Facebook and USENIX announce the winners of the 2021 Internet Defense Prize

Today, Facebook and USENIX awarded a total of $200,000 to the top three winners of the Internet Defense Prize. Funded by Facebook and offered in partnership with USENIX, the award celebrates security research contributions to the protection and defense of the internet. In this post, we share details on the research we awarded today and also on the upcoming changes to how the Prize will operate in the future. 

Award recipients

We awarded our first-place prize of $100,000 to winners Ofek Kirzner and Adam Morrison of Tel Aviv University for their work titled “An Analysis of Speculative Type Confusion Vulnerabilities in the Wild.” The paper defines “speculative type confusion,” an issue where branch mispredictions cause a victim program to execute with variables holding values of the wrong type. The impact in this scenario is that the victim program leaks sensitive memory content.

Second-place prize winner Nicholas Carlini of Google was awarded $60,000 for their paper “Poisoning the Unlabeled Dataset of Semi-Supervised Learning.” The paper looks at the “data set poisoning” problem: If an attacker can control (“poison”) a portion of the training set for a machine learning model, how much can the attacker force the model to incorrectly classify? The research shows that in the “semi supervised” setting where models include training on unlabeled data, poisoning as little as 0.1% of the unlabeled training data enables controlling the model’s output.

The third-place prize of $40,000 awarded to a team of researchers, including Kevin Bock (University of Maryland), Abdulrahman Alaraj (University of Colorado Boulder), Eric Wustrow (University of Colorado Boulder), Yair Fax (University of Maryland), Kyle Hurley (University of Maryland), and Dave Levin (University of Maryland). Their research “Weaponizing Middleboxes for TCP Reflected Amplification” looked at the problem of an attacker amplifying network traffic to cause a distributed denial of service attack previously believed to be a class called “reflective amplification,” which would work only for UDP-based protocols. The authors showed that, in fact, TCP-based protocols can be used in reflective amplification. Then, they scanned the entire IPv4 internet to demonstrate that there are hundreds of thousands of IP addresses hosting potential amplifiers.

We congratulate the 2021 winners of the Internet Defense Prize and thank them for their contributions to help make the internet more secure. To be considered for the Prize in 2022, submit a paper to USENIX Security 2022 here.

Starting in 2022, the USENIX Security Awards Committee will begin independently determining the prize, to be distributed by USENIX. Facebook will continue to fund the Internet Defense Prize as a founding partner.


See the Facebook post here.