Facebook Awards Tech Researchers 100 000 For Vulnerability Discovery Tool For C

Developed by Facebook, the “Internet Defense Prize” is a scheme to reward researchers for projects and prototypes that encourage the safety of the Internet. A part of Facebook’s “Internet Defense Prize“, the cash prize is given at the USENIZ Security Symposium in Washington, D.C. Most importantly, the payout has doubled from last year’s inaugural payout of $50,000, which was awarded to German researchers. The won the prize for their work on using static analysis to identify “second-order vulnerabilities” in applications used to compromise users after being stored in web servers before time. In a blog post on Thursday, Facebook Security Engineering Manager Ioannis Papagiannis said due to the success of last year, the social media giant partnered again with USENIX in a call for submissions for the prize, won this year by a team from Georgia Tech in Atlanta, Georgia. The Georgia Tech group discovered a new class of C++ vulnerabilities that are browser-based. The research paper, titled “Type Casting Verification: Stopping an Emerging Attack Vector,” inspects in detail a variety of security problems in C++, which is used in applications such as the Chrome and Firefox browser. As explained by Papagiannis, This, in turn can lead to bad-casting or type-confusion susceptibilities. Hence, the group also developed CaVeR, a runtime based bad-casting detection tool. The findings and introduction of the new tool are further detailed in their research paper. People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process.“ The researchers while describing their detection tool CaVeR wrote, “It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically.” In the team’s experiments, CAVER detected 11 previously unknown vulnerabilities — nine in GNU libstdc++ and two in Firefox, which have now been patched by the vendors. The prize was awarded at the 24th USENIX Security Symposium. Papagiannis said: