In-brief: Facebook said on Wednesday that it was doubling the amount of its Internet Defense Prize, awarding $100,000 to a group of researchers from Georgia Tech for work on static type casting vulnerabilities.
Two days after the software giant Oracle found itself in hot water for questioning the value of independent security researchers, social media giant Facebook sent a drastically different message: doubling the amount of an annual prize rewarding novel security research.
The company said on Wednesday that it was awarding its Internet Defense Prize, and a purse of US $100,000 to a team of Ph.D. students from Georgia Tech University for a paper describing a new method for identifying a class of vulnerabilities in C++ programs centered on the use of so-called “static” type casting in programs.
The paper, “Type Casting Verification: Stopping an Emerging Attack Vector,” by students Byoungyoung Lee and Chengyu Song, with Professors Taesoo Kim and Wenke Lee, describes a new method and a tool for detecting incorrect or bad type casting in C++ programs, including popular web browsers like Chrome and Firefox.
Ioannis Papagiannis, a Security Engineering Manager at Facebook, said that type casting flaws have been well understood for a while and result from application developers choosing a less reliable static type casting method because the alternative, dynamic type casting, incurs a significant performance hit. “A lot of companies go for the ‘fast but insecure’ approach,” he said.
The Georgia Tech researchers developed a tool, dubbed CAVER, that is described as a “runtime bad-casting detection tool” that “performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically.”
The researchers claim to have applied CAVER to the code of the Chromium and Firefox browsers and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox. Each of those have been confirmed and subsequently fixed by vendors.
Papagiannis said that CAVER makes it possible to have the best of both worlds: using static type casting to improve performance, but identifying type casting vulnerabilities that can then be addressed.
Facebook and the security group USENIX awarded the Internet Defense Prize for the first time in 2014, giving a prize of $50,000 to a pair of German researchers for research on using static analysis methods to detect second order vulnerability. The company is again partnering with USENIX this year. The company decided to double the monetary award in recognition of the value of the research and in hopes that researchers would be able to use the money to continue developing the CAVER tool, Papagiannis said.
“We all benefit from this kind of work,” he wrote in a blog post. “A large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale.”