{"434021":{"#nid":"434021","#data":{"type":"news","title":"Georgia Tech Finds 11 Security Flaws in Popular Internet Browsers Using New Analysis Method","body":[{"value":"\u003Cp\u003E\u003Cstrong\u003EWASHINGTON, D.C., Aug. 13, 2015\u0026shy;\u003C\/strong\u003E\u2014Researchers from the Georgia Institute of Technology College of Computing developed a new cyber security analysis method that discovered 11 previously unknown Internet browser security flaws, and were honored with the Internet Defense Prize, an award offered by Facebook in partnership with USENIX, on Wednesday evening in Washington, D.C., at the 24\u003Csup\u003Eth\u003C\/sup\u003E USENIX Security Symposium.\u003C\/p\u003E\u003Cp\u003EPh.D. students \u003Cstrong\u003EByoungyoung Lee\u003C\/strong\u003E and \u003Cstrong\u003EChengyu Song\u003C\/strong\u003E, with Professors \u003Ca href=\u0022https:\/\/taesoo.gtisc.gatech.edu\/\u0022 target=\u0022_blank\u0022\u003E\u003Cstrong\u003ETaesoo Kim\u003C\/strong\u003E\u003C\/a\u003E and \u003Ca href=\u0022http:\/\/wenke.gtisc.gatech.edu\/\u0022 target=\u0022_blank\u0022\u003E\u003Cstrong\u003EWenke Lee\u003C\/strong\u003E\u003C\/a\u003E, of Georgia Tech received $100,000 from Facebook to continue their research and increase its impact to make the Internet safer.\u003C\/p\u003E\u003Cp\u003ETheir research, \u201cType Casting Verification: Stopping an Emerging Attack Vector,\u201d explores vulnerabilities in C++ programs (such as Chrome and Firefox) that result from \u201cbad casting\u201d or \u201ctype confusion.\u201d Bad casting enables an attacker to corrupt the memory in a browser so that it follows a malicious logic instead of proper instructions. The researchers developed a new, proprietary detection tool called CAVER to catch them. CAVER is a run-time detection tool with 7.6 percent - 64.6 percent overhead on browser performance (Chrome and Firefox, respectively). The 11 vulnerabilities identified by Georgia Tech have been confirmed and fixed by vendors.\u003C\/p\u003E\u003Cp\u003E\u201cIt is time for the Internet community to start addressing the more difficult, deeper security problems,\u201d says \u003Cstrong\u003EWenke Lee\u003C\/strong\u003E, professor in the School of Computer Science and an adviser to the team. \u201cThe security research community has been working on various ways to detect and fix memory safety bugs for decades, and have made progress on \u2018stack overflow\u2019 and \u2018heap overflow\u2019 bugs, but these have now become relatively easy problems. Our work studied the much harder and deeper bugs\u2014in particular \u2018use-after-free\u2019 and \u2018bad casting\u2019\u2014and our tools discovered serious security bugs in widely used software, such as Firefox and libstdc++. We are grateful to Facebook for this recognition.\u201d\u003C\/p\u003E\u003Cp\u003EThe work was selected for Facebook\u0027s second ever Internet Defense Prize award, which recognizes superior quality research that combines a working prototype with significant contributions to the security of the Internet -- particularly in the areas of protection and defense. The award is meant to recognize the direction of the research and to inspire researchers to focus on high-impact areas.\u003C\/p\u003E\u003Cp\u003E\u201cDesigning defensive security technology has never been more important, and that\u2019s why we are once again offering the Internet Defense Prize to stimulate high quality research in this area,\u201d said Ioannis Papagiannis, Security Engineering Manager at Facebook. \u201cThe Georgia Tech team\u2019s novel technique for detecting bad type casts in C++ programs is the type of standout approach we want to encourage. We look forward to seeing what the team does next to create broader impact and improve security on the Internet.\u201d\u003C\/p\u003E\u003Cp\u003E\u201cGeorgia Tech\u2019s award-winning entry exemplifies the groundbreaking security research that has become a hallmark of the USENIX Security Symposium,\u201d said Casey Henderson, Executive Director of the USENIX Association. \u0022Their trailblazing work stood out among the many outstanding submissions judged by the USENIX Security Awards Committee and Facebook. We look forward to their continued progress enabled by the Internet Defense Prize in the coming year.\u201d\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EAbout the Georgia Tech College of Computing\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003EThe Georgia Tech College of Computing is a national leader in the creation of real-world computing breakthroughs that drive social and scientific progress. With its graduate program ranked 9th nationally by \u003Cem\u003EU.S. News and World Report\u003C\/em\u003E, the College\u2019s unconventional approach to education is expanding the horizons of traditional computer science students through interdisciplinary collaboration and a focus on human-centered solutions. For more information about the Georgia Tech College of Computing, its academic divisions and research centers, please visit \u003Ca href=\u0022http:\/\/www.cc.gatech.edu\/\u0022\u003Ewww.cc.gatech.edu\u003C\/a\u003E.\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":[{"value":"Receives $100,000 Internet Defense Prize from Facebook at USENIX Security \u201915"}],"field_summary":[{"value":"\u003Cp\u003ECollege of Computing researchers discovered 11 previously unknown Internet browser security flaws, and were honored with the Internet Defense Prize by Facebook and USENIX.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Researchers from the College of Computing discovered previously unknown browser security flaws, and were honored with the Internet Defense Prize by Facebook and USENIX on Aug. 12 in Washington, D.C."}],"uid":"27490","created_gmt":"2015-08-13 07:49:55","changed_gmt":"2016-10-08 03:19:22","author":"Tara La Bouff","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2015-08-13T00:00:00-04:00","iso_date":"2015-08-13T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"434031":{"id":"434031","type":"image","title":"Facebook Winning Team","body":null,"created":"1449256148","gmt_created":"2015-12-04 19:09:08","changed":"1475895174","gmt_changed":"2016-10-08 02:52:54"}},"media_ids":["434031"],"groups":[{"id":"47223","name":"College of Computing"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"135","name":"Research"}],"keywords":[{"id":"345","name":"cyber security"},{"id":"2678","name":"information security"},{"id":"2229","name":"Internet"}],"core_research_areas":[{"id":"39501","name":"People and Technology"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Ca href=\u0022mailto:tlabouff@cc.gatech.edu\u0022\u003ETara La Bouff\u003C\/a\u003E\u003Cbr \/\u003ECommunications Manager\u003Cbr \/\u003E404.894.7253\u003C\/p\u003E","format":"limited_html"}],"email":["tlabouff@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}