The best way to solve a problem is throw money at it, some people argue.
In IT security one way of doing that is buy offering bug bounties. Facebook — a co-sponsor of the Internet Bug Bounty — is among those trying a different way, sponsoring an Internet Defence Prize for research into making the Web a safer place.
The week the company announced the first US$50,000 prize has gone to two researchers from a German university. Johannes Dahse and Thorsten Holz, two researchers from Ruhr-Universität Bochum were given the award for their paper “Static Detection of Second-Order Vulnerabilities in Web Applications.”
According to a blog by John Flynn, Facebook’s security engineering manager and a member of the award committee, the researchers used static analysis to detect “second-order vulnerabilities” in Web applications that are used to inflict harm after being stored on the Web server ahead of time.
By analyzing reads and writes to memory locations of the Web server, they were able to identify unsanitized data flows by connecting input and output points of data in persistent data stores such as databases or session data, according to an abstract of their work. As a result, they could identify 159 second-order vulnerabilities in six popular Web applications such as the conference management systems HotCRP and Open- Conf. An analysis of Web applications evaluated in related also detected several critical vulnerabilities previously missed.
The technical merit of the paper was strong, Flynn said, “and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology. We’re very excited to see what they do next.”
A status report is due in about a year.
Facebook has partnered with the Usenix advanced computing systems association to evaluate submissions. The award was announced at this week’s Usenix security symposium.