Google’s Project Zero is frightening and reassuring in equal measure
This crack team of security researchers are doing work we should all be grateful for
The search giant has long since been just a search giant, but one area in which Google excels is in threat discovery. Project Zero is a team of security researchers. If Marks and Spencer did cyber security research then these would be the calibre of hackers it employed. Seriously, the Project Zero researchers are drawn from some of the best in their respective fields. Which is why when it issues reports, they’re well worth reading.
Take the analysis of zero-days disclosed by Project Zero across 2021. The obvious headline takeaway is that 2021 broke the record for number of zero-days across multiple platforms, 58 if you care about such things, and ditto for those impacting Google Chrome, at 14. Another potential takeaway is that despite the maturity of Google’s security ecosystem, a team of truly “elite” researchers can still find this number of zero-days.
Another possible takeaway is that the vast majority of them fell into the same-old-same-old category of memory corruption vulnerabilities enabling the exploits. Although this is a tried and tested method, it’s not a tired one. Indeed, that so many zero-day exploits were going down that route demonstrates how important this class of vulnerability is and how much further there is to travel for DevSec folk.
“Memory corruption vulnerabilities have been the standard for attacking software for the last few decades, and it’s still how attackers are having success,” said Maddie Stone, the Project Zero researcher behind the analysis. Stone also made the point that while it’s great finding zero-days, and the improvement amongst researchers in being able to do so, there’s a “lot more improving to be done”.
That attackers are, on the whole, sticking to legacy exploit techniques should be a huge concern to the tech industry as a whole, but it’s also a huge opportunity to close them out by putting a greater focus on closing those rogue code gaps.
Storage's role in addressing the challenges of ensuring cyber resilience
Understanding the role of data storage in cyber resiliency
What really stood out to me from the 58 zero-days detailed in this report was that only two of them made the researchers go “wow”, and that they avoided the memory corruption methodology completely. Both targeted Apple users, via iOS and iMessage respectively, and both invested in novel exploit techniques with great impact. How great? If I said “NSO Pegasus” that should be enough to get your head spinning into overdrive.
The two exploits were singled out as, firstly an iOS security sandbox escape that only used logic bugs to work and, secondly, a zero-click iMessage exploit in reality rather than the realm of hyperbolic headlines. The Project Zero researchers described the latter as being “one of the most technically sophisticated exploits” they had ever seen, according to the report.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
“Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations,” the report said. “It’s not as fast as JavaScript, but it’s fundamentally computationally equivalent.”
I’ll add my wow into the mix at this point.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.