonstrating vulnerabilities in the Pluton subsystem (the root of trust implemented in the chip) or Secure World (sandbox). This series of rewards is part of a program of a new three month challenge and offers the highest reward of $ 100,000 to researchers who can run code on Azure Pluto and Azure Secure World.

The Azure Sphere application platform includes Normal World, the Linux equivalent of user mode, and Secure World, which sits under Microsoft's custom Linux kernel, where Security Monitor runs. Only code provided by Microsoft can run in supervisor mode or in Secure World, Microsoft notes.

If you don't know of the Azure Sphere platform, you should know that it is designed to create Internet of Things devices (IoT) created based on low-power microcontrollers (MCU, microcontroller units) with integrated peripheral subsystems.

Azure Sphere too used in retail equipmentFor example, companies like Starbucks. One of the characteristics of the platform is the subsystem Pluton, designed to provide hardware for encryption, store private keys and perform complex cryptographic operations. Pluton includes a separate dedicated processor, crypto engine, hardware random number generator, and isolated keystore.

The initiative is specifically targeted at Azure Sphere OS and does not include cloud subsystems that are already included in a separate reward program.

This new research challenge aims to generate new high-impact security research on Azure Sphere, a comprehensive IoT security solution that delivers end-to-end security across hardware, operating system, and the cloud. While Azure Sphere implements security upfront and by default, Microsoft recognizes that security is not a one-time event.

Risks must be constantly mitigated over the lifespan of an ever-growing range of devices and services. Engaging the security research community to investigate high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize risk.

To receive a bonus, it is necessary to demonstrate a vulnerability during a local attack (application commitment) or remote, it could lead to third-party code not authenticated by digital signature, intercepting authentication parameters, increasing privileges, making configuration changes, or bypassing firewall restrictions.

To carry out the study, Microsoft expressed its willingness to provide participants with access to products and services, the Azure Sphere SDK, technical documentation, as well as providing a communication channel with the platform developers.

Microsoft partnered with several technology companies bringing expertise in IoT security research to launch the Azure Sphere Security Research Challenge, these partners include Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems (Talos), ESET, FireEye , F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.

If you are interested in requesting access to this research program, you must fill in the following application form before May 15, 2020.

Applications will be reviewed weekly and accepted researchers will be notified by email. This research challenge spans from of 1 June 2020  but also the 31 of August of 2020 for researchers accepted through the open application.

Finally, if you are interested in knowing more about it, you can consult the details In the following link. 


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.