Speaking at Black Hat USA, Google Project Zero manager Ben Hawkes looked back at five years of the vulnerability research team and said that the group's future success depends on more teams like it being formed.
Looking back at the formation of Project Zero, Hawkes said that there was a sense that the zero-day was a problem “for Google and society as a whole”, and that there has since been a shift toward zero-days being beneficial for offensive security. “So after five years, the question to ask is, is zero-day hard yet?”
Hawkes said that Project Zero was founded on principles including “good defense [which] requires a detailed knowledge of offense” and looking at the software that we rely on, not just Google Chrome and Android.
“When you think of Project Zero, autonomy comes to mind,” he added. “We are all bound by a mission and principles, and the key innovation is researchers have individual freedom to pursue their own independent research agenda.”
He explained that the team's research breaks down into 54% manual review, 37% fuzzing and 8% other types of testing. He also said that part of performing vulnerability research is creating new methodologies that researchers did not previously have access to, and that by “writing an exploit, you’re walking in the shoes of an attacker.” The development of an exploit requires five steps:
- Ensure that the security impact of the bug is well understood
- Establish an equivalence class of similarly exploitable vulnerabilities
- Generate appropriate amounts of urgency
- Surface new and improved exploit techniques
- Allow us to find areas of “fragility” in the exploit
Hawkes said that Project Zero is in a position “to advocate for change” and that a lot of the job is spent working out “how to be an advocate and what the vendor wants to achieve.”
Looking back at some of the research, Hawkes called the work around Spectre and Meltdown “a moment”, as it changed the way we think about hardware security, led to substantial architecture changes and marked a redoubled effort to invest in security and build up processes and testing.
“On a side note, vulnerability research has been well received and led to structural improvements,” he said, thanking the vendors and open source community for the work done.
Looking at how to measure the “hard” element of zero-day research, Hawkes said that you can gauge it by the number of vulnerabilities, how many exploits are sold on the “grey market,” or the number of vulnerabilities debugged. “We made an attempt to find something better and more aligned,” he said.
“Instead of marketing it about zero-days being hard, we need to step back and decide what does progress towards hard mean?
“Is it hard? The truth is it is harder, but not hard. If I could stand up and say in five years we are leading to an accomplishment that would be great, but we’re not there yet.”
Hawkes also explained that open attack research “provides the best path for making zero-day hard” and there is “something compelling and powerful in doing work that teaches users to do the right things.”
Looking forward, Hawkes said that we will never finish debating vulnerability disclosure, and that it can be done well “and can be profoundly impactful, but if done poorly there can be systemic risk.” He added that he sees this as an urgent problem, and that if people can be promoted, empowered and connected with external researchers, this can “create a pipeline of work that leads to collaboration.”
Concluding, Hawkes said that the way forward is for other companies to follow the Project Zero model, and create their own research teams and “expand the amount of open attack research.”
He said: “We need to focus on our mission and principles and find an area where we see eye to eye as vulnerability disclosure is a distraction, and we need to focus on the common mission and principles.”