Internet Defense Prize goes to researchers from the Georgia Institute of Technology for designing a tool that detects a new class of C++ vulnerabilities.
A team of researchers from the Georgia Institute of Technology in the US have picked up this year’s Internet Defense Prize for their work on identifying a new class of C++ vulnerabilities through a new detection tool.
PhD students Byoungyoung Lee and Chengyu Song, along with professors Taesoo Kim and Wenke Lee, picked up a $100,000 cheque for their efforts. The prize money is double the amount that was given in 2014 (the inaugural year of the award).
Their winning paper, titled Type Casting Verification: Stopping an Emerging Attack Vector, was commended by Facebook and USENIX – the award’s founders – for shedding new light on this emerging class of security issues for C++ programs, which are used in popular web browsers.
“C++ supports two major different types of casting operators to convert one type of data into another: static and dynamic casts,” explained Ioannis Papagiannis, a security engineering manager at the social network and a member of this year’s Internet Defense Prize committee.
“Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead. People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object.”
The result, the expert went on to say, is that this pointer can then be used by an attacker to “corrupt the memory of the process”, resulting in serious security issues.
However, the authors of the study state that their runtime bad-casting detection tool, named CAVER, offers a “novel” solution to this. By combining both static and dynamic analyses, flaws, that may otherwise go unnoticed, are picked up.
They team demonstrated this in their paper. They reported, for example, that CAVER detected nine bad casts in GNU libstdc++ – the standard used Chrome – and two in Firefox. These have since been fixed by the respective vendors.