We'll provide a frank assessment of the current attack landscape and how it has changed since the "mass malware" years. We will then explore what this means for effective defenses and vulnerability response. This will lead into a detailed description of where Project Zero fits it, with it's mission to make zero days hard and lower the incidence of targeted exploitation. We'll dive into some depth on the most significant Project Zero publications, policies and general observations to date.

1. Project Zero
Making 0day hard(er)

2. Google Confidential and Proprietary
Industry context
● To understand the formation of Project Zero, we need to
understand some industry shifts;
● Not everyone is taking these shifts on board;
● Failure to consider these shifts can result in suboptimal decisions.

3. Google Confidential and Proprietary
Industry context
Observation #1
Offensive security research done in the open is drying up.

4. Google Confidential and Proprietary
Industry context
Observation #2
Targeted attacks using 0-days are on the increase.

5. Google Confidential and Proprietary
Industry context
Observation #3
Mass malware 0-days are getting rare.

6. Google Confidential and Proprietary
Project Zero
The mission statement:
Make 0day hard.

7. The Project Zero team:
Attack research.
Vulnerability research
Exploit development
Exploit mitigations
In public

8. Google Confidential and Proprietary
Why build this team?
● Provide dream jobs to top-tier offensive security researchers.
● Provide a source of data to the wider defensive community.
● Be a progressive influence on industry wide policies.

9. Google Confidential and Proprietary
How do we make 0-day hard?
● Tweak the economics, lower supply of “good” bugs.
○ Mop up the “obvious” bugs.
○ Bug collision!
○ Provide a better job for the best offensive researchers.
● Invest in mitigations, tooling and scale.
● Force multiplier: sharing data enable other defenders.
● Industry change.

10. Google Confidential and Proprietary
Technical strategy
Eliminate low-hanging fruit
● utilize machine resources
● to bring an end to dumb-
fuzzing
● of ubiquitous software
platforms
Last step of the bug chain
● find surfaces with high
contention
● e.g. kernel, sandbox
● use all means possible to
find+fix bugs

11. Google Confidential and Proprietary
Target selection
● Balance of:
○ observed attacks
○ external feedback
○ internal deduction
● As of today, we focus heavily on endpoint client-side attacks
○ mobile: Android, iOS
○ desktop: Windows, OS X, Linux
○ browser: Chrome, Internet Explorer, Firefox
○ documents: Office, Reader

12. Google Confidential and Proprietary
Results
Number of security bugs handled by Project Zero: 427
Number of blog posts (primarily on vulnerability exploitation) made by Project Zero: 25

13. Google Confidential and Proprietary
Disclosure deadlines
● Project Zero uses a disclosure deadline.
○ Currently 90 days.
● Starting to become an industry norm.
● The goal: faster patch response times.
○ Acknowledging the reality of independent discovery.
● Results and data suggest deadlines are effective.

14. Google Confidential and Proprietary
Results: disclosure deadlines
Up to March 2015

15. Google Confidential and Proprietary
Results: disclosure deadlines
All issues filed in 2015

16. Google Confidential and Proprietary
Final thoughts
● Researchers: consider applying a disclosure deadline on your
findings. Join us under the Project Zero umbrella.
● Software vendors: explore the idea of building an open and
transparent attack research team of your own.
● Progressive companies: consider joining the Project Zero
umbrella by spinning up your own teams.

17. Google Confidential and Proprietary
Follow our blog and bug tracker
http://googleprojectzero.blogspot.com/
https://code.google.com/p/google-security-research/
We’re hiring!
Questions?