
Facebook and Usenix Award $50,000 for two researchers from Ruhr-Universität Bochum in Germany

Facebook and USENIX have jointly established the Internet Defense Prize, an award recognizing superior-quality research that combines a working prototype with significant contributions to securing the Internet, Facebook announced Thursday at the annual USENIX Security Symposium in San Diego.
Along with its goal of making Internet access available to everyone across the world, Facebook, under founder Mark Zuckerberg, is also working to make the Internet a more secure place.
Applying that model beyond its own site, the company helped create the Internet Bug Bounty to reward bugs found in open source software projects, contributed to initiatives like the Core Infrastructure Initiative that fund critical security software needs, and released open source software (Conceal, MIDAS) to help other developers incorporate security by default.

The Internet Bug Bounty is hosted by HackerOne, a platform that also runs programs for other large companies such as Microsoft and Google. The bounty, sponsored by Microsoft and Facebook, will in some cases pay $5,000 or more per vulnerability. The program was unveiled Wednesday, and it builds on a growing number of similar initiatives. On November 7, 2013, Google announced rewards as high as $3,133.70 for software updates that improve the security of OpenSSL, OpenSSH, BIND, and several other open-source packages. Additionally, Google, Facebook, Microsoft, eBay, Mozilla, and several other software or service providers pay cash in return for private reports of security vulnerabilities that threaten their users.

Facebook announced the first award under its Internet Defense Prize, and crowned a pair of German researchers for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications”, which presents a practical approach to detecting this class of vulnerabilities in web applications.
The duo used a static analysis approach to detect second-order vulnerabilities in web applications: flaws in which attacker-controlled data is first stored on the web server (for example in a database or session) and only causes harm later, when another part of the application reads it back and uses it unsafely. Second-order vulnerabilities thus involve a malicious payload being persisted on the targeted web server ahead of time, allowing an attacker to exploit it remotely when the stored data is later used.

The Internet Defense Prize is an award to recognize superior quality research that combines a working prototype with significant contributions to the security of the Internet, particularly in the areas of protection and defense. To kick things off, we approached USENIX, an organization respected for their depth in the academic community and their commitment to meaningful security research. After receiving an enthusiastic response from USENIX, we assembled members of the Award Committee for the annual USENIX Security Symposium to join me in evaluating the submissions they received this year.

Second-order vulnerabilities are very difficult to detect when analyzing source code statically, because the input and the vulnerable output are usually in different parts of the application, but "by analysing reads and writes to memory locations of the web server, we are able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data," said the researchers, who revealed 159 second-order vulnerabilities in six popular web applications, including several critical zero-day holes.
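To make the idea of "connecting input and output points through a persistent store" concrete, here is a toy static taint analysis, written for this article as an added illustration; it is not the researchers' tool, and the statement-level intermediate representation and the sample application it analyzes are constructed here. Each request handler is a list of (op, dst, src) statements; taint enters at user input, is removed by a sanitizer, and survives a write to a persistent key (a database column or session entry) so that a read of that key in a different handler is still tainted. A tainted value reaching an output is reported as first-order if it came from input in the same handler, and second-order if it came from the store.

```python
"""Toy second-order taint analysis (added example, not the paper's tool).

Statement IR (constructed for this example), one tuple per statement:
  ("input",    var,  "")    var = request parameter
  ("assign",   dst,  src)   dst = src
  ("sanitize", dst,  src)   dst = escape(src)   -> dst is untainted
  ("store",    key,  src)   db/session[key] = src
  ("load",     dst,  key)   dst = db/session[key]
  ("output",   "",   src)   echo src            -> the sink
"""


def _walk(handler, body, key_taint, new_keys, findings):
    """One pass over a handler body. `taint` maps variable -> origin text."""
    taint = {}
    for op, dst, src in body:
        if op == "input":
            taint[dst] = f"request input in {handler}"
        elif op == "assign":
            if src in taint:
                taint[dst] = taint[src]
            else:
                taint.pop(dst, None)
        elif op == "sanitize":
            # A real analyzer must check the sanitizer matches the sink's
            # context (HTML vs SQL); the toy treats any sanitizer as sufficient.
            taint.pop(dst, None)
        elif op == "store":
            # A tainted write makes the persistent key tainted for every
            # handler, which is what links the two halves of a second-order flaw.
            if src in taint and dst not in new_keys:
                new_keys[dst] = taint[src]
        elif op == "load":
            if src in key_taint:
                taint[dst] = f"persistent key '{src}' ({key_taint[src]})"
            else:
                taint.pop(dst, None)
        elif op == "output":
            if src in taint:
                origin = taint[src]
                kind = "first-order" if origin.startswith("request input") else "second-order"
                findings.append({"handler": handler, "var": src,
                                 "kind": kind, "origin": origin})
        else:
            raise ValueError(f"unknown op {op!r} in {handler}")


def analyze(app, max_rounds=10):
    """app: {handler_name: [statements]}. Iterate until the set of tainted
    persistent keys stops growing (so store->load->store chains across handlers
    are followed), then report every tainted output."""
    key_taint = {}
    for _ in range(max_rounds):
        new_keys = dict(key_taint)
        findings = []
        for name, body in app.items():
            _walk(name, body, key_taint, new_keys, findings)
        if new_keys == key_taint:
            return findings
        key_taint = new_keys
    raise RuntimeError("taint propagation did not converge")


# Constructed sample application: a stored-comment flaw, a safe variant,
# a plain reflected flaw, and a sanitized-before-store session value.
SAMPLE_APP = {
    "post_comment": [("input", "text", ""),
                     ("store", "comments.body", "text")],
    "show_comments": [("load", "row", "comments.body"),
                      ("output", "", "row")],              # second-order
    "show_comments_safe": [("load", "row", "comments.body"),
                           ("sanitize", "row", "row"),
                           ("output", "", "row")],         # clean
    "search": [("input", "q", ""),
               ("output", "", "q")],                       # first-order
    "profile": [("input", "nick", ""),
                ("sanitize", "nick", "nick"),
                ("store", "session.nick", "nick")],
    "header": [("load", "n", "session.nick"),
               ("output", "", "n")],                       # clean
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_APP):
        print(f"{f['kind']:<12} {f['handler']}: {f['var']} <- {f['origin']}")
```

The fixed-point loop matters: a single pass in handler order would miss a tainted load whose store appears later in the file, and it is also what lets taint travel through more than one store-and-load hop. A production analyzer additionally has to resolve which table, column, or session key a store and a load actually refer to, which is where most of the real work lies.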

The researchers, Johannes Dahse and Thorsten Holz of Ruhr University in Bochum, Germany, were awarded $50,000 in prize money by an award committee made up of Facebook and USENIX representatives. The committee saw a "clear path" for using the money to build the research into technology that could be implemented in the real world.
The Internet Defense Prize is an ongoing program, and the committee is soliciting new entries for a future prize, according to John “Four” Flynn, a security engineering manager at Facebook who served on the Award Committee for the Internet Defense Prize.

Source: https://www.facebook.com/notes/protect-the-graph/internet-defense-prize-awarded-at-23rd-usenix-security-symposium/1491475121092634
