Computing Profession

Google’s Project Zero Aims to ‘Improve Security Across the Internet’

Artist's impression of a lurking vulnerability.
Google's Project Zero is staffed by a "hacker dream team" aiming to improve security across the Internet, not just in Google products.

In 2007, 17-year-old George Hotz – better known by his hacker handle Geohot – gained notoriety for jailbreaking his iPhone and posting the hack on YouTube. He unlocked his handset from AT&T’s network, which had an exclusive agreement with Apple to be the sole carrier for the iPhone, and activated it on T-Mobile, where he had a service contract. While not technically illegal, the hack did not win Hotz any accolades at Apple or AT&T. Apple co-founder Steve Wozniak, who has also been known to hack a phone system or two, sent Hotz a congratulatory email. "I think that misbehavior is very strongly correlated with and responsible for creative thought," Wozniak would later say of Hotz’s iPhone hack.

Three years later, Sony’s PlayStation 3 was subjected to Hotz’s brand of "misbehavior," and Sony filed suit against Geohot when he published his PS3 hack on the Web. They settled a couple of months later, with Hotz essentially agreeing not to hack any other Sony products. In 2011, Facebook hired Hotz as a developer, and in a 2012 profile in The New Yorker, Hotz said, "I don’t hack because of some ideology. I hack because I’m bored."

Early in 2014, Hotz took the $150,000 first prize in Google’s Pwnium hacking competition for an exploit of Chrome OS, Google’s browser-based operating system. A few months later, Hotz received an email from Chris Evans, the head of security for Google’s Chrome browser, with a job offer to join a new team Evans was forming, to be called Project Zero. It would be staffed with what Wired Magazine described as a full-time "hacker dream team," and its goal would be to improve security across the Internet – not just in Google products – and significantly reduce the number of people harmed by targeted attacks.

Google has a strong track record of encouraging employees to spend time on security research to make the Internet safer. A prime example of this was the discovery by a Google security researcher in early 2014 of the Heartbleed Bug, a significant vulnerability in the OpenSSL cryptographic software library, which had gone undetected for two years. "You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications," Evans wrote in Project Zero’s inaugural blog post.

Hotz accepted Evans’ offer to join the Project Zero team as an intern, which gives some indication of the skill level of those already on staff. Google officially launched Project Zero last July, and as its name implies, zero-day vulnerabilities and the exploits built on them would be one of the primary targets of this elite team of security researchers. A zero-day vulnerability is a flaw that is unknown to the software vendor; it earned the moniker because the vendor has had zero days to prepare a fix by the time the flaw is discovered or first exploited. Because nobody who could fix it knows it exists, no patch is available, and the danger is that attackers may already know about the flaw, and be exploiting it, while users and the vendor remain unaware.

Software bugs can be uncovered by anyone: users, security experts, the software companies themselves, or hackers, although the last group is likely to keep them secret for as long as possible in order to maximize the potential for nefarious ends. Some software companies offer financial incentives known as bug bounties, such as Google’s Pwnium competition mentioned above, in order to enlist outside help in discovering vulnerabilities in their software and getting a fix in place.

Yet issues can arise once a vulnerability is discovered, as there are no hard and fast rules for reporting it, and no standard procedure to ensure that a vendor patches its software. It is incumbent on the discoverer to notify the vendor of the flaw, and disclosure deadlines are used as time pressure to push recalcitrant software vendors to get a fix in place. For example, the Zero Day Initiative (ZDI) from HP Digital Vaccine Labs (DVLabs) publishes a detailed disclosure policy describing the steps it takes on discovery of a vulnerability; if no patch has been released within 120 days, ZDI publishes a limited advisory to encourage the vendor to fix the vulnerability. The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University is more impatient, and maintains a 45-day disclosure deadline policy after the initial identification of a vulnerability, "regardless of the existence or availability of patches or workarounds from affected vendors."

Initially, Project Zero’s deadline disclosure policy provided a 90-day response window, but enforcement of a hard deadline soon came under fire, as did Project Zero’s mission to look for vulnerabilities in other vendors’ software instead of limiting itself to software under Google’s domain.

Early this year, Project Zero researchers found a security flaw in Microsoft Windows 8.1 and then stuck rigidly to the 90-day disclosure policy – even though Microsoft had responded to the disclosure and was due to issue a fix that would go out in its regular patch update cycle. Project Zero’s disclosure deadline fell two days before Microsoft’s scheduled patch update, and Google went ahead and publicly revealed the Windows vulnerability anyway. Chris Betz, senior director of the Microsoft Security Response Center, responded in a blog post, "Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result."

In the aftermath, Google was publicly slammed for its actions, and the uproar was not just related to Project Zero. Many critics pointed to what they saw as hypocrisy in Google’s decision, early this year, to halt development of security patches for WebView, the component that renders Web content inside Android apps and the stock Android browser, on Android 4.3 (Jelly Bean) and earlier versions of the mobile operating system. That decision left almost a billion Android users open to drive-by download attacks if they visited a poisoned Web page.

Microsoft’s Betz has called for better coordination. "This is a time for security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them," he posted on the Microsoft Security Response Center’s blog.

In February 2015, after "great debate and external feedback," Project Zero amended its disclosure deadline policy to include a 14-day grace period for select instances in which a vendor has a fix on the way, in addition to the original 90-day deadline. At the same time, a post on the Project Zero blog said its "deadlines appear to be working to improve patch times and end user security — especially when enforced consistently."
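The following is an added example, not Project Zero’s own tooling, that models the deadline policy described above as a small tracker a vulnerability-disclosure program might run: a fixed window from the vendor report, plus a grace period that only applies when the vendor has a fix scheduled to ship inside that period. The dates are constructed; they are chosen so that the deadline falls two days before a scheduled patch, reproducing the timing the Windows 8.1 case describes, and the function names and the policy constants are this example’s own.

```python
from datetime import date, timedelta

# Policy parameters as described in the text: a 90-day deadline and,
# after the February 2015 amendment, a 14-day grace period. Setting
# GRACE_DAYS = 0 models the original policy. (Constants are this
# example's own names, not Project Zero's.)
DEADLINE_DAYS = 90
GRACE_DAYS = 14


def disclosure_date(reported, fix_scheduled=None,
                    deadline_days=DEADLINE_DAYS, grace_days=GRACE_DAYS):
    """Return (publish_on, reason) for a vulnerability reported on `reported`.

    `fix_scheduled` is the vendor's announced ship date for the patch, or
    None if the vendor has not committed to a date.
    """
    deadline = reported + timedelta(days=deadline_days)
    if fix_scheduled is None:
        return deadline, "no fix scheduled; publish at deadline"
    if fix_scheduled <= deadline:
        return fix_scheduled, "fix ships before deadline; publish with the fix"
    if fix_scheduled <= deadline + timedelta(days=grace_days):
        return fix_scheduled, "fix inside grace period; hold until fix ships"
    return deadline, "fix outside grace period; publish at deadline"


def days_until_disclosure(reported, fix_scheduled, grace_days):
    """Convenience wrapper: days from report to publication, plus the reason."""
    publish_on, reason = disclosure_date(reported, fix_scheduled,
                                         grace_days=grace_days)
    return (publish_on - reported).days, reason


# Constructed dates: report date chosen so the 90-day deadline lands two
# days before the vendor's scheduled patch day, as in the Windows 8.1 case.
EXAMPLE_REPORT = date(2014, 10, 13)
EXAMPLE_FIX = EXAMPLE_REPORT + timedelta(days=DEADLINE_DAYS + 2)


def compare_policies(reported=EXAMPLE_REPORT, fix_scheduled=EXAMPLE_FIX):
    """Show how the original and amended policies treat the same report."""
    return {
        "original (no grace)": days_until_disclosure(reported, fix_scheduled, 0),
        "amended (14-day grace)": days_until_disclosure(reported, fix_scheduled,
                                                         GRACE_DAYS),
    }


if __name__ == "__main__":
    for policy, (days, reason) in compare_policies().items():
        print(f"{policy}: publish after {days} days ({reason})")
```

Under the original policy the tracker publishes on day 90, two days before the fix ships; with the grace period it holds publication until the scheduled patch date, day 92. A fix scheduled more than 14 days past the deadline, or no scheduled fix at all, still publishes on day 90, which is the "enforced consistently" behaviour the blog post describes.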

"It’s the threat of disclosure that makes companies act, and keeps vendors honest," says security expert Bruce Schneier, chief technology officer of Resilient Systems. "In the past, companies had no urgency in fixing vulnerabilities. Now there’s urgency."

Schneier adds that disclosure deadlines are vitally important, but when a fix is in the works, disclosure deadline policies should be amended on a case-by-case basis. "There’s a culture of fixing vulnerabilities," he points out, now that public scrutiny has become the norm, "but it’s only fair to let the vendor respond."

John Delaney is a freelance technology writer based in Brooklyn, N.Y.
