LAS VEGAS—Black Hat’s hallmark of offensive security and cool hacks is still one big reason tens of thousands come to the desert every summer. But clearly something bigger is going on as the conference turns 21.
Some of the talks are also about enabling defense, working across companies and industries, and addressing the personal difficulties of a profession that now bears heavily on physical safety, national security, and economic stability.
Not surprisingly, Google (its business model benefits too) isn't waiting for permission to take the reins of much of this movement. To many, Google is the internet, and when it decides to deprecate plaintext HTTP in favor of an encrypted web, starts marking sites as Not Secure, or rolls out site isolation as a mitigation in Chrome, everyone else has to keep up or get out.
Google’s director of engineering Parisa Tabriz drove this message home during her keynote address inside the cavernous Mandalay Bay Events Center arena. The days of isolated fixes have to come to an end, she pleaded. Instead, classes of software and hardware bugs need to be eradicated, something that requires an approach of identifying root causes rather than one-off patches for the same bugs over and over.
Tabriz also said the industry needs to invest in bold proactive defensive projects, be more intentional about those projects, and engage champions outside security in order to ensure these efforts succeed.
No problem, right?
Not every company is as well-resourced as Google, but Tabriz—she’s responsible for the security of the Chrome browser as well as overseeing the Project Zero research team—walks the walk.
With a recent Chrome update, Google has begun marking sites that still serve pages and transmit traffic in the clear over plain HTTP as Not Secure; the label is keyed to the absence of HTTPS, not to the strength of a site's TLS configuration. It was a gradual rollout, one that required people, money, and engagement with other browser makers and stakeholders to make it work.
“We have to stop playing Whac-A-Mole,” Tabriz said. “It’s so frustrating when I see reports of a vulnerability that’s been previously fixed or a trivial variant of a bug that we knew about. We need an ambitious, strategic, and collaborative approach to defense.”
The move to deprecate HTTP in Chrome was all of those things. That approach is, in fact, the guiding principle for Tabriz's teams at Google, in particular Project Zero. This team of advanced offensive researchers has sniffed out more than 1,400 bugs in software, hardware, mobile platforms, and more. It also took a major leap when it imposed a 90-day disclosure deadline on affected vendors. Google believes the three-month grace period gives vendors ample time to patch vulnerabilities, or at least to explain why a given company needs additional time to fix them. Some companies, Microsoft and other giants among them in 2014, had to deal with public disclosures coming out of Project Zero ahead of their patches, much to their consternation. Google, for its part, expected the backlash but kept its posture, Tabriz said.
Looking back, it may be a difficult exercise to argue with the results given that pre-deadline, the patch rate hovered around 25 percent. Today, it’s at 98 percent, Tabriz said.
“It’s an impressive number, but it’s not representative of the most important impact of this team,” Tabriz said. “It aims to inform and improve defensive strategies. The strategy is to build a research pipeline to advance the understanding of exploitation among defenders. This leads to structural improvements and better end-user security.”
Translated, an encrypted web, and quicker patch times.
The forward-thinking part of the Google approach, meanwhile, can be seen in its site isolation effort, which was rolled out in Chrome late last year and then turned on by default in May. Site isolation puts a boundary between sites reached through Chrome: each site's pages are rendered in their own process, so a compromised renderer holds only that site's data. That cuts down on cross-site data theft, and by happy coincidence it went a long way toward mitigating the Spectre and Meltdown processor vulnerabilities disclosed earlier this year. The benefit is mainly against Spectre-style attacks, where a speculative read from JavaScript could otherwise leak another site's data sitting in the same renderer process; if the other site's data is never in the process, there is nothing to leak.
“No one could have predicted Spectre,” Tabriz said. “We knew where the assets were and were attacking this problem for years. Site isolation gave Chrome a nice head start.”
Spectre and Meltdown were also just the most recent examples of cross-company collaboration, something Tabriz used the Black Hat pulpit to call for again.
“Investing in defensive projects promotes core security principles of isolation, containment and simplicity,” she said. “When the benefits are not clear, it’s important to communicate up and out, and get people outside your security team invested in a project.”