Four researchers have scored US$100,000 from Facebook for revealing 11 bugs affecting platforms including the Chrome and Firefox browsers using novel vulnerability discovery methods.
The Georgia Institute of Technology team of PhD students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee discovered the holes affecting C++ programs.
The Social Network™, together with Usenix, offer up a pool of US$300,000 under the Internet Defense Prize™ first created last year.
The hacks are detailed in the paper Type Casting Verification: Stopping an Emerging Attack Vector (PDF) in which the quartet offered a tool to help detect the bad-casting and type-confusion holes.
Quoth the researchers:
Type casting, which converts one type of an object to another, plays an essential role in enabling polymorphism in C++ because it allows a program to utilize certain general or specific implementations in the class hierarchies. However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities.
Since a bad-casted pointer violates a programmer’s intended pointer semantics and enables an attacker to corrupt memory, bad-casting has critical security implications similar to those of other memory corruption vulnerabilities. Despite the increasing number of bad-casting vulnerabilities, the bad-casting detection problem has not been addressed by the security community.
The authors' CaVER vulnerability detection tool found two unknown browser bugs and nine in libstdc++ which have since been pinched.
The team says the dynamic analysis checks cause between a 7.6 percent and whopping 64.6 percent overhead on performance-intensive Chromium and Firefox benchmarks respectively.
A US$50,000 award went to a pair of German researchers who used static analysis to find second-order vulnerabilities in web applications. Facebook says the team used the cash to bring in new researchers and build new features.
Facebook security engineering manager Ioannis Papagiannis says such defensive security research needs to be more common in the academic world.
"We all benefit from this kind of work—a large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once," Papagiannis says in a statement.
"As an industry, we need to invest in those kinds of solutions that scale."
Might that statement be a subtle swipe at Oracle, which this week declared bug bounty programs expensive and ineffectual? There's a comment field down there and you know how to use it. ®