LAS VEGAS--For more than five years, a small, high-powered team at Google made up of some of the top security researchers in the world has been systematically breaking a wide variety of applications. The results have been remarkable, and now the Project Zero team is calling on other vendors, academic institutions, and NGOs to follow suit and create their own open attack research teams, with the ultimate goal being to form a coalition of like-minded teams to share methodologies and data.
Google’s Project Zero team, established in 2014, was not the first of its kind; software and security companies have had vulnerability research teams going after external apps and operating systems for years. But Project Zero differs in a few ways, particularly in the way that it shares results and information, and in its goal to help drive structural improvements in the broader software and hardware ecosystems. The Project Zero team counts some of the more prolific and accomplished security researchers among its members, including Natalie Silvanovich, Ian Beer, Ben Hawkes, and Tavis Ormandy, and recently added Maddie Stone, an ace Android reverse engineer. The team has a long track record of finding vulnerabilities, both in high-profile targets and more prosaic ones. Among the notable successes is Ian Beer’s discovery of several of the variants of the Spectre and Meltdown weaknesses.
The idea behind Project Zero wasn’t just to find bugs and get them fixed. The goal also was to help software and hardware makers improve their security processes and find new ways to implement systemic changes that defeat entire bug classes and force attackers to change their tactics. It’s the kind of work that requires people to think like attackers and understand their behavior, motives, and tendencies.
“Good defense requires a detailed knowledge of offense. We approach vulnerability research the way that an attacker does,” Hawkes said during a talk at the Black Hat USA conference here Thursday.
“By writing an exploit, you’re really walking in the shoes of the attacker and you face the same anxieties that an attacker does.”
The founding ideal of Project Zero was to “make 0-day hard”. In other words, drive up the amount of time, effort, and resources it takes for an attacker to find and exploit a new vulnerability. It’s simply stated, but not so simply accomplished. Even a team with the technical firepower and resources of Project Zero can’t accomplish that goal on its own. So the team is putting out a call for help and encouraging other vendors and interested organizations to establish their own public attack research teams and join them in a common effort.
“The question is, have we made zero-day hard? The truth is, it’s harder, but it’s not hard. I don’t quite think we’re there yet. I suspect we will know when we’ve gotten to the state of zero-day being hard, but I’m not sure we will recognize the threshold when we pass it,” he said.
“I think we have enough evidence and insight of how this type of attack research works that we know this approach works. But there’s a risk that the public state-of-the-art understanding of how attacks work diverges from the private state-of-the-art, because the value for an attacker of a zero-day outweighs the value for the defender. The attacker is incentivized to keep information private and mislead us.”
To help multiply the force of what Project Zero has been doing, and hopes to do in the future, Hawkes raised the idea of forming a coalition of public attack research teams. The idea would be for the teams to collaborate on research methodologies and techniques, share information on what’s working, and also share data on vulnerabilities and exploits. This could take a number of forms--Hawkes mentioned a website and potentially even a small summit--but the goal would be to surface more public attack research and make life harder for the adversaries. One of the hurdles to this kind of work right now is that publicly available information on attacks and attackers is necessarily limited, so defenders are hamstrung.
Hawkes hopes a larger community of public attack research teams could change that.
“If you’re making decisions based purely on the data that’s available to you about attacker behavior, by definition those decisions will be suboptimal. You really need to model attacker behavior,” he said.
“Maybe hard is a relative term, or maybe it’s an absolute term. We can look at whether it takes more time to build a reliable exploit chain now than it did last year, but that’s not quite enough. Attackers can swallow a small amount of extra cost and pass it on to their customers. But does that lead to a shift in the meta game for attackers? Do they have to move on to a different kind of exploit? If we’re shifting the meta game at a high level, then we get the sense that we’re moving toward hard.”