Project Zero: Making 0day hard(er), by Chris Evans
Project Zero
Making 0day hard(er)
Google Confidential and Proprietary
Industry context
● To understand the formation of Project Zero, we need to understand some industry shifts;
● Not everyone is taking these shifts on board;
● Failure to consider these shifts can result in suboptimal decisions.
Industry context
Observation #1
Offensive security research done in the open is drying up.
Industry context
Observation #2
Targeted attacks using 0-days are on the increase.
Industry context
Observation #3
Mass malware 0-days are getting rare.
Project Zero
The mission statement:
Make 0day hard.
The Project Zero team:
Attack research.
Vulnerability research
Exploit development
Exploit mitigations
In public
Why build this team?
● Provide dream jobs to top-tier offensive security researchers.
● Provide a source of data to the wider defensive community.
● Be a progressive influence on industry-wide policies.
How do we make 0-day hard?
● Tweak the economics, lower supply of “good” bugs.
  ○ Mop up the “obvious” bugs.
  ○ Bug collision!
  ○ Provide a better job for the best offensive researchers.
● Invest in mitigations, tooling and scale.
● Force multiplier: sharing data enables other defenders.
● Industry change.
Technical strategy
Eliminate low-hanging fruit
● utilize machine resources
● to bring an end to dumb-fuzzing
● of ubiquitous software platforms
Last step of the bug chain
● find surfaces with high contention
● e.g. kernel, sandbox
● use all means possible to find+fix bugs
Target selection
● Balance of:
  ○ observed attacks
  ○ external feedback
  ○ internal deduction
● As of today, we focus heavily on endpoint client-side attacks
  ○ mobile: Android, iOS
  ○ desktop: Windows, OS X, Linux
  ○ browser: Chrome, Internet Explorer, Firefox
  ○ documents: Office, Reader
Results
Number of security bugs handled by Project Zero: 427
Number of blog posts (primarily on vulnerability exploitation) made by Project Zero: 25
Disclosure deadlines
● Project Zero uses a disclosure deadline.
  ○ Currently 90 days.
● Starting to become an industry norm.
● The goal: faster patch response times.
  ○ Acknowledging the reality of independent discovery.
● Results and data suggest deadlines are effective.
Results: disclosure deadlines
Up to March 2015
Results: disclosure deadlines
All issues filed in 2015
Final thoughts
● Researchers: consider applying a disclosure deadline on your findings. Join us under the Project Zero umbrella.
● Software vendors: explore the idea of building an open and transparent attack research team of your own.
● Progressive companies: consider joining the Project Zero umbrella by spinning up your own teams.
Follow our blog and bug tracker
http://googleprojectzero.blogspot.com/
https://code.google.com/p/google-security-research/
We’re hiring!
Questions?