The April 2014 uncovering of Heartbleed marked the discovery of one of the most serious zero-day vulnerabilities found in Internet history. Before the general public was made aware of the Heartbleed bug, the risks had been analyzed, and fixes were released the same day as the announcement. A team of engineers at Google decided to concentrate on finding security risks like Heartbleed before they could be exploited. Google announced the official formation of a dedicated team of detectives in July 2014, and Project Zero was born.
The Project Zero goal is to “significantly reduce the number of people harmed by targeted attacks.” The team is dedicated to researching, finding and reporting large numbers of vulnerabilities to improve Internet security. The tenets of Project Zero and updates on its work are on Google’s Project Zero blog, part of the team’s assertion that their work will be transparent. Will this team of the best bug detectives Google can find wipe out zero-day bugs? They are on the right track, but face unfavorable odds.
How Project Zero Can Make the Internet More Secure
Google is off to a great start in the quest to squash bugs like Heartbleed. The pledges of Project Zero are exactly what should come from a team that’s serious about security, including:
- Assembling a team of top Internet security analysts who will spend 100 percent of their time working on Project Zero
- Pledging that their work will be transparent
- Notifying only the affected parties, not third-party vendors
Google’s announcement of Project Zero’s formation included the statement that they are forming a team of the top security researchers. Chris Evans, the team leader, made the team announcement and created the Project Zero blog to establish the team’s goals as well as to provide updates and discoveries he thinks will be informative to the Internet security crowd. Evans called himself a “Research Herder” in the initial post, and made sure to mention that the team will be adding talent.
Who Is Onboard
The top minds in Internet security and hacking alike came on board, some from inside Google. In fact, Google’s policy has always been to pay hackers who bring data vulnerabilities to their attention through their Vulnerability Reward Program. The hacker who reverse-engineered the Sony PlayStation 3 was sued by Sony, but was one of the first members announced by Google for the Project Zero team. The team also includes long-time Google researchers who did not previously devote 100 percent of their time to vulnerability research, but will now. The group has already contributed to an Apple bug fix.
Project Zero’s work is supposed to be transparent. They have promised that every issue they discover will be reported in an external database accessible to anyone. The database location was included in the Project Zero announcement. Fifty-five issues are currently listed. Google does assert that their work will only become known once the software vendor who is affected has been notified and a patch is available. In other words, just as with Heartbleed, the general public will not be informed until a bug fix is in place in order to prevent exploitation.
The team also asserts that they will not notify any third-party vendors. In the least favorable third-party scenarios, a third party will buy information about software vulnerabilities from a hacker in order to exploit the flaws or to force payment from the software company. Many companies do pay “bug bounties,” but in less-ethical situations, much more money is demanded. There are also legitimate businesses that search for bugs and sell their results. These vendors find vulnerabilities that can create security risks for large corporations and sell the findings to the corporations. However, these businesses do not provide transparency, so their results are not as helpful to the general public as the open information that will be provided by Project Zero could be.
By hiring the best researchers, providing transparency, working ethically, and keeping information about major security risks secure until a fix is available, it seems Google should be able to eliminate the possibility of another Heartbleed. However, Project Zero faces many hurdles on the way to achieving a goal that may not be realistic.
Why Project Zero Can’t Eliminate Bugs
Google has the power to attract the best and brightest in the engineering world, but the lure of working at Google will always be up against the lure of money to be made exploiting vulnerabilities. The idea of completely wiping out security risks like Heartbleed through a dedicated team of top researchers is inspiring, but the power of being able to exploit security flaws that will touch millions of people is more exciting to some hackers.
Others Have Tried
The uphill battle is already evident in the existence of a number of legitimate businesses that have been selling their research for years. Their existence has not put a stop to Internet security breaches, and no amount of research can stop every error in programming that allows security breaches to occur.
Reporting Practices Don’t Remove Vulnerability
The team will not publicly report any bugs until a patch is available, but by then many vulnerable users could have their data accessed. For instance, if Project Zero finds a bug in a popular mobile app, it may take weeks until a patch is available and the announcement is made publicly to users of that mobile app. During those weeks, users are unaware that they are at risk. If they had been told immediately, those users would have had the option to uninstall the mobile app until the problem was fixed.
Even if Project Zero detects the next Heartbleed, millions could have their secure data accessed until the flaw is made known. However, Project Zero is at least on track to keep these vulnerabilities from continuing, and their willingness to share all information allows developers to learn ways to prevent bugs that lead to zero-day vulnerabilities.
Reduction in Exploitation
Project Zero cannot put a stop to all Internet security risks, but with their talent and resources the team can certainly make a difference in research and discoveries. Chris Evans announced that Project Zero’s objective is to significantly reduce the number of people harmed by criminal or state-sponsored exploitation of software bugs. In only a few months, the team has begun to tackle several security risks. Perhaps they have not yet found the next Heartbleed, but Project Zero seems to be a worthwhile endeavor.