In 2014, Facebook and USENIX teamed up to create an award called, “The Internet Defence Prize,” which recognizes and rewards research that makes the Internet more secure.
Last year’s winners, Johannes Dahse and Thorsten Holz, scooped a massive $50,000 for their research titled “Static detection of second-order vulnerabilities in web applications.”
This year, however, during the 24th USENIX Security Symposium, Facebook awarded an impressive $100,000 to a team of Georgia Tech researchers.
This is huge statement from Facebook as they join Microsoft with a six-figure payout for mitigation bypasses and new defensive techniques.
“Security research in general celebrates offensive research and less attention is paid to people doing the nitty-gritty work required to keep systems safe and whole classes of vulnerabilities less likely to occur. We look at work targeting meaningful bugs affecting a lot of people on the Internet,” said Facebook Security Engineering Manager, Ioannis Papagiannis.
The award was received by Ph.D. students Byoungyoung Lee and Chengyu Song, with Professors Taesoo Kim and Wenke Lee for their paper, “Type Casting Verification: Stopping an Emerging Attack Vector,” in which they reveal newly exposed class of C++ vulnerabilities and present CAVER, a runtime bad-casting detection tool.
The researchers explained:
“It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically.
We have applied CAVER to largescale software including Chrome and Firefox browsers, and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox, all of which have been confirmed and subsequently fixed by vendors.
Our evaluation showed that CAVER imposes up to 7.6% and 64.6% overhead for performance-intensive benchmarks on the Chromium and Firefox browsers, respectively.”
It’s truly motivating to see rewards given not only to those in the community who responsibly break in to a system or exploit a piece of technology, but also those who develop defensive measures that significantly contribute to the security of the Internet.
To learn more about the award, visit: http://internetdefenseprize.org/