Facebook Awards $100K to Georgia Tech Researchers Who Found 11 Flaws in Firefox, Chrome
“If you can’t beat them, pay them,” seems to be the current theme of the industry’s support of white hat hackers who are exposing company security flaws as part of their own research efforts.
August 19, 2015
“If you can’t beat them, pay them,” seems to be the current theme of the industry’s support of white hat hackers who are exposing company security flaws as part of their own research efforts.
Some of the latest to benefit from this trend are a group of researchers at the Georgia Institute of Technology, who have won $100,000 from Facebook to continue their research on a new cybersecurity analysis method that identified 11 Internet browser security flaws that were previously unknown.
The cash award was part of the Internet Defense Prize, which Facebook offers in partnership with USENIX to individuals or groups that are working to make the Internet safer.
The research of the group—which includes Virginia Tech Ph.D. students Byoungyoung Lee and Chengyu Song, as well as professors Taesoo Kim and Wenke Lee—is called “Type Casting Verification: Stopping an Emerging Attack Vector.” It explores vulnerabilities in C++ programs—such as Chrome and Firefox—that result from what’s called “bad casting” or “type confusion.”
Bad casting enables an attacker to corrupt the memory in a browser so that it follows a malicious logic instead of proper instructions. To catch people using this type of exploit, the researchers developed a new, proprietary detection tool called CAVER—a run-time detection tool with 7.6 percent to 64.6 percent overhead on browser performance on Chrome and Firefox, respectively.
Users of those applications shouldn’t worry, though—the 11 vulnerabilities the team identified have already been fixed, they said.
The 11 vulnerabilities identified by Georgia Tech have been confirmed and fixed by vendors. And this is exactly what researchers want to achieve with their work, along with a better awareness of security issues, said Wenke Lee, professor in the School of Computer Science and a team adviser, in a press release.
“It is time for the Internet community to start addressing the more difficult, deeper security problems,” he said.
While the security research community has been working for decades to detect and fix memory safety bugs for decades, making significant progress on what are called stack overflow and heap overflow bugs, these are just small potatoes compared to the security threats the Internet faces now, Lee said in the release.
“Our work studied the much harder and deeper bugs—in particular ‘use-after-free’ and ‘bad casting’—and our tools discovered serious security bugs in widely used software, such as Firefox and libstdc++,” he said, adding that researchers are grateful to Facebook for its recognition of their work.
Indeed, focusing on these deeper problems is what will determine the future security of the Internet, which is why Facebook was impressed with the team’s work, said Ioannis Papagiannis, security engineering manager at Facebook, in the release.
“The Georgia Tech team’s novel technique for detecting bad type casts in C++ programs is the type of standout approach we want to encourage,” he said. “We look forward to seeing what the team does next to create broader impact and improve security on the Internet.”
About the Author
You May Also Like