Black Hat: Google Chief Says Stop Playing Security Whack-A-Mole

During the 2018 Black Hat keynote, Google's 'Security Princess' and Director of Engineering Parisa Tabriz urged attendees to toss out the status quo and focus on real problems.

LAS VEGAS—The 2018 Black Hat keynote kicked off with a celebration of noise, smoke, and lasers worthy of any Hollywood production. Last year's conference drew more than 17,000 attendees. Black Hat doesn't release totals until the event is complete, but this year may be even bigger. In keeping with the size of the crowd, the keynote took place in the sports arena of the Mandalay Bay Resort.

The founder of Black Hat, Jeff Moss (also known as @darktangent) welcomed the crowd. He shared the fact that this year 112 countries had sent at least one attendee, and gave a special shoutout to the 26 who sent only one attendee. Moss also reported that Black Hat's scholarship program, which waives fees for deserving young security researchers, issued 233 scholarships this year.

"World events have caught up and we are being tested," said Moss. "Cyber offense is almost purely technical, with almost no politics involved. Defense is largely political. How much money do you spend? What kind of golden eggs are you trying to protect?"

"It feels like our adversaries have strategies and we have tactics," continued Moss. "I don't like that. What's my strategy?"

Moss pointed out that about 20 companies in the world have a global influence that affects billions. These are the Microsofts, Googles, and Apples of the tech world. Consumers and experts, Moss said, can pressure those companies to make better, more secure products. He offered the example of Google gradually deprecating insecure HTTP in Chrome, which now actively marks HTTP sites as not secure. That single move by just one company had an enormous effect.

Optimistic Dissatisfaction

Parisa Tabriz, Director of Engineering at Google, is responsible for making Chrome secure. She also manages the Project Zero security research team.

The "Security Princess," as she's called, owned the keynote stage in a chic white dress and pink-streaked hair. She opened with a picture of that old favorite arcade game, Whack-A-Mole. She admitted that as a child, Tabriz had stationed a brother on each side to whack the moles she couldn't get in the middle. The analogy was important.

"We must stop playing Whack-A-Mole and be more strategic," said Tabriz. "This room has the world's best experts on computer security, which is becoming the security of the world."

"We have to do more to solve the problems," she continued, "but I'm optimistic. We have made great strides over the decade. But there's more work to do in an increasingly complex landscape."

Tackle the Root Cause

To get away from playing Whack-A-Mole and fixing problems only as they pop up, Tabriz advises that researchers must tackle the root cause. She brought up the "5 Whys" technique, popular in auto design and other areas. If there is a problem, ask why. Each answer becomes the subject of the next question. Five whys down, you start to get somewhere.

Tabriz gave an example. "Suppose someone discloses a Remote Code Execution Bug in your product. Why did the bug lead to Remote Code Execution? Why didn't we discover it earlier? Why don't we have the tests that would have caught it? Why did the update take so long? Why does it take five weeks to deliver a fix?" She advised the audience to invest more, and differently, in tackling root causes.

Project Zero

Google's Project Zero team, managed by Tabriz, focuses on preventing zero-day exploits and reducing the harm caused by targeted attacks. The team isn't aligned to any one Google project; they treat Android, Chrome, and other Google services just as they would third-party products.

Tabriz noted that in 2014 this team exposed more than 1,400 vulnerabilities in a range of products. "Our aim is to advance understanding of the offensive actors to inform and improve our defenses," said Tabriz. "We have to do more than one-off fixes. Our strategy is to build an advanced understanding of the attackers."

"The problem is, vendors don't always have a sense of priority for security," continued Tabriz, "and there's a large power imbalance between the individual researcher and a corporation." To level the field, Project Zero introduced 90-day disclosure. After they notify a company of a security vulnerability, they make it public in 90 days, whether or not the company fixed it.

"The deadline causes short-term pain for large organizations, including Google," noted Tabriz. But by sticking to the deadline, they force vendors to rally and invest in better processes. She reported that at present, 98 percent of issues get fixed within the 90-day period, up from 25 percent prior to the deadline policy.

Pick Milestones and Celebrate

Tabriz noted that the people working in cyberdefense rarely make the headlines. They work in the background, keeping us all safe. She advised all defense teams to identify milestones in their work, and make celebrating these milestones part of the project.

She took as an example the team that worked on getting more, or even all, websites to use the secure HTTPS connection, rather than insecure HTTP. "Without HTTPS, there's no security, and no privacy," she observed. Tabriz went through a detailed timeline of the process, which included a poetry slam that kicked off the effort and produced this haiku:

Secrets in the tubes.
People in the middle snoop.
Protect with crypto.

The celebration aspect also went beyond poetry to treats, including an HTTPS cake and HTTPS pie. Tabriz noted that there's no big expense involved, but that the celebration elevates the team and the project.

Build Out Your Coalition

Continuing with the Chrome team as an example, Tabriz focused on the project that changed Chrome to render every site separately, isolating them so a dangerous site can't infect other open pages. She noted a number of ways such a project could fail.

"Management could kill it," she said. "We had 10 engineers working on site isolation, and thought it would take a year. It took six. Mistakes like that can put a bulls-eye on the project's back." But, she explained, the team kept in touch with management and other teams, articulating the progress and the reasons it took longer.

"Lack of peer support could also kill the project," she continued. "Chrome is 10 years old, with ten million lines of code, and the site isolation project cuts across all the architecture." The process of finding text on a page previously was a simple loop; site isolation would make it much more complex. "The little team had to find out who owns text search and convince them to change."

The third killer could have been a change to underlying web standards that would derail the new effort. Fortunately, the team got the web standards bodies on board, with an agreement that site isolation is valuable enough they should avoid changes that would affect it.

Out With the Status Quo

Tabriz refers to the communication upward to management and outward to peers and partners as building out your coalition. That, along with focusing on root causes and building in milestones and celebration, makes up her plan for seriously improving security technology. Importantly, it's not the status quo. At one point she displayed a slide saying…well…"Execrate the Status Quo."

"I'm optimistic," she concluded. "You can be proud of our advances. I remain hopeful because while so many of you are cynical, it's because you personally care. It's up to us."

About Neil J. Rubenking