August 17, 2015

Facebook gives $100,000 prize for finding browser flaws

Georgia Institute of Technology researchers worked on casting vulnerabilities.

By CBR Staff Writer

Facebook has awarded $100,000 to a team of researchers at the Georgia Institute of Technology for discovering a new class of security issues for C++ programmes.

Researchers Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee received the company’s Internet Defense Prize (IDP).

The researchers' paper, "Type Casting Verification: Stopping an Emerging Attack Vector," identified an important emerging class of security issues for C++ programmes.

C++ supports two major types of casting operators, static and dynamic, to convert one type of information into another. According to the researchers, the vulnerability in C++ programmes in Chrome and Firefox could lead to "bad casting" or "type confusion" and can allow attackers to corrupt memory in a browser.

They have discovered 11 vulnerabilities which are said to have been confirmed and fixed by vendors.

They have also developed a run-time detection tool called CAVER to find the vulnerabilities, which adds 7.6 percent and 64.6 percent overhead on browser performance in Chrome and Firefox, respectively.
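
An illustration of the "bad casting" problem described above, added here as an example and not taken from the paper, CAVER or any browser code base; the class names and the `checked_cast` helper are hypothetical. It shows why an unchecked `static_cast` downcast is dangerous and how a run-time check with `dynamic_cast` rejects the mismatched object instead.

```cpp
#include <cstdio>

// Constructed hierarchy; all names are hypothetical, not from any browser.
struct Node { virtual ~Node() = default; int id = 1; };
struct Element : Node { int attr_count = 0; };
struct TextNode : Node { char text[16] = "hello"; };

// A static_cast downcast is resolved at compile time with no run-time check:
//   Element* e = static_cast<Element*>(n);
// If n really points to a TextNode, e->attr_count would touch memory that is
// laid out as a TextNode: undefined behaviour (type confusion). Not executed.

// Verified downcast: dynamic_cast consults run-time type information and
// yields nullptr on a mismatch. Works only for polymorphic classes and
// costs a run-time lookup on every cast.
template <typename To>
To* checked_cast(Node* n, int* bad_casts) {
    To* p = dynamic_cast<To*>(n);
    if (n != nullptr && p == nullptr) ++*bad_casts;  // report, do not use
    return p;
}

// Walk a mixed node list and modify only objects that really are Elements.
int count_elements(Node** nodes, int len, int* bad_casts) {
    int found = 0;
    for (int i = 0; i < len; ++i) {
        if (Element* e = checked_cast<Element>(nodes[i], bad_casts)) {
            e->attr_count++;
            ++found;
        }
    }
    return found;
}

struct DemoResult { int elements; int bad_casts; };

// Constructed sample input: two Elements and one TextNode.
DemoResult run_demo() {
    Element a, b;
    TextNode t;
    Node* nodes[] = { &a, &t, &b };
    DemoResult r{0, 0};
    r.elements = count_elements(nodes, 3, &r.bad_casts);
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::printf("elements=%d bad_casts=%d\n", r.elements, r.bad_casts);
}
```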

Georgia Institute of Technology School of Computer Science professor and an adviser to the team Wenke Lee said: "It is time for the Internet community to start addressing the more difficult, deeper security problems.

"The security research community has been working on various ways to detect and fix memory safety bugs for decades, and have made progress on ‘stack overflow’ and ‘heap overflow’ bugs, but these have now become relatively easy problems.

"Our work studied the much harder and deeper bugs — in particular ‘use-after-free’ and ‘bad casting’ — and our tools discovered serious security bugs in widely used software, such as Firefox and libstdc++."

The IDP recognises and rewards research that makes the internet more secure. This is the second time Facebook has given out an IDP award since its creation in 2014.

The award is a partnership between Facebook and USENIX. It contributes to the protection and defense of the internet.

Successful recipients of the IDP will provide a working prototype that demonstrates contributions to the security of the internet.

Facebook security engineering manager Ioannis Papagiannis said: "Designing defensive security technology has never been more important, and that’s why we are once again offering the Internet Defense Prize to stimulate high quality research in this area.

"The Georgia Tech team’s novel technique for detecting bad type casts in C++ programs is the type of standout approach we want to encourage. We look forward to seeing what the team does next to create broader impact and improve security on the Internet."
