Facebook has awarded $100,000 to Georgia Tech Ph.D. students Byoungyoung Lee and Chengyu Song, who identified an important emerging class of security issues for C++ programs.
The paper by Song and Lee, written with Professors Taesoo Kim and Wenke Lee and titled “Type Casting Verification: Stopping an Emerging Attack Vector,” examines the two main kinds of casting operators that C++ provides for converting one type of data into another: static and dynamic casts. Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead. Developers typically prefer static casts because they avoid that overhead, but if a static cast converts to the wrong type, the program may end up with a pointer that can reach past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process.
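The difference between the two casts, as an added example that is not taken from the paper or from its prototype: the `Element` and `SvgElement` classes and the helper names are hypothetical, chosen only to show a downcast that a runtime check rejects.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Hypothetical hierarchy (constructed for this example).
struct Element {
    virtual ~Element() = default;  // polymorphic, so dynamic_cast can see the runtime type
    int id = 0;
};

struct SvgElement : Element {
    char path_data[64] = {};       // state that a plain Element allocation does not contain
};

// Bytes an SvgElement* view could address beyond an object that is really an Element.
constexpr std::size_t overreach_bytes() {
    return sizeof(SvgElement) - sizeof(Element);
}

// Runtime-checked downcast: yields nullptr when the object is not actually a To.
// A static_cast<To*>(p) in the same place would compile for any From* and
// perform no check at all, which is the bad-cast case described above.
template <typename To, typename From>
To* checked_cast(From* p) {
    return dynamic_cast<To*>(p);
}

// Reads derived-only state only after the runtime type has been confirmed.
// Returns -1 when the object is not an SvgElement.
long path_length(Element* e) {
    SvgElement* svg = checked_cast<SvgElement>(e);
    if (svg == nullptr) {
        return -1;                 // wrong type: refuse instead of reading past the object
    }
    return static_cast<long>(std::strlen(svg->path_data));
}

int main() {
    Element plain;                 // constructed sample objects
    SvgElement svg;
    std::strcpy(svg.path_data, "M0 0L1 1");

    std::printf("derived view exceeds base object by %zu bytes\n", overreach_bytes());
    std::printf("plain element: %ld\n", path_length(&plain));
    std::printf("svg element:   %ld\n", path_length(&svg));
    return 0;
}
```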
The authors proposed a novel technique for detecting bad type casts that combines static and dynamic analysis. Their prototype substantially improved upon the state of the art, offering better coverage and compatibility with existing applications. The results were also strong: the prototype discovered two bad casts in Firefox and nine bad casts in libstdc++, all of which have been fixed by the vendors.
The Internet Defense Prize was created by the social network to showcase superior defensive security research “that needs to find its way out of the academic world more often to create impact in our industry and beyond,” according to Ioannis Papagiannis, a security engineering manager at Facebook.
He added, “The spotlight continues to shine on the information security industry as companies become victims of attacks, governments draft laws, and lots of people start throwing up their hands wondering what they can do. In this environment, outsize attention goes to members of our community who demonstrate their latest method for breaking into a system or exploiting a piece of technology. As we've seen before, defensive measures typically get the short shrift.”
The prize goes to researchers who combine a working prototype with significant contributions to the security of the Internet — particularly in the areas of protection and defense. Last year, Facebook gave $50,000 to a pair of German researchers for their work using static analysis to detect “second-order vulnerabilities” in web applications that are used to inflict harm after being stored on the web server ahead of time.