Researchers find bugs in common browsers


Recently, researchers from the College of Computing at Tech who published a paper on a technique for detecting security flaws were awarded the Internet Defense Award from Facebook, along with a $100,000 prize from the social networking site.

The research team, consisting of Ph.D. students Byoungyoung Lee and Chengyu Song, as well as professors Taesoo Kim and Wenke Lee, discovered eleven previously unknown internet browser security flaws. Among these were two flaws in “Firefox” and nine in “libstdc++”.

The researchers’ paper, “Type Casting Verification: Stopping an Emerging Attack Vector”, identifies an emerging class of security vulnerabilities in C++ programs. Programs written in this language typically use both static and dynamic casts when one data type is changed to a different one.

The team of researchers from Tech discovered that certain bad casts can create corrupt pointers that can be accessed by hackers and, in turn, be used to corrupt memory. The researchers’ paper proposes a novel technique that can be used to detect these types of casting issues.
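The difference between the two kinds of cast can be shown in a few lines. The following is an added example, not code from the paper or from the researchers' prototype: it uses standard `dynamic_cast` as the run-time check, and the class names and the helpers `verified_cast` and `count_bad_image_casts` are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed hierarchy: Image is larger than Element, so treating a plain
// Element as an Image would reach past the end of the real object.
struct Element { virtual ~Element() = default; int id = 0; };
struct Image : Element { int width = 0; int height = 0; };
struct Script : Element { char source[64] = {}; };

template <typename T>
struct CastResult {
    T* ptr;         // non-null only when the object really is a T
    bool bad_cast;  // true when an unchecked static_cast would be a bad cast
};

// Check the object's run-time type before handing out a derived pointer.
// static_cast<T*>(base) would compile and skip this check entirely.
template <typename T, typename B>
CastResult<T> verified_cast(B* base) {
    if (base == nullptr) return {nullptr, false};  // null is not a type error
    T* checked = dynamic_cast<T*>(base);           // consults RTTI
    return {checked, checked == nullptr};
}

// Audit helper: how many objects would be wrongly treated as Image?
std::size_t count_bad_image_casts(const std::vector<Element*>& objs) {
    std::size_t bad = 0;
    for (Element* e : objs)
        if (verified_cast<Image>(e).bad_cast) ++bad;
    return bad;
}

int main() {
    Element plain; Image img; Script scr;  // constructed sample objects
    std::vector<Element*> objs = {&plain, &img, &scr, nullptr};
    std::printf("bad casts to Image: %zu of %zu\n",
                count_bad_image_casts(objs), objs.size());
    return 0;
}
```

The check costs a run-time type lookup on every cast, which is why performance-sensitive C++ code often uses unchecked static casts instead.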

In fact, the prototype that the researchers developed is already showing results, having proven capable of locating and recognizing the previously undetected security vulnerabilities in Firefox and libstdc++. The security issues discovered by the Tech researchers have since been remedied, theoretically making Firefox and libstdc++ safer pieces of software for users.

“It is time for the Internet community to start addressing the more difficult, deeper security problems,” said Wenke Lee. “The security research community has been working on various ways to detect and fix memory safety bugs for decades, and has made progress. Our work studied the much harder and deeper bugs and our tools discovered serious security bugs in widely used software.”

Due to the Tech researchers’ contribution to increasing the safety of browsers used by many, Facebook selected the team from a pool of applicants from all over the world to receive the prize. Additionally, Facebook chose to award the team of researchers a total of $100,000, double the prize money the previous year’s winner received. The social media company felt strongly that this research, and the information gleaned through it, could have far-reaching and very important effects in the cyber security world.

Facebook initiated the Internet Defense Prize in 2014 in close partnership with the USENIX Association (officially The Advanced Computing Systems Association) in order to “celebrate contributions to the protection and defense of the internet.” The USENIX Security Awards Committee works in conjunction with representatives from Facebook to decide the winner of the Internet Defense Award prize.