Google’s Project Zero is frightening and reassuring in equal measure

The search giant has long since been just a search giant, but one area in which Google excels is in threat discovery. Project Zero is a team of security researchers. If Marks and Spencer did cyber security research then these would be the calibre of hackers it employed. Seriously, the Project Zero researchers are drawn from some of the best in their respective fields. Which is why when it issues reports, they’re well worth reading.

Take the analysis of zero-days disclosed by Project Zero across 2021. The obvious headline takeaway is that 2021 broke the record for number of zero-days across multiple platforms, 58 if you care about such things, and ditto for those impacting Google Chrome, at 14. Another potential takeaway is that despite the maturity of Google’s security ecosystem, a team of truly “elite” researchers can still find this number of zero-days.

Another possible takeaway is that the vast majority of them fell into the same-old-same-old category of memory corruption vulnerabilities enabling the exploits. Although this is a tried and tested method, it’s not a tired one. Indeed, that so many zero-day exploits were going down that route demonstrates how important this class of vulnerability is and how much further there is to travel for DevSec folk.

“Memory corruption vulnerabilities have been the standard for attacking software for the last few decades, and it’s still how attackers are having success,” said Maddie Stone, the Project Zero researcher behind the analysis. Stone also made the point that while it’s great finding zero-days, and the improvement amongst researchers in being able to do so, there’s a “lot more improving to be done”.

That attackers are, on the whole, sticking to legacy exploit techniques should be a huge concern to the tech industry as a whole, but it’s also a huge opportunity to close them out by putting a greater focus on closing those rogue code gaps.

What really stood out to me from the 58 zero-days detailed in this report was that only two of them made the researchers go “wow”, and that they avoided the memory corruption methodology completely. Both targeted Apple users, via iOS and iMessage respectively, and both invested in novel exploit techniques with great impact. How great? If I said “NSO Pegasus” that should be enough to get your head spinning into overdrive.

The two exploits were singled out as, firstly an iOS security sandbox escape that only used logic bugs to work and, secondly, a zero-click iMessage exploit in reality rather than the realm of hyperbolic headlines. The Project Zero researchers described the latter as being “one of the most technically sophisticated exploits” they had ever seen, according to the report.

“Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations,” the report said. “It’s not as fast as JavaScript, but it’s fundamentally computationally equivalent.”

I’ll add my wow into the mix at this point.