Facebook issues Internet Defense Prize for vulnerability discovery tool

Facebook has awarded researchers $100,000 for a tool designed to detect problems in C++.
Written by Charlie Osborne, Contributing Writer

Facebook has awarded $100,000 to a pair of Ph.D. students for their work on the security of C++ programs, which resulted in the detection and patching of zero-day vulnerabilities.

The Internet Defense Prize is a scheme developed by Facebook to reward researchers for projects and prototypes that boost the safety of the Internet. Last year, $50,000 was awarded to German researchers for their work using static analysis to detect "second-order vulnerabilities" in applications used to compromise users after being stored in web servers ahead of time.

In a blog post on Thursday, Facebook Security Engineering Manager Ioannis Papagiannis said due to the success of last year, the social media giant partnered again with USENIX in a call for submissions for the prize, won this year by a team from Georgia Tech in Atlanta, Georgia.

Ph.D. students Byoungyoung Lee and Chengyu Song, with Professors Taesoo Kim and Wenke Lee from Georgia Tech, have been awarded $100,000 for their research into security problems associated with C++ programs.

The research paper, titled "Type Casting Verification: Stopping an Emerging Attack Vector," examines a variety of security problems in C++, which is used in applications such as the Chrome and Firefox browsers. As explained by Papagiannis:

"C++ supports two major different types of casting operators to convert one type of data into another: static and dynamic casts. Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead.
People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process."

This, in turn, can lead to bad-casting or type-confusion vulnerabilities.
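The difference between the two cast operators described above, shown as an added example that is not code from the article, the research paper or the CAVER tool. The class hierarchy and the `checked_cast`, `overreach` and `image_cast_rejected` helpers are hypothetical names constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <typeinfo>

// Hypothetical class hierarchy (constructed for this example).
struct Element { virtual ~Element() = default; int id = 0; };
struct TextElement : Element { int length = 0; };
struct ImageElement : Element { unsigned char pixels[64] = {}; };

// How many bytes a To-typed pointer would treat as in-bounds beyond the end
// of an object that is really only sizeof(From) bytes long.
template <class To, class From>
constexpr std::size_t overreach() {
    return sizeof(To) > sizeof(From) ? sizeof(To) - sizeof(From) : 0;
}

// Same call shape as static_cast<To*>(p), but the object's dynamic type is
// verified at runtime; a wrong downcast throws instead of yielding a pointer.
template <class To, class From>
To* checked_cast(From* p) {
    if (p == nullptr) return nullptr;
    if (To* q = dynamic_cast<To*>(p)) return q;
    throw std::bad_cast();
}

// Returns true when treating *e as an ImageElement is rejected.
bool image_cast_rejected(Element* e) {
    try {
        checked_cast<ImageElement>(e);
        return false;
    } catch (const std::bad_cast&) {
        return true;
    }
}

int main() {
    std::unique_ptr<Element> text = std::make_unique<TextElement>();
    std::unique_ptr<Element> image = std::make_unique<ImageElement>();
    // static_cast<ImageElement*>(text.get()) would compile without complaint,
    // yet most of its pixels array would lie outside the real allocation.
    std::printf("overreach if miscast: %zu bytes\n",
                overreach<ImageElement, TextElement>());
    std::printf("text  -> ImageElement rejected: %d\n", image_cast_rejected(text.get()));
    std::printf("image -> ImageElement rejected: %d\n", image_cast_rejected(image.get()));
    return 0;
}
```

The runtime check costs a type lookup on every cast, which is the overhead the quote says leads developers to prefer static casts.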

The researchers proposed a technique for detecting bad type casts by combining both static and dynamic analysis. According to Facebook, the prototype 'CAVER' bad-casting detection tool offers better coverage and compatibility with existing applications. In the team's experiments, CAVER detected 11 previously unknown vulnerabilities -- nine in GNU libstdc++ and two in Firefox, which have now been fixed by vendors.

The prize was awarded at the 24th USENIX Security Symposium. Papagiannis said:

"We all benefit from this kind of work -- a large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale."

In related news, Boston.com reports that Harvard student Aran Khanna lost his chance of a summer internship at Facebook after launching a Chrome extension called Marauder's Map, which capitalized on a privacy flaw within the network and was able to map users' geographical data when they sent messages through Facebook Messenger.
