Researchers get $100k for detecting emerging class of C++ bugs

Facebook has awarded $100,000 to a team of researchers from Georgia Tech for their discovery of a new method for identifying “bad-casting” vulnerabilities that affect programs written in C++.


“Type casting, which converts one type of an object to another, plays an essential role in enabling polymorphism in C++ because it allows a program to utilize certain general or specific implementations in the class hierarchies. However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities,” the researchers explained in their paper.

“Since a bad-casted pointer violates a programmer’s intended pointer semantics and enables an attacker to corrupt memory, bad-casting has critical security implications similar to those of other memory corruption vulnerabilities.”

They have created CAVER, a runtime bad-casting detection tool, and have successfully used it to test software such as Chrome and Firefox. The result? They found eleven previously unknown security vulnerabilities, which they shared with the vendors and which have already been fixed.

The Internet Defense Prize program has been started by Facebook to “recognize superior quality research that combines a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense,” and to incentivise researchers to focus on work that actually protects people.

As in the previous year, the award has been given out at the USENIX Security Symposium. The award amount has changed, though, and this year is double the initial one.

The award is given out to help the researchers continue their research, and Facebook does not claim any of it.

According to ThreatPost, last year’s winners Johannes Dahse and Thorsten Holz from Ruhr-Universität Bochum in Germany have been working on a defensive tool that detects “second-order vulnerabilities” in web applications that are used to inflict harm after being stored on the web server ahead of time, and Facebook will soon have a chance to have a look at it and decide if they want to use them themselves.