The researchers found these holes buried deep in the system through a new cyber-security analysis method. For their efforts, they were rewarded with the Internet Defense Prize, an award presented by Facebook, in partnership with USENIX, at the 24th USENIX Security Symposium that ended Aug. 14. Ph.D. students Byoungyoung Lee and Chengyu Song, with Professors Taesoo Kim and Wenke Lee, of Georgia Tech received $100,000 from Facebook to continue their research and increase its impact to make the Internet safer. Their research, “Type Casting Verification: Stopping an Emerging Attack Vector,” explores vulnerabilities in C++ programs (such as Chrome and Firefox) that result from “bad casting” or “type confusion.” Bad casting enables an attacker to corrupt the memory in a browser so that it follows a malicious logic instead of proper instructions. The researchers developed a new, proprietary detection tool called CAVER to catch them. CAVER is a run-time detection tool with 7.6 percent – 64.6 percent overhead on browser performance (Chrome and Firefox, respectively). The 11 vulnerabilities identified by Georgia Tech have been confirmed by both Mozilla and Google and both the browsers have now been patched. The researchers developed a new, proprietary detection tool called CAVER to catch them. CAVER is a run-time detection tool with 7.6 percent to 64.6 percent overhead on both Chrome and Firefox performance. “Georgia Tech’s award-winning entry exemplifies the groundbreaking security research that has become a hallmark of the USENIX Security Symposium,” said Casey Henderson, executive director of the USENIX Association. “Their trailblazing work stood out among the many outstanding submissions judged by the USENIX Security Awards Committee and Facebook. We look forward to their continued progress enabled by the Internet Defense Prize in the coming year.”
