Facebook Awards $100,000 to White-Hat Hackers
Facebook’s ‘Internet Defense Prize’, a cash prize of $100,000, was awarded to a team of security researchers who discovered a new class of browser-based vulnerabilities and devised a method to detect them.
A team of Georgia Tech security researchers was awarded a $100,000 prize by Facebook on Wednesday night. The researchers had discovered a new category of vulnerabilities related to browser-based memory corruption and, furthermore, developed a technique to detect such vulnerabilities. With the award, Facebook’s prize is now on equal footing with Microsoft’s own six-figure bounty program, which rewards security researchers for discovering mitigation bypasses and for devising techniques for those bypasses.
The cash prize is part of Facebook’s “Internet Defense Prize”, handed out at the USENIX Security Symposium in Washington, D.C. Significantly, the payout has doubled from last year’s inaugural prize of $50,000.
The award is issued in recognition of cybersecurity research in the areas of cyber defenses and protection, according to Facebook.
“As before (the previous inaugural year), we wanted the Internet Defense Prize to go to researchers who could combine a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense. We all benefit from this kind of work—a large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale,” said Ioannis Papagiannis, a security engineering manager at Facebook, in a blog post.
“Security research, in general, celebrates offensive research and less attention is paid to people doing the nitty-gritty work required to keep systems safe and whole classes of vulnerabilities less likely to occur,” added Papagiannis.
We look at work targeting meaningful bugs affecting a lot of people on the Internet.
Vulnerabilities in C++ and a Brand New Detection Tool
Byoungyoung Lee and Chengyu Song, along with professors Taesoo Kim and Wenke Lee, are the winners of this year’s Internet Defense Prize. The group discovered a new class of browser-based C++ vulnerabilities and also developed CaVeR, a runtime-based bad-casting detection tool. The findings and the new tool are detailed in their paper, “Type Casting Verification: Stopping an Emerging Attack Vector.”
In describing their detection tool CaVeR, the researchers wrote, “It performs program instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically.”
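To make concrete the two pieces named in that quote, here is an added example that is not CaVeR’s code and not taken from the paper. It models a type hierarchy table that lists the legal cast targets for every type, and runtime type tracing that records the type each object was allocated as, so a downcast can be verified at the moment it happens. The names TypeHierarchyTable, TypeTracker, tracked_new and checked_cast are hypothetical, the Node/Text/Element hierarchy is constructed for illustration, and a wrapper around new stands in for the compile-time instrumentation the real tool performs. It needs a C++17 compiler.

```cpp
// Added example (not CaVeR's code): a miniature model of runtime bad-casting
// detection. Allocations record each object's real type, a type hierarchy
// table lists the legal cast targets per type, and every downcast is checked
// against both. All names here are hypothetical; requires C++17.
#include <iostream>
#include <map>
#include <set>
#include <type_traits>
#include <typeindex>
#include <utility>

// Constructed sample hierarchy with no virtual functions: no vtable exists,
// dynamic_cast is unavailable, and static_cast performs no check at all.
struct Node    { int id = 0; };
struct Text    : Node { int length = 0; };                         // 8 bytes
struct Element : Node { int attr_count = 0; int child[4] = {}; };  // 24 bytes

// Type hierarchy table: for every allocated type, the set of types an object
// of that type may legally be cast to (itself and all of its bases).
struct TypeHierarchyTable {
    std::map<std::type_index, std::set<std::type_index>> valid_targets;

    template <typename D, typename... Bases>
    void add() {
        static_assert((std::is_base_of_v<Bases, D> && ...),
                      "the table must mirror the real class hierarchy");
        auto& targets = valid_targets[std::type_index(typeid(D))];
        targets.insert(std::type_index(typeid(D)));
        (targets.insert(std::type_index(typeid(Bases))), ...);
    }

    bool allows(std::type_index allocated, std::type_index target) const {
        auto it = valid_targets.find(allocated);
        return it != valid_targets.end() && it->second.count(target) != 0;
    }
};

// Runtime type tracing: object address -> type it was allocated as. CaVeR
// gets this by instrumenting allocations at compile time; tracked_new stands
// in. Assumes single inheritance, so a base pointer equals the object address.
struct TypeTracker {
    TypeHierarchyTable tht;
    std::map<const void*, std::type_index> allocated_type;
    int bad_casts = 0;

    template <typename T, typename... Args>
    T* tracked_new(Args&&... args) {
        T* p = new T(std::forward<Args>(args)...);
        allocated_type.emplace(static_cast<const void*>(p), std::type_index(typeid(T)));
        return p;
    }

    // Stand-in for an instrumented static_cast: the cast goes through only if
    // the allocated type permits the target; otherwise it is reported and
    // nullptr is returned, so the caller never touches a mistyped object.
    template <typename To, typename From>
    To* checked_cast(From* p) {
        auto it = allocated_type.find(static_cast<const void*>(p));
        bool ok = it != allocated_type.end() &&
                  tht.allows(it->second, std::type_index(typeid(To)));
        if (!ok) {
            ++bad_casts;
            std::cerr << "bad-casting detected: object allocated as "
                      << (it == allocated_type.end() ? "<untracked>" : it->second.name())
                      << " cast to " << typeid(To).name() << "\n";
            return nullptr;
        }
        return static_cast<To*>(p);
    }
};

TypeTracker make_tracker() {
    TypeTracker t;
    t.tht.add<Node>();
    t.tht.add<Text, Node>();
    t.tht.add<Element, Node>();
    return t;
}

// Legitimate downcast: allocated as Element, handled as Node*, cast back.
bool good_downcast_passes() {
    TypeTracker t = make_tracker();
    Node* n = t.tracked_new<Element>();
    Element* e = t.checked_cast<Element>(n);
    bool ok = e != nullptr && t.bad_casts == 0;
    delete static_cast<Element*>(n);
    return ok;
}

// Bad-casting: the object is really an 8-byte Text but the code assumes an
// Element. A raw static_cast would succeed silently and e->child[3] would read
// well past the end of the object; the checked cast refuses it instead.
bool bad_downcast_is_detected() {
    TypeTracker t = make_tracker();
    Node* n = t.tracked_new<Text>();
    Element* e = t.checked_cast<Element>(n);
    bool detected = e == nullptr && t.bad_casts == 1;
    delete static_cast<Text*>(n);
    return detected;
}

int main() {
    std::cout << "legitimate downcast accepted: " << good_downcast_passes() << "\n";
    std::cout << "bad-casting flagged: " << bad_downcast_is_detected() << "\n";
    return 0;
}
```

The weak spot is the plain static_cast in bad_downcast_is_detected: C++ never checks it, so a Text handled through a Node* can be treated as an Element and its missing fields read from whatever memory follows the object. The checked version fails closed, which is the property a detector like CaVeR enforces at every cast site it instruments.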
The tool has already benefited the security community. Security researchers making use of the tool have discovered:
- Two vulnerabilities in Mozilla’s popular Firefox browser.
- Nine vulnerabilities in libstdc++, the C++ library used by Google’s Chrome browser.
Crucially, the vulnerabilities found in both browsers have since been patched, thanks to the discoveries made with CaVeR.
“They are targeting a real-world security problem that has been used to attack high-profile vulnerabilities,” Papagiannis noted, pointing to a 2013 Chrome type confusion exploit. “This addresses an important problem,” he added, stressing that Facebook hopes the reward money will enable the researchers to continue working on CaVeR and to make the detection tool more accessible and reusable on a wider scale.