Facebook awards $100,000 to German researchers for their work on the ERIM security idea

The Internet Defence Prize is a partnership between Facebook and the USENIX security conference

Facebook has awarded a cash prize of $100,000 to a team of German academics for their innovative work on the ERIM encryption technique.

The award, named the Internet Defence Prize, is a partnership between Facebook and USENIX, given to researchers who devise the most innovative approaches to making the internet more secure.

The USENIX security conference is held each year in August.

This year, the first prize was awarded to six researchers from the Germany-based Max Planck Institute for Software Systems, Saarland Informatics Campus, for developing a technique that can protect sensitive data being processed inside a CPU.

The names of the prize winners are: Anjo Vahldiek-Oberwagner, Nuno O. Duarte, Eslam Elnikety, Michael Sammler, Deepak Garg and Peter Druschel.

Isolating sensitive data within software during programme execution has always been an issue for security researchers. While numerous methods have been suggested over the years to deal with the issue, all those methods come with significant performance costs.

However, the new technique proposed by the German researchers demonstrates little performance overhead, which makes it ideal for use in real-world production environments.

Dubbed ERIM, this technique makes use of a combination of both software and hardware security features. It works by leveraging Intel's hardware-based security feature named memory protection keys (MPKs).

Using the MPK approach, the data being processed inside an Intel CPU is split across several virtual memory pages. Each page is then tagged with a 4-bit domain ID, which allows an application's process space to be further split into even smaller domains where data can be securely processed.
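The page-tagging scheme described above can be modelled in a few lines of C. This is an added example, not code from the article or from the ERIM project: it is a software model rather than a use of the real hardware, the two per-key permission bits (access-disable and write-disable) follow Intel's MPK design, and the key assignment (key 0 for application data, key 1 for secrets) is hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NUM_PKEYS 16          /* a 4-bit domain ID gives 16 domains */
#define PKEY_AD   0x1u        /* access-disable bit for a key */
#define PKEY_WD   0x2u        /* write-disable bit for a key */

/* Constructed model of one virtual page: only its 4-bit key matters here. */
struct page { uint8_t pkey; };

/* Model of the per-thread permission register: two bits (AD, WD) per key. */
static uint32_t pkru_set(uint32_t pkru, unsigned pkey, uint32_t rights) {
    unsigned shift = 2 * (pkey & (NUM_PKEYS - 1));
    return (pkru & ~(0x3u << shift)) | ((rights & 0x3u) << shift);
}

/* Data-access check applied on top of the normal page permissions. */
static bool access_allowed(uint32_t pkru, const struct page *pg, bool is_write) {
    uint32_t bits = (pkru >> (2 * (pg->pkey & (NUM_PKEYS - 1)))) & 0x3u;
    if (bits & PKEY_AD) return false;               /* no reads or writes */
    if (is_write && (bits & PKEY_WD)) return false; /* reads only */
    return true;
}

/* Hypothetical layout: key 0 = ordinary application data, key 1 = secrets. */
static int run_demo(void) {
    struct page app_page = { .pkey = 0 }, secret_page = { .pkey = 1 };
    uint32_t untrusted = pkru_set(0, 1, PKEY_AD);   /* secrets hidden */
    uint32_t trusted   = pkru_set(untrusted, 1, 0); /* secrets visible */
    int ok = 1;
    ok &= access_allowed(untrusted, &app_page, true);      /* app data usable */
    ok &= !access_allowed(untrusted, &secret_page, false); /* key page unreadable */
    ok &= access_allowed(trusted, &secret_page, true);     /* trusted code may use it */
    return ok;
}

int main(void) {
    printf("isolation model %s\n", run_demo() ? "holds" : "broken");
    return 0;
}
```

Switching domains in this model is a single register update, with no change to the page tables themselves.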

But the major issue with the MPK method is the performance overhead that occurs due to the slowing down of the speed at which a software programme can read desired data.

With ERIM, the performance overhead comes to near zero, the researchers claim, which makes it a cost-effective technique to safeguard sensitive data such as session or encryption keys on some web servers.

According to researchers, their new technique doesn't need changes in compilers and can also be executed on a stock Linux kernel.

The details of the research are available in the ERIM white paper, entitled "ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)," which was presented at the USENIX conference last week.

For the past several years, almost all major tech companies have been offering cash rewards to security researchers for finding bugs in their products.

Last week, Apple announced that it was increasing its top bug bounty reward from $200,000 to $1m for operating system security flaws.

Microsoft also opened up a bug bounty programme last year for finding major security bugs on the level of Meltdown and Spectre.

Google also updated its highly regarded bug bounty scheme last year by tweaking the criteria and increasing the financial rewards.