Project Zero

Last updated

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. [1] It was announced on 15 July 2014. [2]

Contents

History

After finding a number of flaws in software used by many end-users while researching other problems, such as the critical "Heartbleed" vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but any software used by its users. The new project was announced on 15 July 2014 on Google's security blog. [2] When it launched, one of the principal innovations that Project Zero provided was a strict 90-day disclosure deadline along with a publicly visible bugtracker where the vulnerability disclosure process is documented. [3]

While the idea for Project Zero can be traced back to 2010, its establishment fits into the larger trend of Google's counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden. The team was formerly headed by Chris Evans, previously head of Google's Chrome security team, who subsequently joined Tesla Motors. [4] Other notable members include security researchers Ben Hawkes, Ian Beer and Tavis Ormandy. [5] Hawkes eventually became the team's manager and then resigned on 4 May 2022.

The team's focus is not just on finding bugs and novel attacks, but also on researching and publicly documenting how such flaws could be exploited in practice. This is done to ensure that defenders have sufficient understanding of attacks; the team keeps an extensive research blog with articles that describe individual attacks in detail. [6]

Bug finding and reporting

Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released [2] or if 90 days have passed without a patch being released. [7] The 90-day-deadline is Google's way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks. [7] There have been cases where the vendor does not produce any solution for the discovered flaws within 90 days, before the public disclosure by the team, increasing the risk to already-vulnerable users. [8]

Notable members

Past members

Notable discoveries

See also

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

An over-the-air update, also known as over-the-air programming, is an update to an embedded system that is delivered through a wireless network, such as Wi-Fi or a cellular network. These embedded systems include mobile phones, tablets, set-top boxes, cars and telecommunications equipment. OTA updates for cars and internet of things devices can also be called firmware over-the-air (FOTA). Various components may be updated OTA, including the device's operating system, applications, configuration settings, or parameters like encryption keys.

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. First held in April 2007 in Vancouver, the contest is now held twice a year, most recently in March 2024. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

The Java software platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

<span class="mw-page-title-main">Heartbleed</span> Security bug in OpenSSL

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

POODLE is a security vulnerability which takes advantage of the fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014. On December 8, 2014, a variation of the POODLE vulnerability that affected TLS was announced.

Tavis Ormandy is an English computer security white hat hacker. He is currently employed by Google and was formerly part of Google's Project Zero team.

<span class="mw-page-title-main">Stagefright (bug)</span> Software bug in Android

Stagefright is the name given to a group of software bugs that affect versions from 2.2 "Froyo" up until 5.1.1 "Lollipop" of the Android operating system exposing an estimated 950 million devices at the time. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn't have to do anything to 'accept' exploits using the bug; it happens in the background. A phone number is the only information needed to carry out the attack.

<span class="mw-page-title-main">Benjamin Kunz Mejri</span> German IT security specialist and penetration tester

Benjamin Kunz Mejri is a German IT security specialist and penetration tester. His areas of research include vulnerabilities in computer systems, bug bounties, the security of e-payment payment services and privacy protection. Mejri is known for uncovering new zero-day vulnerabilities and making them transparent to the public.

Pegasus is a spyware developed by the Israeli cyber-arms company NSO Group that is designed to be covertly and remotely installed on mobile phones running iOS and Android. While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists. The sale of Pegasus licenses to foreign governments must be approved by the Israeli Ministry of Defense.

<span class="mw-page-title-main">Avast Secure Browser</span> Chromium-based browser made by Avast

Avast Secure Browser is an Avast Software web browser included for optional installation in the Avast Antivirus installer since 2016, but it is also available on its website. It is based on the open source Chromium project. It is available for Microsoft Windows, macOS, iOS, and Android.

Cloudbleed was a Cloudflare buffer overflow disclosed by Project Zero on February 17, 2017. Cloudflare's code disclosed the contents of memory that contained the private information of other customers, such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. As a result, data from Cloudflare customers was leaked to all other Cloudflare customers that had access to server memory. This occurred, according to numbers provided by Cloudflare at the time, more than 18,000,000 times before the problem was corrected. Some of the leaked data was cached by search engines.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the CIA.

Ben Hawkes is a computer security expert and white hat hacker from New Zealand, previously employed by Google as manager of their Project Zero.

Ian Beer is a British computer security expert and white hat hacker, currently residing in Switzerland and working for Google as part of its Project Zero. He has been lauded by some as one of the best iOS hackers. Beer was the first security expert to publish his findings under the "Project Zero" name in the spring of 2014; at this time, the project was not yet revealed and crediting the newly discovered vulnerabilities to it led to some speculation.

<span class="mw-page-title-main">Reception and criticism of WhatsApp security and privacy features</span> Reception and criticism of security and privacy features in the WhatsApp messaging service

This article provides a detailed chronological account of the historical reception and criticism of security and privacy features in the WhatsApp messaging service.

FORCEDENTRY, also capitalized as ForcedEntry, is a security exploit allegedly developed by NSO Group to deploy their Pegasus spyware. It enables the "zero-click" exploit that is prevalent in iOS 13 and below, but also compromises recent safeguards set by Apple's "BlastDoor" in iOS 14 and later. In September 2021, Apple released new versions of its operating systems for multiple device families containing a fix for the vulnerability.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. Greenberg, Andy (15 July 2014). "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers". Wired. ISSN   1059-1028 . Retrieved 6 March 2019.
  2. 1 2 3 Evans, Chris (15 July 2014). "Announcing Project Zero". Google Online Security Blog. Retrieved 4 January 2015.
  3. "Project Zero Bug Tracker" . Retrieved 11 April 2019.
  4. "Chris Evans on Twitter" . Retrieved 22 September 2015.
  5. 1 2 3 4 5 6 Greenberg, Andy (15 July 2014). "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers". Wired.com . Retrieved 4 January 2015.
  6. "Project Zero Research Blog" . Retrieved 11 April 2019.
  7. 1 2 3 4 Dent, Steven (2 January 2015). "Google posts Windows 8.1 vulnerability before Microsoft can patch it". Engadget . Retrieved 4 January 2015.
  8. Fingas, John (4 March 2019). "Google discloses 'high severity' Mac security flaw ahead of patch". Engadget. Retrieved 6 March 2019.
  9. 1 2 Davies, Chris (3 January 2018). "Google reveals CPU security flaw Meltdown and Spectre details". SlashGear. Retrieved 4 January 2018.
  10. "Google says it's too easy for hackers to find new security flaws" . Retrieved 3 February 2021.
  11. 1 2 "aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript". 18 December 2017. Retrieved 18 December 2017.
  12. "Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)". 4 April 2017. Retrieved 12 April 2019.
  13. "Lawfareblog Hard National Security Choices Matt Tait" . Retrieved 9 March 2017.
  14. "Project Zero: Designing sockfuzzer, a network syscall fuzzer for XNU". Project Zero. 22 April 2021. Retrieved 13 November 2024.
  15. "Project Zero: An EPYC escape: Case-study of a KVM breakout". Project Zero. 29 June 2021. Retrieved 13 November 2024.
  16. "iOS zero-day let SolarWinds hackers compromise fully updated iPhones". 14 July 2021. Retrieved 14 July 2021.
  17. TIME Cybersecurity: Hacking, the Dark Web and You. Time Inc. Books. 19 January 2018. ISBN   9781547842414.
  18. "Issue 118: Windows: Elevation of Privilege in ahcache.sys/NtApphelpCacheControl". 30 September 2014. Retrieved 4 January 2015.
  19. "Exploiting the DRAM rowhammer bug to gain kernel privileges". 9 March 2015. Retrieved 11 April 2019.
  20. 1 2 "Issue 1139: cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory". 19 February 2017. Retrieved 24 February 2017.
  21. "Incident report on memory leak caused by Cloudflare parser bug". Cloudflare. 23 February 2017. Retrieved 24 February 2017.
  22. "Another hole opens up in LastPass that could take weeks to fix". Naked Security. 29 March 2017. Retrieved 29 March 2017.
  23. Siegrist, Joe (31 March 2017). "Security Update for the LastPass Extension". LastPass Blog. Archived from the original on 7 April 2018. Retrieved 2 May 2017.
  24. Greenberg, Andy (3 January 2018). "A Critical Intel Flaw Breaks Basic Security for Most Computers". WIRED. Retrieved 4 January 2018.
  25. Tim (29 August 2019). "Project Zero: A very deep dive into iOS Exploit chains found in the wild". Project Zero. Retrieved 30 August 2019.
  26. Cox, Joseph (30 August 2019). "Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years". Vice. Retrieved 30 August 2019.
  27. Goodin, Dan (7 September 2019). "Apple takes flak for disputing iOS security bombshell dropped by Google". Ars Technica.
  28. "Issue 1826: iMessage: malformed message bricks iPhone". bugs.chromium.org. 18 April 2019. Retrieved 9 September 2019.
  29. Beer, Ian; Groß, Samuel (15 December 2021). "Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution". Google Project Zero . Retrieved 16 December 2021.