Participants can earn up to $100,000 for finding severe flaws in Microsoft’s Linux-based Azure Sphere IoT operating system.
Azure Sphere was unveiled in April 2018 as a means to improve security for devices connected to the Internet of Things (IoT). It’s made up of three parts: connected microcontrollers, a Linux-based OS and custom kernel to power them, and a security service to protect the connected devices. Azure Sphere hit general availability in February 2020, and now Microsoft is opening it to researchers.
The Azure Sphere Security Research Challenge builds on an earlier initiative, Azure Security Lab, which Microsoft debuted at Black Hat USA last summer. A group of researchers was invited to test attacks against Internet-as-a-service (IaaS) scenarios using a set of dedicated cloud hosts isolated from Azure customers. At the time, Microsoft doubled the top bounty reward for Azure flaws to $40,000.
The latest research challenge is application-only and will span three months, starting on June 1 and ending on August 31. Researchers must apply before May 15. Microsoft has invited researchers from industry partners participating in the program and will select a total of 50 people, says Sylvie Liu, security program manager at the Microsoft Security Response Center.
If accepted into the Azure Sphere challenge, participants will be provided resources including the Azure Sphere development kit, Azure Sphere product documentation, access to Microsoft products and services for research purposes, and direct communication with Microsoft’s team.
“Working with researchers during the initial phase of the Azure Security Lab, we found that resources, documentation, and more regular connections with the program participants and Microsoft teams were key to successful coordinated vulnerability disclosure,” Liu says. Based on these learnings, Microsoft will offer participants communication channels and weekly office hours with members of the Azure Sphere engineering team.
“We’ve also found that it’s valuable to learn from both the successful attempts and unsuccessful attempts of researchers,” Liu continues. “As a result, we are asking researchers to document and report both successful and unsuccessful attempts in this research challenge.”
Microsoft will award up to $100,000 in rewards for two specific scenarios during the program period. One of these is the ability to execute code on Azure Pluton, the security subsystem built into every Azure Sphere microcontroller unit (MCU). Pluton provides a hardware root of trust for the connected device in which the MCU sits. As part of the chip manufacturing process, a unique key is created to be used as the basis for authentication and cryptography.
Azure Sphere’s application platform supports two operating environments: Normal World and Secure World. Applications run in an application container in Normal World user mode, where they can access Azure Sphere libraries and a limited amount of OS services, Microsoft explains. The underlying Linux kernel runs in Normal World supervisor mode; the Security Monitor runs in Secure World. Only Microsoft-supplied code can run in supervisor mode or Secure World.
Vulnerabilities discovered outside the scope outlined for this research challenge, including the cloud portion, may qualify for rewards under the public Azure Bounty Program. Physical attacks are out of scope both for this challenge and the public program, Microsoft says.
To launch the Azure Sphere Security Research Challenge, Microsoft teamed up with several technology companies that bring expertise in IoT security research. These partners include Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems (Talos), ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.
Full article attribution is made to its original source and author.