Facebook awards Internet Defense Prize of $100,000 for a tool designed to detect problems in C++

A team of security researchers from Georgia Tech were awarded $100,000 prize for their work in the security of C++ programs. The team comprising of Ph.D students, Byoungyoung Lee and Chengyu Song, along with Professors Taesoo Kim and Wenke Lee from Georgia Tech were awarded the cash prize for discovering new browser-based susceptibilities and for inventing a detection tool that deals with the vulnerabilities.

Developed by Facebook, the “Internet Defense Prize” is a scheme to reward researchers for projects and prototypes that encourage the safety of the Internet. A part of Facebook’s “Internet Defense Prize“, the cash prize is given at the USENIZ Security Symposium in Washington, D.C.

Most importantly, the payout has doubled from last year’s inaugural payout of $50,000, which was awarded to German researchers. The won the prize for their work on using static analysis to identify “second-order vulnerabilities” in applications used to compromise users after being stored in web servers before time.

In a blog post on Thursday, Facebook Security Engineering Manager Ioannis Papagiannis said due to the success of last year, the social media giant partnered again with USENIX in a call for submissions for the prize, won this year by a team from Georgia Tech in Atlanta, Georgia.

The Georgia Tech group discovered a new class of C++ vulnerabilities that are browser-based. The research paper, titled “Type Casting Verification: Stopping an Emerging Attack Vector,” inspects in detail a variety of security problems in C++, which is used in applications such as the Chrome and Firefox browser. As explained by Papagiannis,

C++ supports two major different types of casting operators to convert one type of data into another: static and dynamic casts. Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead.

People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process.

This, in turn can lead to bad-casting or type-confusion susceptibilities. Hence, the group also developed CaVeR, a runtime based bad-casting detection tool. The findings and introduction of the new tool are further detailed in their research paper.

The researchers while describing their detection tool CaVeR wrote, “It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically.”

In the team’s experiments, CAVER detected 11 previously unknown vulnerabilities — nine in GNU libstdc++ and two in Firefox, which have now been patched by the vendors.

The prize was awarded at the 24th USENIX Security Symposium. Papagiannis said:

We all benefit from this kind of work — a large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale.”


Please enter your comment!
Please enter your name here