Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.
History
After finding a number of flaws in software used by many end-users while researching other problems, such as the critical "Heartbleed" vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but any software used by its users. The new project was announced on 15 July 2014 on Google's security blog.
When it launched, one of the principal innovations that Project Zero provided was a strict 90-day disclosure deadline along with a publicly visible bugtracker where the vulnerability disclosure process is documented.
While the idea for Project Zero can be traced back to 2010, its establishment fits into the larger trend of Google's counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden. The team was formerly headed by Chris Evans, previously head of Google's Chrome security team, who subsequently joined Tesla Motors. Other notable members include security researchers Ben Hawkes, Ian Beer and Tavis Ormandy. Hawkes eventually became the team's manager and then resigned on 4 May 2022.
The team's focus is not just on finding bugs and novel attacks, but also on researching and publicly documenting how such flaws could be exploited in practice. This is done to ensure that defenders have sufficient understanding of attacks; the team keeps an extensive research blog with articles that describe individual attacks in detail.
Bug finding and reporting
Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or if 90 days have passed without a patch being released. The 90-day deadline is Google's way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks.
There have been cases where the vendor does not produce any solution for the discovered flaws within 90 days, before the public disclosure by the team, increasing the risk to already-vulnerable users.
Notable members
* Ian Beer
* Jann Horn
* Natalie Silvanovich
* James Forshaw
Past members
* Ben Hawkes
* Tavis Ormandy
* Gal Beniamini
* Thomas Dullien
* Chris Evans
* George Hotz
* Matt Tait
* Steven Vittitoe
* Ned Williamson
* Felix Wilhelm
* Maddie Stone
Notable discoveries
* One of the first Project Zero reports that attracted attention involved a flaw that allowed hackers to take control of software running the Safari browser. For its efforts, the team, specifically Beer, was cited in Apple's brief note of thanks.
* On 30 September 2014, Google detected a security flaw within Windows 8.1's system call "NtApphelpCacheControl", which allows a normal user to gain administrative access. Microsoft was notified of the problem immediately but did not fix the problem within 90 days, which meant information about the bug was made publicly available on 29 December 2014. Releasing the bug to the public elicited a response from Microsoft that they were working on the problem.
* On 9 March 2015, Google Project Zero's blog published a guest post that disclosed how a previously known hardware flaw in commonly deployed DRAM called Row Hammer could be exploited to escalate privileges for local users. This post spawned a large quantity of follow-up research in both the academic and hardware communities.
* On 19 February 2017, Google discovered a flaw within Cloudflare's reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of this data was cached by search engines. A member of the Project Zero team referred to this flaw as Cloudbleed.
* On 27 March 2017, Tavis Ormandy of Project Zero discovered a vulnerability in the popular password manager LastPass. On 31 March 2017, LastPass announced they had fixed the problem.
* Project Zero was involved in discovering the Meltdown and Spectre vulnerabilities affecting many modern CPUs, which were discovered in mid-2017 and disclosed in early January 2018. The issue was discovered by Jann Horn independently from the other researchers who reported the security flaw and was scheduled to be published on 9 January 2018 before the date was moved up because of growing speculation.
* On 1 February 2019, Project Zero reported to Apple that they had detected a set of five separate and complete iPhone exploit chains affecting iOS 10 through all versions of iOS 12, not targeting specific users but having the ability to infect any user who visited an infected site. A series of hacked sites, which Project Zero estimated received thousands of visitors per week, were being used in indiscriminate watering hole attacks against their visitors. Project Zero felt the attacks indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years. Apple fixed the exploits in the release of iOS 12.1.4 on 7 February 2019, and said the fixes were already underway when reported by Project Zero.
* On 18 April 2019, Project Zero discovered a bug in Apple iMessage wherein a certain malformed message could cause Springboard to "...crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input." This would completely crash the iPhone's UI, making it inoperable. This bug would persist even after a hard reset. The flaw also affected iMessage on Mac with different results. Apple fixed the bug within the 90-day period before Project Zero released it.
* In December 2021, the team published a technical breakdown of the FORCEDENTRY exploit based on its collaboration with Apple's Security Engineering and Architecture (SEAR) group.
See also
* Proactive cyber defence