There is a new cyber security analysis method that discovered 11 previously unknown Internet browser security flaws.
This new method explores vulnerabilities in C++ programs (such as Chrome and Firefox) that result from “bad casting” or “type confusion.” Bad casting enables an attacker to corrupt the memory in a browser so it follows a malicious logic instead of proper instructions.
Ph.D. students Byoungyoung Lee and Chengyu Song, with Professors Taesoo Kim and Wenke Lee, of Georgia Tech wrote a paper on the topic entitled, “Type Casting Verification: Stopping an Emerging Attack Vector.” Their findings earned them the Internet Defense Prize, an award presented by Facebook in partnership with USENIX. They received $100,000 from Facebook to continue their research and increase its impact to make the Internet safer.
As a part of their research, the team developed a new, proprietary detection tool called CAVER to catch them. CAVER is a run-time detection tool with 7.6 percent — 64.6 percent overhead on browser performance (Chrome and Firefox, respectively). The vendors confirmed and fixed the 11 vulnerabilities identified by Georgia Tech.
“It is time for the Internet community to start addressing the more difficult, deeper security problems,” said Wenke Lee, professor in the School of Computer Science and an adviser to the team. “The security research community has been working on various ways to detect and fix memory safety bugs for decades, and have made progress on ‘stack overflow’ and ‘heap overflow’ bugs, but these have now become relatively easy problems. Our work studied the much harder and deeper bugs — in particular ‘use-after-free’ and ‘bad casting’ — and our tools discovered serious security bugs in widely used software, such as Firefox and libstdc++.”
The work ended up selected for Facebook’s second ever Internet Defense Prize award, which recognizes quality research that combines a working prototype with significant contributions to the security of the Internet — particularly in the areas of protection and defense. The award recognizes the direction of the research and to inspire researchers to focus on high-impact areas.
“Designing defensive security technology has never been more important, and that’s why we are once again offering the Internet Defense Prize to stimulate high quality research in this area,” said Ioannis Papagiannis, security engineering manager at Facebook. “The Georgia Tech team’s novel technique for detecting bad type casts in C++ programs is the type of standout approach we want to encourage. We look forward to seeing what the team does next to create broader impact and improve security on the Internet.”