View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 17, 2015

Facebook gives $100,000 prize for finding browser flaws

Georgia Institute of Technology researchers worked on casting vulnerabilities.

By CBR Staff Writer

Facebook has awarded $100,000 to a team of researchers at the Georgia Institute of Technology for discovering a new class of security issues for C++ programmes.

Researchers Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee received the company’s Internet Defense Prize (IDP).

The paper, "Type Casting Verification: Stopping an Emerging Attack Vector," by the researchers identified an important emerging class of security issues for C++ programmes.

C++ supports two major static and dynamic types of casting operators to convert one type of information into an other. According to the researchers, the vulnerability in C++ programmes in Chrome and Firefox could lead to "bad casting" or "type confusion" and can allow attackers to corrupt memory in a browser.

They have discovered 11 vulnerabilities which are said to have been confirmed and fixed by vendors.

They have also developed a detection tool called CAVER to find the vulnerabilities which is a run-time detection tool with 7.6 percent – 64.6 percent overhead on browser performance in Chrome and Firefox, respectively.

Georgia Institute of Technology School of Computer Science professor and an adviser to the team Wenke Lee said: "It is time for the Internet community to start addressing the more difficult, deeper security problems.

Content from our partners
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer
Financial management can be onerous for CFOs, but new tech is helping lighten the load

"The security research community has been working on various ways to detect and fix memory safety bugs for decades, and have made progress on ‘stack overflow’ and ‘heap overflow’ bugs, but these have now become relatively easy problems.

"Our work studied the much harder and deeper bugs — in particular ‘use-after-free’ and ‘bad casting’ — and our tools discovered serious security bugs in widely used software, such as Firefox and libstdc++."

The IDP recognises and rewards research that makes the internet more secure. This is the second time Facebook has given out an IDP award since its creation in 2014.

The award is a partnership between Facebook and USENIX. It contributes to the protection and defense of the internet.

Successful recipients of the IDP will provide a working prototype that demonstrates contributions to the security of the internet.

Facebook security engineering manager Ioannis Papagiannis said: "Designing defensive security technology has never been more important, and that’s why we are once again offering the Internet Defense Prize to stimulate high quality research in this area.

"The Georgia Tech team’s novel technique for detecting bad type casts in C++ programs is the type of standout approach we want to encourage. We look forward to seeing what the team does next to create broader impact and improve security on the Internet."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU