Researchers Earn $100 000 For Detecting Vulnerabilities and Creating a Tool To Fix Them
Facebook’s Internet Defence Prize is an initiative created by Facebook to reward and fund internet security research focusing on defence and protection. Last year a prize of $50 000 was paid to 2 individuals of Ruhr University in Bochum, Germany for their paper on “Static Detection of Second-Order Vulnerabilities in Web Applications”.
The team, consisting of two Ph.D. students and two professors from Georgia Tech, identified new memory-corruption vulnerabilities in browsers and developed techniques for detecting them. The team’s paper, titled “Type Casting Verification: Stopping an Emerging Attack Vector”, “explains a newly discovered class of C++ vulnerabilities and introduces CaVeR, a runtime bad-casting detection tool”, according to an article by Threatpost.
Type casting is a form of data type conversion: it converts a value of one data type to another. CaVeR monitors a browser while it runs and uses a new mechanism (the type hierarchy table) to trace the active browser, overcome the problems of existing approaches and verify type casts dynamically.
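A simplified sketch of runtime cast verification against a type hierarchy table, added here as an illustration; it is not CaVeR's code or the paper's implementation. The class names, `tracked_new`, `tracked_delete` and `checked_cast` are hypothetical, and the hierarchy is constructed for the example.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Constructed, non-polymorphic hierarchy: dynamic_cast cannot be used here,
// and static_cast performs no runtime check on a downcast.
struct Node { int id = 0; };
struct Element : Node { int attrs = 0; };
struct SVGElement : Element { double matrix[6] = {}; };

// Type hierarchy table: allocated type -> types it may legally be viewed as.
static const std::map<std::string, std::set<std::string>> kHierarchy = {
    {"Node", {"Node"}},
    {"Element", {"Element", "Node"}},
    {"SVGElement", {"SVGElement", "Element", "Node"}},
};

// Runtime trace of live objects, keyed by their Node base address.
static std::map<const Node*, std::string> g_allocated;

template <typename T> T* tracked_new(const char* type_name) {
    T* obj = new T();
    g_allocated[static_cast<Node*>(obj)] = type_name;
    return obj;
}

template <typename T> void tracked_delete(T* obj) {
    g_allocated.erase(static_cast<Node*>(obj));  // no stale entries
    delete obj;
}

// Returns the cast pointer only if the object's allocated type lists
// `to_name` in its table entry; nullptr for a bad cast or untracked object.
template <typename To, typename From> To* checked_cast(From* p, const char* to_name) {
    auto it = g_allocated.find(static_cast<const Node*>(p));
    if (it == g_allocated.end()) return nullptr;
    if (!kHierarchy.at(it->second).count(to_name)) return nullptr;
    return static_cast<To*>(p);
}

int main() {
    Element* e = tracked_new<Element>("Element");
    Node* n = e;  // upcast is always safe
    std::printf("to Element: %d, to SVGElement: %d\n",
                checked_cast<Element>(n, "Element") != nullptr,
                checked_cast<SVGElement>(n, "SVGElement") != nullptr);
    tracked_delete(e);
}
```

The downcast to `SVGElement` is refused because the object was allocated as an `Element`, which is the case a plain `static_cast` would let through unchecked.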
Facebook hopes the prize money encourages the team to continue working with CaVeR and make it accessible and reusable on a greater scale. The program has already identified two bad casts in Firefox and another in libstdc++, the GNU (a free operating system) standard C++ library used in the Chrome browser, thus resulting in the vulnerabilities being patched. They also hope that it will encourage more research targeting meaningful bugs affecting a lot of people on the internet.