This year marks the fifth anniversary of Project Zero, an applied security research team at Google that aims to "make 0day hard". It has been a tumultuous and exciting journey so far, and we've managed to explore a huge range of weird and wonderful attacks. Full-chain browser exploits. Remote WiFi firmware attacks. The trials and tribulations of Flash! Kernel and userland privilege escalation for Linux, Windows, macOS, chromeOS, iOS, and Android. Hypervisor escapes. Oh, and something about speculative execution...
We've published a dizzying array of vulnerabilities and exploits. But why? How? And what does this all mean for user security?
This presentation gives a behind-the-scenes look at Project Zero's work, and a retrospective assessment of the impact this work has had. We'll look at why a team like Project Zero is needed in the first place, and some of the core principles that we use to make decisions. We'll dive into some of the classic hits from Project Zero's portfolio, and share some of the technical insights that result. And finally, we'll share some of the lessons learned, and a sketch for the next five years of Project Zero.
Ben Hawkes is a founding member and team lead of Google's 'Project Zero' security research team, where he helped develop the team's technical strategy and vulnerability disclosure policies. As a researcher, Ben discovered many vulnerabilities across a range of different software platforms (including Android, Linux, and Windows), and published research focused on vulnerability analysis and software exploitation. Prior to Project Zero, Ben worked for four years on the security of Google's product launches, with a particular focus on virtualization and sandboxing.