A year ago, Facebook Chief Security Officer Alex Stamos (pictured) pledged that the social media giant would issue $1 million in grants to help fund and support internet defense efforts and research. Facebook is, in fact, living up to its pledge, announcing this month the recipients of $1 million in prizes and grants that aim to improve the security of the internet.
On Aug. 16, Facebook announced that it is awarding $200,000 to three research groups for their effort and studies that contribute to internet defense. The $200,000 is being awarded at the USENIX Security Symposium in Baltimore, and follows $800,000 in grants that Facebook announced on Aug. 8 on the sidelines of Black Hat USA.
"This work enables important improvements in the way browsers prevent cross-site attacks and third-party tracking through cookies," Facebook wrote in a post announcing the top prize winner at USENIX. "We believe that improving these safeguards is critical to user privacy on the web."
The announcement of the internet defense prize money comes as a bittersweet moment for Facebook. Stamos announced on Aug. 1 that he will be leaving his post as Facebook CSO, effective Aug. 17. He will be working at Stanford University full-time as a teacher and researcher, starting in September.
The top prize of $100,000 at USENIX was awarded to Gertjan Franken, Tom Van Goethem and Wouter Joosen from KU Leuven for a paper titled, "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies." The Belgium research university has reported multiple high-impact vulnerabilities in recent years, including the KRACK WiFi issue in October 2017 and the eFail email flaws in May 2018. More recently, on Aug. 14, KU Leuven researchers were involved in the discovery of the new Intel Foreshadow side-channel memory attack.
The KU Leuven researchers wrote in their winning paper that cookies are widely used on the internet to identify and authenticate users.
"Although protected by the Same Origin Policy, popular browsers include cookies in all requests, even when these are cross-site," the research paper states. "Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking."
The researchers go on to note that there are various countermeasures in place to help protect against cross site cookie attacks and tracking. In the winning paper, KU Leuven researchers evaluated the effectiveness of the cookie defense mechanisms by leveraging a framework that automatically evaluates the enforcement of the policies imposed to third-party requests.
The second place prize of $60,000 at USENIX was awarded to a team of researchers from Brigham Young University for a paper titled, “The Secure Socket API: TLS as an Operating System Service.”
"This work provides a prototype implementation that makes it easier for application developers to make appropriate use of cryptography," Facebook wrote in a post announcing the award. "We believe safe-by-default libraries and frameworks are an important foundation for more secure software."
Facebook awarded the $40,000 third place prize to a team from The Chinese University of Hong Kong and Sangfor Technologies for a research report titled, “Vetting Single Sign-On SDK Implementations via Symbolic Reasoning."
Secure the Internet Grants
The Secure the Internet Grants, which were awarded on Aug. 8, provide funding for researchers to study critical areas of internet security. Facebook awarded 10 grants in total ranging from $60,000 to $100,000.
Among the grants was one for $100,000 to Jessica Dheere of the Social Media Exchange Association for “Enhancing Online & Offline Safety During Internet Disruptions in Times of War." That project aims to help document services people need during times of conflict and make recommendations on features that Facebook could develop to improve consistency of access to online services and, in turn, user safety and security during armed conflict.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.