Facebook Awards Security Researchers $100,000

In 2014, Facebook and USENIX teamed up to create an award called “The Internet Defence Prize”, which recognizes and rewards research that makes the internet more secure.

Last year’s winners, Johannes Dahse and Thorsten Holz, scooped a massive $50,000 for their research titled “Static detection of second-order vulnerabilities in web applications”.

However, this year, during the 24th USENIX Security Symposium, Facebook have gone one better and awarded $100,000 to a team of Georgia Tech researchers.

This is a huge statement from Facebook as they join Microsoft with a six-figure payout for mitigation bypasses and new defensive techniques for those bypasses.

“Security research in general celebrates offensive research and less attention is paid to people doing the nitty-gritty work required to keep systems safe and whole classes of vulnerabilities less likely to occur. We look at work targeting meaningful bugs affecting a lot of people on the Internet,” said Facebook Security Engineering Manager, Ioannis Papagiannis.

The award of $100,000 was given to Ph.D. students Byoungyoung Lee and Chengyu Song, with Professors Taesoo Kim and Wenke Lee, for their paper, “Type Casting Verification: Stopping an Emerging Attack Vector.”


Georgia Tech’s winning team at the 24th USENIX Security Symposium (picture from Facebook)

In their paper, they explain a newly exposed class of C++ vulnerabilities and present CAVER, a runtime bad-casting detection tool.

“It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically. We have applied CAVER to large-scale software including Chrome and Firefox browsers, and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox, all of which have been confirmed and subsequently fixed by vendors. Our evaluation showed that CAVER imposes up to 7.6% and 64.6% overhead for performance-intensive benchmarks on the Chromium and Firefox browsers, respectively.”

It’s fantastic to see rewards given not only to those in the community who responsibly break into a system or exploit a piece of technology, but also to those who develop defensive measures that significantly contribute to the security of the internet.

To learn more about the award visit: http://internetdefenseprize.org/
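To make the quoted description of bad-casting detection concrete, here is a toy illustration added for this article; it is not CAVER's code or design. The class names, the string-keyed hierarchy table and the helpers `traced_new`, `cast_is_safe` and `checked_cast` are all hypothetical, and the bookkeeping is written by hand where the paper describes compile-time instrumentation.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Hypothetical toy classes (constructed for this example); non-polymorphic,
// so dynamic_cast cannot be used to check these downcasts.
struct Element { int id = 0; };
struct HtmlElement : Element { int html_flags = 0; };
struct SvgElement : Element { long svg_data[4] = {}; };

// Toy type hierarchy table: each type name maps to its direct base ("" = root).
static const std::map<std::string, std::string> kHierarchy = {
    {"Element", ""}, {"HtmlElement", "Element"}, {"SvgElement", "Element"}};

// Toy runtime type tracing: live object address -> type it was allocated as.
static std::map<const void*, std::string> g_allocated_type;

template <typename T>
T* traced_new(const std::string& name) {
    T* obj = new T();
    g_allocated_type[static_cast<Element*>(obj)] = name;
    return obj;
}

// True if an object allocated as `actual` may be viewed as `target`,
// i.e. target is the allocated type itself or one of its ancestors.
bool cast_is_safe(const std::string& actual, const std::string& target) {
    for (std::string t = actual; !t.empty(); t = kHierarchy.at(t))
        if (t == target) return true;
    return false;
}

// Verify before casting; returns nullptr instead of performing a bad cast.
template <typename T>
T* checked_cast(Element* p, const std::string& target) {
    auto it = g_allocated_type.find(p);
    if (it == g_allocated_type.end() || !cast_is_safe(it->second, target))
        return nullptr;
    return static_cast<T*>(p);
}

int main() {
    Element* e = traced_new<HtmlElement>("HtmlElement");
    std::printf("to HtmlElement: %s\n", checked_cast<HtmlElement>(e, "HtmlElement") ? "ok" : "bad cast");
    std::printf("to SvgElement:  %s\n", checked_cast<SvgElement>(e, "SvgElement") ? "ok" : "bad cast");
    delete static_cast<HtmlElement*>(e);
    return 0;
}
```

An unchecked `static_cast<SvgElement*>(e)` would compile without complaint here and let later code read or write `svg_data` past the end of the smaller `HtmlElement` allocation, which is why the check has to happen at run time.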
