
Facebook hands hackers $100k for breaking browsers

Internet Defense Prize™ handed out, bugs broken. Hello Oracle?

Four researchers have scored US$100,000 from Facebook for revealing 11 bugs affecting platforms including the Chrome and Firefox browsers using novel vulnerability discovery methods.

The Georgia Institute of Technology team of PhD students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee discovered the holes affecting C++ programs.

The Social Network™, together with Usenix, offers up a pool of US$300,000 under the Internet Defense Prize™ first created last year.

The hacks are detailed in the paper Type Casting Verification: Stopping an Emerging Attack Vector (PDF) in which the quartet offered a tool to help detect the bad-casting and type-confusion holes.

Quoth the researchers:

Type casting, which converts one type of an object to another, plays an essential role in enabling polymorphism in C++ because it allows a program to utilize certain general or specific implementations in the class hierarchies. However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities.

Since a bad-casted pointer violates a programmer’s intended pointer semantics and enables an attacker to corrupt memory, bad-casting has critical security implications similar to those of other memory corruption vulnerabilities. Despite the increasing number of bad-casting vulnerabilities, the bad-casting detection problem has not been addressed by the security community.

The authors' CaVER vulnerability detection tool found two unknown browser bugs and nine in libstdc++ which have since been patched.

The team says the dynamic analysis checks cause a 7.6 percent and a whopping 64.6 percent overhead on performance-intensive Chromium and Firefox benchmarks, respectively.
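To make the bug class concrete, here is an added example (not code from the paper or from CaVER) contrasting an unchecked `static_cast` downcast with a runtime-verified one. It uses C++'s built-in `dynamic_cast` as the check, which is an assumption made for illustration and not CaVER's mechanism; the class names and the `verified_cast` and `audit_casts` helpers are hypothetical.

```cpp
#include <cstdio>
#include <typeinfo>

// Constructed hierarchy for illustration; the names are not from the paper.
struct Element     { virtual ~Element() = default; int id = 0; };
struct HtmlElement : Element { int tab_index = 0; };
struct SvgElement  : Element { double view_box[4] = {0, 0, 100, 100}; };

// A bad cast turns into memory corruption because the target type is larger:
// view_box would lie beyond the end of an HtmlElement allocation.
static_assert(sizeof(SvgElement) > sizeof(HtmlElement), "sibling is larger");

// The bug class. static_cast performs no runtime check, so this compiles and
// hands back a SvgElement* even when e points to an HtmlElement. Shown for
// contrast only; it is never called here.
SvgElement* unchecked_downcast(Element* e) {
    return static_cast<SvgElement*>(e);
}

// Verified downcast: dynamic_cast consults the object's runtime type and
// yields nullptr on a mismatch. Each mismatch is counted and logged.
template <typename To>
To* verified_cast(Element* e, int* bad_casts) {
    To* out = dynamic_cast<To*>(e);
    if (e != nullptr && out == nullptr) {
        ++*bad_casts;
        std::fprintf(stderr, "bad cast: object is %s, requested %s\n",
                     typeid(*e).name(), typeid(To).name());
    }
    return out;
}

// Casts every node to SvgElement the way buggy code might assume is safe,
// and returns how many of those casts the check rejected.
int audit_casts() {
    HtmlElement html;
    SvgElement svg;
    Element* nodes[] = {&html, &svg, &html};
    int bad_casts = 0;
    for (Element* n : nodes) {
        if (SvgElement* s = verified_cast<SvgElement>(n, &bad_casts))
            s->view_box[2] = 50;  // reached only for a genuine SvgElement
    }
    return bad_casts;
}

int main() { return audit_casts() == 2 ? 0 : 1; }
```

The per-cast lookup in `verified_cast` is the kind of runtime work that shows up as overhead when every downcast in a large code base is checked.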

A US$50,000 award went to a pair of German researchers who used static analysis to find second-order vulnerabilities in web applications. Facebook says the team used the cash to bring in new researchers and build new features.

Facebook security engineering manager Ioannis Papagiannis says such defensive security research needs to be more common in the academic world.

"We all benefit from this kind of work—a large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once," Papagiannis says in a statement.

"As an industry, we need to invest in those kinds of solutions that scale."

Might that statement be a subtle swipe at Oracle, which this week declared bug bounty programs expensive and ineffectual? There's a comment field down there and you know how to use it. ®
