Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.
History
After finding a number of flaws in software used by many end-users while researching other problems, such as the critical "Heartbleed" vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but in any software used by its users. The new project was announced on 15 July 2014 on Google's security blog.
When it launched, one of the principal innovations Project Zero introduced was a strict 90-day disclosure deadline, along with a publicly visible bug tracker in which the vulnerability disclosure process is documented.
While the idea for Project Zero can be traced back to 2010, its establishment fits into the larger trend of Google's counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden. The team was formerly headed by Chris Evans, previously head of Google's Chrome security team, who subsequently joined Tesla Motors. Other notable members include security researchers Ben Hawkes, Ian Beer and Tavis Ormandy.
Hawkes eventually became the team's manager and then resigned on 4 May 2022.
The team's focus is not just on finding bugs and novel attacks, but also on researching and publicly documenting how such flaws could be exploited in practice. This is done to ensure that defenders have sufficient understanding of attacks; the team keeps an extensive research blog with articles that describe individual attacks in detail.
Bug finding and reporting
Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or once 90 days have passed without a patch being released.
The 90-day deadline is Google's way of implementing responsible disclosure: software companies get 90 days to fix a problem before the public is informed, so that users themselves can take the steps needed to avoid attacks. There have been cases in which the vendor produced no fix within the 90 days after notification, so the team's public disclosure left users of the affected systems exposed.
Notable members
* Ben Hawkes
* Tavis Ormandy
* Ian Beer
* Jann Horn
* Natalie Silvanovich
* James Forshaw
* Maddie Stone
Past members
* Gal Beniamini
* Thomas Dullien
* Chris Evans
* George Hotz
* Matt Tait
* Steven Vittitoe
Notable discoveries
One of the first Project Zero reports that attracted attention involved a flaw that allowed hackers to take control of software running the Safari browser. For its efforts, the team, specifically Beer, was cited in Apple's brief note of thanks.
On 30 September 2014, Google detected a security flaw in Windows 8.1's system call "NtApphelpCacheControl", which allows a normal user to gain administrative access. Microsoft was notified of the problem immediately but did not fix it within 90 days, which meant information about the bug was made publicly available on 29 December 2014. Releasing the bug to the public elicited a response from Microsoft that they were working on the problem.
On 9 March 2015, Google Project Zero's blog posted a guest post that disclosed how a previously known hardware flaw in commonly deployed DRAM, called Row Hammer, could be exploited to escalate privileges for local users. This post spawned a large quantity of follow-up research in both the academic and hardware communities.
On 19 February 2017, Google discovered a flaw in Cloudflare's reverse proxies which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of this data was cached by search engines. A member of the Project Zero team referred to this flaw as Cloudbleed.
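The mechanism behind Cloudbleed, a scan that walks off the end of the buffer being parsed and into neighbouring memory, can be shown with a small constructed scanner. The following C is an added example and is not Cloudflare's parser or Project Zero's code: the arena, the two tenant strings, the function names and the specific `==` bounds test are this example's own assumptions, chosen only to reproduce the effect described above (a buffer that ends in the middle of a CRLF makes the cursor skip past the end marker). The hardened version checks the remaining length before every read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for a proxy's heap: the request being parsed
 * (TENANT1) ends on a lone '\r' and is immediately followed by another
 * customer's data (TENANT2). Both strings are made up for this example. */
#define TENANT1 "GET /a HTTP/1.1\r\nHost: example.test\r"
#define TENANT2 "\nCookie: session=tenant2-secret\r\n\r\n"
static const char arena[] = TENANT1 TENANT2;
static const size_t request_len = sizeof(TENANT1) - 1;   /* bytes the parser may read */

/* Vulnerable scanner: copies header bytes to out until the blank line that
 * ends a header block. On '\r' it steps over an assumed "\r\n" pair in one
 * move and only then tests p == end. When the buffer ends on a '\r', p lands
 * on end + 1, the equality test can never fire, and the loop carries on
 * reading and copying whatever memory follows the buffer. */
size_t scan_headers_vuln(const char *buf, size_t len, char *out, size_t outsz) {
    const char *p = buf, *end = buf + len;
    size_t n = 0;
    while (n + 2 < outsz) {
        if (*p == '\r') {
            if (p[1] == '\n' && p[2] == '\r' && p[3] == '\n')
                break;                       /* blank line: end of headers */
            out[n++] = p[0];
            out[n++] = p[1];
            p += 2;
            if (p == end)                    /* BUG: skipped when p == end + 1 */
                break;
            continue;
        }
        out[n++] = *p++;
        if (p == end)
            break;
    }
    out[n] = '\0';
    return n;
}

/* Hardened scanner: indexes with a length it checks before every read, and a
 * truncated CRLF at the end of the buffer stops the scan at the boundary. */
size_t scan_headers_safe(const char *buf, size_t len, char *out, size_t outsz) {
    size_t i = 0, n = 0;
    while (i < len && n + 2 < outsz) {
        if (buf[i] == '\r') {
            if (i + 3 < len && buf[i + 1] == '\n' && buf[i + 2] == '\r' && buf[i + 3] == '\n')
                break;                       /* blank line: end of headers */
            if (i + 1 >= len)
                break;                       /* '\r' is the last byte: do not read past it */
            out[n++] = buf[i];
            out[n++] = buf[i + 1];
            i += 2;
            continue;
        }
        out[n++] = buf[i++];
    }
    out[n] = '\0';
    return n;
}

/* Run a scanner over the request region only and report whether its output
 * contains bytes from the other tenant's region. */
int leaks_adjacent_memory(size_t (*scan)(const char *, size_t, char *, size_t)) {
    char out[256];
    scan(arena, request_len, out, sizeof out);
    return strstr(out, "tenant2-secret") != NULL;
}

int main(void) {
    printf("vulnerable scanner leaks adjacent memory: %d\n", leaks_adjacent_memory(scan_headers_vuln));
    printf("hardened scanner leaks adjacent memory:   %d\n", leaks_adjacent_memory(scan_headers_safe));
    return 0;
}
```

The vulnerable scanner's output contains the second tenant's cookie line because its only bounds check is an equality test that the cursor has already jumped over, while the length-checked version stops at the boundary. The review check on real parsers is the same: every advance of the cursor must be guarded by a comparison against the remaining length, never by equality with an end pointer.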
On 27 March 2017, Tavis Ormandy of Project Zero discovered a vulnerability in the popular password manager LastPass. On 31 March 2017, LastPass announced they had fixed the problem.
Project Zero was involved in discovering the Meltdown and Spectre vulnerabilities affecting many modern CPUs, which were discovered in mid-2017 and disclosed in early January 2018. The issue was discovered by Jann Horn independently of the other researchers who reported the security flaw, and publication was scheduled for 9 January 2018 before the date was moved up because of growing speculation.
On 18 April 2019, Project Zero discovered a bug in Apple iMessage wherein a certain malformed message could cause Springboard to "...crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input." This would completely crash the iPhone's UI, making it inoperable. This bug would persist even after a hard reset. The flaw also affected iMessage on Mac with different results. Apple fixed the bug within the 90-day period before Project Zero released it.
On 1 February 2019, Project Zero reported to Apple that they had detected a set of five separate and complete iPhone exploit chains affecting iOS 10 through all versions of iOS 12, not targeting specific users but able to infect any user who visited an infected site. A series of hacked sites was being used in indiscriminate watering hole attacks against their visitors, which Project Zero estimated received thousands of visitors per week. Project Zero felt the attacks indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years. Apple fixed the exploits in the release of iOS 12.1.4 on 7 February 2019, and said the fixes were already underway when reported by Project Zero.
In December 2021, the team published a technical breakdown of the FORCEDENTRY exploit based on its collaboration with Apple's Security Engineering and Architecture (SEAR) group. The exploit was described by the team:
JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.
The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.
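To make the quoted description concrete, here is an added C example, not the exploit's code and not from Project Zero, that does on a small scale what the passage describes: a "program" is an array of commands, each combining two single-bit memory cells with one logic operation, and a single linear pass over that array implements a 64-bit adder and an equality comparator. The command format, memory layout, gate set and function names are this example's own assumptions; the real exploit expresses its gates as JBIG2 segment commands operating on the decoder's memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulated memory: one byte per bit so that every gate reads and writes
 * single cells. The layout and gate set are this example's own, not the
 * exploit's. */
#define MEM_BITS 512
static uint8_t mem[MEM_BITS];

enum op { OP_AND, OP_OR, OP_XOR, OP_XNOR };

/* One "segment command": mem[dst] = mem[a] <op> mem[b]. A program is just an
 * array of these; running it is one linear pass, much as the exploit's gates
 * run in one decompression pass over a JBIG2 stream. */
struct cmd { enum op op; int dst, a, b; };

static void run(const struct cmd *prog, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t x = mem[prog[i].a], y = mem[prog[i].b], r = 0;
        switch (prog[i].op) {
        case OP_AND:  r = x & y;              break;
        case OP_OR:   r = x | y;              break;
        case OP_XOR:  r = x ^ y;              break;
        case OP_XNOR: r = (uint8_t)!(x ^ y);  break;
        }
        mem[prog[i].dst] = r;
    }
}

/* Fixed "register" positions (bit indices): two 64-bit inputs, a 64-bit
 * result, and a few scratch cells. */
enum { REG_A = 0, REG_B = 64, REG_SUM = 128, CARRY = 192, T1, T2, T3, EQ };

/* Emit a 64-bit ripple-carry adder: one XOR to clear the carry-in, then five
 * gates per bit (sum = a^b^c, carry = (a&b) | ((a^b)&c)). */
static size_t build_adder(struct cmd *out) {
    size_t n = 0;
    out[n++] = (struct cmd){OP_XOR, CARRY, REG_A, REG_A};           /* carry-in = 0 */
    for (int i = 0; i < 64; i++) {
        out[n++] = (struct cmd){OP_XOR, T1, REG_A + i, REG_B + i};  /* a ^ b */
        out[n++] = (struct cmd){OP_XOR, REG_SUM + i, T1, CARRY};    /* sum bit */
        out[n++] = (struct cmd){OP_AND, T2, REG_A + i, REG_B + i};  /* a & b */
        out[n++] = (struct cmd){OP_AND, T3, T1, CARRY};             /* (a ^ b) & c */
        out[n++] = (struct cmd){OP_OR,  CARRY, T2, T3};             /* carry out */
    }
    return n;
}

/* Emit a 64-bit equality comparator: EQ = AND over all XNOR(a_i, b_i). */
static size_t build_comparator(struct cmd *out) {
    size_t n = 0;
    out[n++] = (struct cmd){OP_XNOR, EQ, REG_A, REG_B};
    for (int i = 1; i < 64; i++) {
        out[n++] = (struct cmd){OP_XNOR, T1, REG_A + i, REG_B + i};
        out[n++] = (struct cmd){OP_AND, EQ, EQ, T1};
    }
    return n;
}

static void store(int base, uint64_t v) {
    for (int i = 0; i < 64; i++) mem[base + i] = (uint8_t)((v >> i) & 1);
}
static uint64_t load(int base) {
    uint64_t v = 0;
    for (int i = 0; i < 64; i++) v |= (uint64_t)mem[base + i] << i;
    return v;
}

/* Add two 64-bit values using nothing but the gate program. */
uint64_t emulated_add(uint64_t x, uint64_t y) {
    struct cmd prog[64 * 5 + 1];
    size_t n = build_adder(prog);
    store(REG_A, x);
    store(REG_B, y);
    run(prog, n);
    return load(REG_SUM);
}

/* Compare two 64-bit values for equality the same way. */
int emulated_eq(uint64_t x, uint64_t y) {
    struct cmd prog[64 * 2];
    size_t n = build_comparator(prog);
    store(REG_A, x);
    store(REG_B, y);
    run(prog, n);
    return mem[EQ];
}

int main(void) {
    printf("%llu\n", (unsigned long long)emulated_add(123456789ULL, 987654321ULL));
    printf("%d %d\n", emulated_eq(42, 42), emulated_eq(42, 43));
    return 0;
}
```

Only `run` touches the emulated memory, and it knows nothing about addition or comparison; those exist purely as the ordering of bit-level gates in the command array. That is the point of the quoted passage: once a format gives an attacker a primitive for combining bits at chosen locations, the rest is circuit design, and the resulting machine is slow but general.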
See also
* Proactive cyber defence