IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google’s Project Zero is frightening and reassuring in equal measure

This crack team of security researchers are doing work we should all be grateful for

Female IT programmer working on a desktop computer in data centre

The search giant has long since been just a search giant, but one area in which Google excels is in threat discovery. Project Zero is a team of security researchers. If Marks and Spencer did cyber security research then these would be the calibre of hackers it employed. Seriously, the Project Zero researchers are drawn from some of the best in their respective fields. Which is why when it issues reports, they’re well worth reading. 

Take the analysis of zero-days disclosed by Project Zero across 2021. The obvious headline takeaway is that 2021 broke the record for number of zero-days across multiple platforms, 58 if you care about such things, and ditto for those impacting Google Chrome, at 14. Another potential takeaway is that despite the maturity of Google’s security ecosystem, a team of truly “elite” researchers can still find this number of zero-days

Another possible takeaway is that the vast majority of them fell into the same-old-same-old category of memory corruption vulnerabilities enabling the exploits. Although this is a tried and tested method, it’s not a tired one. Indeed, that so many zero-day exploits were going down that route demonstrates how important this class of vulnerability is and how much further there is to travel for DevSec folk. 

“Memory corruption vulnerabilities have been the standard for attacking software for the last few decades, and it’s still how attackers are having success,” said Maddie Stone, the Project Zero researcher behind the analysis. Stone also made the point that while it’s great finding zero-days, and the improvement amongst researchers in being able to do so, there’s a “lot more improving to be done”. 

That attackers are, on the whole, sticking to legacy exploit techniques should be a huge concern to the tech industry as a whole, but it’s also a huge opportunity to close them out by putting a greater focus on closing those rogue code gaps.

Related Resource

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

Whitepaper cover with title over a grey rectangle with header graphic and ESG logoFree Download

What really stood out to me from the 58 zero-days detailed in this report was that only two of them made the researchers go “wow”, and that they avoided the memory corruption methodology completely. Both targeted Apple users, via iOS and iMessage respectively, and both invested in novel exploit techniques with great impact. How great? If I said “NSO Pegasus” that should be enough to get your head spinning into overdrive. 

The two exploits were singled out as, firstly an iOS security sandbox escape that only used logic bugs to work and, secondly, a zero-click iMessage exploit in reality rather than the realm of hyperbolic headlines. The Project Zero researchers described the latter as being “one of the most technically sophisticated exploits” they had ever seen, according to the report. 

“Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations,” the report said. “It’s not as fast as JavaScript, but it’s fundamentally computationally equivalent.” 

I’ll add my wow into the mix at this point.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022