Facebook tonight awarded a $100,000 prize to a team of Georgia Tech researchers who found a new class of browser-based memory-corruption vulnerabilities and built a corresponding detection technique. The award brings the social media giant on par with Microsoft and its six-figure payouts for mitigation bypasses and new defensive techniques for those bypasses.
The award, Facebook’s Internet Defense Prize, was handed out at the USENIX Security Symposium in Washington, D.C., and doubles last year’s inaugural payout of $50,000. The prize is an effort to recognize and fund Internet security research in the areas of defense and protection, Facebook said.
“Security research in general celebrates offensive research and less attention is paid to people doing the nitty-gritty work required to keep systems safe and whole classes of vulnerabilities less likely to occur,” said Facebook security engineering manager Ioannis Papagiannis. “We look at work targeting meaningful bugs affecting a lot of people on the Internet.”
Georgia Tech Ph.D. students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee are this year’s winners. Their paper, “Type Casting Verification: Stopping an Emerging Attack Vector,” explains a newly discovered class of C++ vulnerabilities and introduces CaVeR, a runtime bad-casting detection tool.
“It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically,” the researchers wrote in describing CaVeR.
Papagiannis said Facebook hopes the reward money incentivizes the researchers to continue working on CaVeR and make it accessible and reusable on a greater scale.
“They are targeting a real-world security problem that has been used to attack high-profile vulnerabilities,” he said, pointing to a 2013 Chrome type confusion exploit. “This addresses an important problem.”
Type casting, the researchers said, is important in enabling polymorphism in C++ programming in particular.
“However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities,” the researchers wrote. “Since a bad-casted pointer violates a programmer’s intended pointer semantics and enables an attacker to corrupt memory, bad-casting has critical security implications similar to those of other memory corruption vulnerabilities. Despite the increasing number of bad-casting vulnerabilities, the bad-casting detection problem has not been addressed by the security community.”
Facebook’s Papagiannis said in a statement that C++ supports static and dynamic casts; static casts are preferred for performance reasons.
“People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object,” Papagiannis said. “That pointer can then be used to corrupt the memory of the process.”
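The static-cast problem Papagiannis describes, shown as an added C++ example that is not code from the paper or from CaVeR: an unchecked downcast beside a checked one. CaVeR, per the description above, verifies such casts at runtime; here the language's own dynamic_cast stands in as the checked form, and the Shape/Circle hierarchy is constructed for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <memory>

// Hypothetical class hierarchy, constructed for this example.
struct Shape {
    virtual ~Shape() = default;  // polymorphic, so RTTI and dynamic_cast apply
    int id = 1;
};

struct Circle : Shape {
    double radius = 2.0;  // stored past the end of a plain Shape allocation
};

// The bad-cast pattern described above: an unchecked downcast. If s really
// points to a plain Shape, the returned Circle* makes `radius` alias memory
// beyond that object; the cast itself is already undefined behaviour, and
// a later read or write through it is the memory corruption. Nothing here
// dereferences the result.
Circle* unchecked_downcast(Shape* s) {
    return static_cast<Circle*>(s);  // no runtime check: trusts the caller
}

// Checked form: dynamic_cast consults the object's runtime type information
// and yields nullptr when the object is not a Circle (or a subclass of it).
Circle* checked_downcast(Shape* s) {
    return dynamic_cast<Circle*>(s);
}

// Bytes past the real allocation that a bad-casted Circle* would reach;
// 0 means the downcast is type-safe for this particular object.
std::size_t overreach_bytes(Shape* s) {
    if (checked_downcast(s) != nullptr) return 0;
    return sizeof(Circle) - sizeof(Shape);
}

int main() {
    std::unique_ptr<Shape> plain = std::make_unique<Shape>();
    std::unique_ptr<Shape> circle = std::make_unique<Circle>();
    // static_cast "succeeds" either way; only the object's true type differs.
    assert(unchecked_downcast(plain.get()) != nullptr);
    assert(checked_downcast(plain.get()) == nullptr);   // bad cast caught
    assert(checked_downcast(circle.get()) != nullptr);  // legitimate downcast
    std::printf("a bad cast here would reach %zu bytes past the Shape\n",
                overreach_bytes(plain.get()));
    return 0;
}
```

Building with a type sanitizer (for example clang's -fsanitize=vptr) flags the unchecked cast at the point it happens, which is the same class of runtime check the article credits CaVeR with generalizing.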
CaVeR has already paid dividends for the security community: with it, the researchers found two bad casts in Firefox and another nine in libstdc++, the GNU standard C++ library used in the Chrome browser. The vulnerabilities have since been patched.
Last year, Facebook paid $50,000 to Johannes Dahse and Thorsten Holz of Ruhr University in Bochum, Germany for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.”
Papagiannis said Facebook will meet Dahse and Holz a month from now in London to assess the progress they’ve made on their defensive tool and whether Facebook would consider using it internally. He also said that Facebook makes no claims on any of the research and encourages teams to share their work with the greater community outside of academia.
Payouts of that size have been rare from reward programs. Microsoft’s defense prize, known as the Blue Hat Prize, paid out $200,000 in the summer of 2012 to a Columbia University Ph.D. candidate for his ROP mitigation technology. It has also paid out six-figure prizes to researchers for mitigation bypasses, the most recent being a $125,000 award to HP’s Zero Day Initiative team for new vulnerabilities that enable ASLR bypass. Microsoft said it would not patch the bugs because they did not affect enough users, prompting HP in June to disclose full details and proof-of-concept code.
The mitigation bypass bounty was launched in June 2013 and featured a $100,000 prize for exploit techniques that bypass Windows mitigations such as DEP, ASLR, SEHOP and others.