A team of Georgia Tech researchers is probably still out partying after winning Facebook’s coveted Internet Defense Prize Wednesday evening.
The prize was created in 2014 by Facebook, and is meant to “recognize and reward research that meaningfully makes the internet more secure”. The prize is given in partnership with USENIX, and in its inaugural year came with a $50,000 cash reward. This year, the award, presented at the USENIX Security Symposium in Washington, D.C., was doubled to $100,000.
“As before (the previous inaugural year), we wanted the Internet Defense Prize to go to researchers who could combine a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense. We all benefit from this kind of work—a large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale,” said Ioannis Papagiannis, a security engineering manager at Facebook.
The winning paper, “Type Casting Verification: Stopping an Emerging Attack Vector”, introduces a newly discovered class of browser-based C++ vulnerabilities, and a runtime bad-casting detection tool, called CaVeR. According to the authors, Georgia Tech Ph.D. students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee, CaVeR “performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically.”
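To make the idea of verifying a cast at runtime concrete, here is a small added C++ illustration; it is not CaVeR's code and not taken from the paper. The class names, the `track` and `checked_cast` helpers, and the string-keyed table are all assumptions chosen for the sketch, and where CaVeR instruments programs at compile time, this sketch registers objects by hand.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Constructed, non-polymorphic hierarchy (no virtual functions, so dynamic_cast cannot be used).
struct Element     { int id = 0; };
struct HtmlElement : Element { int html_flags = 0; };
struct SvgElement  : Element { long svg_state[4] = {}; };

template <typename T> const char* type_name();
template <> const char* type_name<Element>()     { return "Element"; }
template <> const char* type_name<HtmlElement>() { return "HtmlElement"; }
template <> const char* type_name<SvgElement>()  { return "SvgElement"; }

// Hierarchy table (hypothetical layout): created type -> every type a pointer to it may be cast to.
static const std::map<std::string, std::set<std::string>> kHierarchy = {
    {"Element",     {"Element"}},
    {"HtmlElement", {"HtmlElement", "Element"}},
    {"SvgElement",  {"SvgElement", "Element"}},
};

// Runtime trace: object address -> type the object was actually created as.
static std::map<const Element*, std::string> g_created_as;

template <typename T> Element* track(T* obj) {
    g_created_as[obj] = type_name<T>();  // overwrites any stale entry for a reused address
    return obj;
}

// Returns nullptr instead of performing a cast the hierarchy table does not allow.
template <typename To> To* checked_cast(Element* p) {
    auto it = g_created_as.find(p);
    if (it == g_created_as.end()) return nullptr;                           // untracked: refuse
    if (!kHierarchy.at(it->second).count(type_name<To>())) return nullptr;  // bad cast
    return static_cast<To*>(p);
}

bool good_downcast_allowed() {
    HtmlElement h; Element* e = track(&h);
    return checked_cast<HtmlElement>(e) == &h && checked_cast<Element>(e) == e;
}
bool bad_downcast_rejected() {   // a plain static_cast<SvgElement*> would compile and "succeed"
    HtmlElement h; Element* e = track(&h);
    return checked_cast<SvgElement>(e) == nullptr;
}
bool base_object_not_downcast() {
    Element plain; Element* e = track(&plain);
    return checked_cast<HtmlElement>(e) == nullptr;
}

int main() {
    std::printf("%d %d %d\n", good_downcast_allowed(), bad_downcast_rejected(), base_object_not_downcast());
}
```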
CaVeR has already been responsible for discovering two Mozilla Firefox vulnerabilities, and nine Google Chrome libstdc++ and C++ library vulnerabilities. All of the vulnerabilities have since been patched. Facebook hopes that the researchers continue working on CaVeR and push to share it with the world when possible.
Congratulations to the winners of the 2015 Internet Defense Prize! Truly amazing work!