Posted by Jan Jedrzejowicz, Director of Product, Android and Business Communications; Alberto Pastor Nieto, Sr. Product Manager Google Messages and RCS Spam and Abuse; Stephan Somogyi, Product Lead, User Protection; Branden Archer, Software Engineer Every day, over a billion people…
Tag: Google Online Security Blog
Bringing new theft protection features to Android users around the world
Posted by Jianing Sandra Guo, Product Manager and Nataliya Stanetsky, Staff Program Manager, Android Janine Roberta Ferreira was driving home from work in São Paulo when she stopped at a traffic light. A man suddenly appeared and broke the window…
Safer with Google: Advancing Memory Safety
Posted by Alex Rebert, Security Foundations, and Chandler Carruth, Jen Engel, Andy Qin, Core Developers Error-prone interactions between software and memory1 are widely understood to create safety issues in software. It is estimated that about 70% of severe vulnerabilities2 in…
Using Chrome’s accessibility APIs to find security bugs
Posted by Adrian Taylor, Security Engineer, Chrome Chrome’s user interface (UI) code is complex, and sometimes has bugs. Are those bugs security bugs? Specifically, if a user’s clicks and actions result in memory corruption, is that something that an attacker…
Evaluating Mitigations & Vulnerabilities in Chrome
Posted by Alex Gough, Chrome Security Team The Chrome Security Team is constantly striving to make it safer to browse the web. We invest in mechanisms to make classes of security bugs impossible, mitigations that make it more difficult to…
Pixel’s Proactive Approach to Security: Addressing Vulnerabilities in Cellular Modems
Posted by Sherk Chung, Stephan Chen, Pixel team, and Roger Piqueras Jover, Ivan Lozano, Android team Pixel phones have earned a well-deserved reputation for being security-conscious. In this blog, we’ll take a peek under the hood to see how Pixel…
Eliminating Memory Safety Vulnerabilities at the Source
Posted by Jeff Vander Stoep – Android team, and Alex Rebert – Security Foundations Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building…
Eliminating Memory Safety Vulnerabilities at the Source
Posted by Jeff Vander Stoep – Android team, and Alex Rebert – Security Foundations Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building…
A new path for Kyber on the web
Posted by David Adrian, David Benjamin, Bob Beck & Devon O’Brien, Chrome Team We previously posted about experimenting with a hybrid post-quantum key exchange, and enabling it for 100% of Chrome Desktop clients. The hybrid key exchange used both the…
Deploying Rust in Existing Firmware Codebases
< p style=”text-align: left;”>Posted by Ivan Lozano and Dominik Maier, Android Team Android’s use of safe-by-design principles drives our adoption of memory-safe languages like Rust, making exploitation of the OS increasingly difficult with every release. To provide a secure foundation,…
Virtual Escape; Real Reward: Introducing Google’s kvmCTF
Marios Pomonis, Software Engineer < div> Google is committed to enhancing the security of open-source technologies, especially those that make up the foundation for many of our products, like Linux and KVM. To this end we are excited to announce…
Sustaining Digital Certificate Security – Entrust Certificate Distrust
Posted by Chrome Root Program, Chrome Security Team The Chrome Security Team prioritizes the security and privacy of Chrome’s users, and we are unwilling to compromise on these values. The Chrome Root Program Policy states that CA certificates included in…
Staying Safe with Chrome Extensions
Posted by Benjamin Ackerman, Anunoy Ghosh and David Warren, Chrome Security Team Chrome extensions can boost your browsing, empowering you to do anything from customizing the look of sites to providing personalized advice when you’re planning a vacation. But as…
Time to challenge yourself in the 2024 Google CTF
Hlynur Gudmundsson, Software Engineer < div> It’s Google CTF time! Install your tools, commit your scripts, and clear your schedule. The competition kicks off on June 21 2024 6:00 PM UTC and runs through June 23 2024 6:00 PM UTC.…
I/O 2024: What’s new in Android security and privacy
Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy Our commitment to user safety is a top priority for Android. We’ve been consistently working to stay ahead of the world’s scammers, fraudsters and bad actors. And as their tactics…
Google and Apple deliver support for unwanted tracking alerts in Android and iOS
Google and Apple have worked together to create an industry specification – Detecting Unwanted Location Trackers – for Bluetooth tracking devices that makes it possible to alert users across both Android and iOS if such a device is unknowingly being…
Your Google Account allows you to create passkeys on your phone, computer and security keys
Sriram Karra and Christiaan Brand, Google product managers Last year, Google launched passkey support for Google Accounts. Passkeys are a new industry standard that give users an easy, highly secure way to sign-in to apps and websites. Today, we announced…
Secure by Design: Google’s Perspective on Memory Safety
Alex Rebert, Software Engineer, Christoph Kern, Principal Engineer, Security Foundations Google’s Project Zero reports that memory safety vulnerabilities—security defects caused by subtle coding errors related to how a program accesses memory—have been “the standard for attacking software for the last…
Secure by Design: Google’s Perspective on Memory Safety
Alex Rebert, Software Engineer, Christoph Kern, Principal Engineer, Security Foundations < div> Google’s Project Zero reports that memory safety vulnerabilities—security defects caused by subtle coding errors related to how a program accesses memory—have been “the standard for attacking software for…
Piloting new ways of protecting Android users from financial fraud
Posted by Eugene Liderman, Director of Mobile Security Strategy, Google From its founding, Android has been guided by principles of openness, transparency, safety, and choice. Android gives you the freedom to choose which device best fits your needs, while also…
Improving Interoperability Between Rust and C++
Posted by Lars Bergstrom – Director, Android Platform Tools & Libraries and Chair of the Rust Foundation Board Back in 2021, we announced that Google was joining the Rust Foundation. At the time, Rust was already in wide use across…
UN Cybercrime Treaty Could Endanger Web Security
Royal Hansen, Vice President of Privacy, Safety and Security Engineering This week, the United Nations convened member states to continue its years-long negotiations on the UN Cybercrime Treaty, titled “Countering the Use of Information and Communications Technologies for Criminal Purposes.”
Scaling security with AI: from detection to solution
Dongge Liu and Oliver Chang, Google Open Source Security Team, Jan Nowakowski and Jan Keller, Machine Learning for Security Team < div> The AI world moves fast, so we’ve been hard at work keeping security apace with recent advancements. One…
Effortlessly upgrade to Passkeys on Pixel phones with Google Password Manager
Posted by Sherif Hanna, Group Product Manager, Pixel Security Helping Pixel owners upgrade to the easier, safer way to sign in Your phone contains a lot of your personal information, from financial data to photos. Pixel phones are designed to…
Hardening cellular basebands in Android
Posted by Ivan Lozano and Roger Piqueras Jover Android’s defense-in-depth strategy applies not only to the Android OS running on the Application Processor (AP) but also the firmware that runs on devices. We particularly prioritize hardening the cellular baseband given…
Evolving the App Defense Alliance
Posted by Nataliya Stanetsky, Android Security and Privacy Team The App Defense Alliance (ADA), an industry-leading collaboration launched by Google in 2019 dedicated to ensuring the safety of the app ecosystem, is taking a major step forward. We are proud…
MTE – The promising path forward for memory safety
Posted by Andy Qin, Irene Ang, Kostya Serebryany, Evgenii Stepanov Since 2018, Google has partnered with ARM and collaborated with many ecosystem partners (SoCs vendors, mobile phone OEMs, etc.) to develop Memory Tagging Extension (MTE) technology. We are now happy…
More ways for users to identify independently security tested apps on Google Play
Posted by Nataliya Stanetsky, Android Security and Privacy Team Keeping Google Play safe for users and developers remains a top priority for Google. As users increasingly prioritize their digital privacy and security, we continue to invest in our Data Safety…
Qualified certificates with qualified risks
Posted by Chrome Security team Improving the interoperability of web services is an important and worthy goal. We believe that it should be easier for people to maintain and control their digital identities. And we appreciate that policymakers working on…
SMS Security & Privacy Gaps Make It Clear Users Need a Messaging Upgrade
Posted by Eugene Liderman and Roger Piqueras Jover SMS texting is frozen in time. People still use and rely on trillions of SMS texts each year to exchange messages with friends, share family photos, and copy two-factor authentication codes to…
Scaling Rust Adoption Through Training
Posted by Martin Geisler, Android team Android 14 is the third major Android release with Rust support. We are already seeing a number of benefits: Productivity: Developers quickly feel productive writing Rust. They report important indicators of development velocity, such…
Capslock: What is your code really capable of?
Jess McClintock and John Dethridge, Google Open Source Security Team, and Damien Miller, Enterprise Infrastructure Protection Team When you import a third party library, do you review every line of code? Most software packages depend on external libraries, trusting that…
Android Goes All-in on Fuzzing
Posted by Jon Bottarini and Hamzeh Zawawy, Android Security Fuzzing is an effective technique for finding software vulnerabilities. Over the past few years Android has been focused on improving the effectiveness, scope, and convenience of fuzzing across the organization. This…
AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
Dongge Liu, Jonathan Metzman, Oliver Chang, Google Open Source Security Team Since 2016, OSS-Fuzz has been at the forefront of automated vulnerability discovery for open source projects. Vulnerability discovery is an important part of keeping software supply chains secure, so…
AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
Dongge Liu, Jonathan Metzman, Oliver Chang, Google Open Source Security Team Since 2016, OSS-Fuzz has been at the forefront of automated vulnerability discovery for open source projects. Vulnerability discovery is an important part of keeping software supply chains secure, so…
Toward Quantum Resilient Security Keys
Elie Bursztein, cybersecurity and AI research director, Fabian Kaczmarczyck, software engineer As part of our effort to deploy quantum resistant cryptography, we are happy to announce the release of the first quantum resilient FIDO2 security key implementation as part of…
Making Chrome more secure by bringing Key Pinning to Android
Posted by David Adrian, Joe DeBlasio and Carlos Joan Rafael Ibarra Lopez, Chrome Security Chrome 106 added support for enforcing key pins on Android by default, bringing Android to parity with Chrome on desktop platforms. But what is key pinning…
An update on Chrome Security updates – shipping security fixes to you faster
Posted by Amy Ressler, Chrome Security Team To get security fixes to you faster, starting now in Chrome 116, Chrome is shipping weekly Stable channel updates. Chrome ships a new milestone release every four weeks. In between those major releases,…
Android 14 introduces first-of-its-kind cellular connectivity security features
Posted by Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle Android is the first mobile operating system to introduce advanced cellular security mitigations for both consumers and enterprises. Android 14 introduces support for IT administrators to disable 2G support in…
Downfall and Zenbleed: Googlers helping secure the ecosystem
Tavis Ormandy, Software Engineer and Daniel Moghimi, Senior Research Scientist Finding and mitigating security vulnerabilities is critical to keeping Internet users safe. However, the more complex a system becomes, the harder it is to secure—and that is also the case…
Pixel Binary Transparency: verifiable security for Pixel devices
Jay Hou, Software Engineer, TrustFabric (transparency.dev) Pixel Binary Transparency With Android powering billions of devices, we’ve long put security first. There’s the more visible security features you might interact with regularly, like spam and phishing protection, as well as less…
The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022
Maddie Stone, Security Researcher, Threat Analysis Group (TAG) This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019
The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022
Maddie Stone, Security Researcher, Threat Analysis Group (TAG) This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual…
Supply chain security for Go, Part 3: Shifting left
Julie Qiu, Go Security & Reliability and Jonathan Metzman, Google Open Source Security Team Previously in our Supply chain security for Go series, we covered dependency and vulnerability management tools and how Go ensures package integrity and availability as part…
A look at Chrome’s security review culture
Posted by Alex Gough, Chrome Security Team Security reviewers must develop the confidence and skills to make fast, difficult decisions. A simplistic piece of advice to reviewers is “just be confident” but in reality that takes practice and experience. Confidence…
An important step towards secure and interoperable messaging
Posted by Giles Hogben, Privacy Engineering Director Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform. This is why Google is strongly supportive of…
Gmail client-side encryption: A deep dive
Nicolas Lidzborski, Principal Engineer and Jaishankar Sundararaman, Sr. Director of Engineering, Google Workspace In February, we expanded Google Workspace client-side encryption (CSE) capabilities to include Gmail and Calendar in addition to Drive, Docs, Slides, Sheets
Gmail client-side encryption: A deep dive
Nicolas Lidzborski, Principal Engineer and Jaishankar Sundararaman, Sr. Director of Engineering, Google Workspace In February, we expanded Google Workspace client-side encryption (CSE) capabilities to include Gmail and Calendar in addition to Drive, Docs, Slides, Sheets
Supply chain security for Go, Part 2: Compromised dependencies
Julie Qiu, Go Security & Reliability, and Roger Ng, Google Open Source Security Team “Secure your dependencies”—it’s the new supply chain mantra. With attacks targeting software supply chains sharply rising, open source developers need to monitor and judge the risks…
Google Cloud Awards $313,337 in 2022 VRP Prizes
Anthony Weems, Information Security Engineer 2022 was a successful year for Google’s Vulnerability Reward Programs (VRPs), with over 2,900 security issues identified and fixed, and over $12 million in bounty rewards awarded to researchers. A significant amount of these vulnerability…
Protect and manage browser extensions using Chrome Browser Cloud Management
Posted by Anuj Goyal, Product Manager, Chrome Browser Browser extensions, while offering valuable functionalities, can seem risky to organizations. One major concern is the potential for security vulnerabilities. Poorly designed or malicious extensions could compromise data integrity and expose sensitive…
Bringing Transparency to Confidential Computing with SLSA
Asra Ali, Razieh Behjati, Tiziano Santoro, Software Engineers Every day, personal data, such as location information, images, or text queries are passed between your device and remote, cloud-based services. Your data is encrypted when in transit and at rest, but…
Learnings from kCTF VRP’s 42 Linux kernel exploits submissions
Tamás Koczka, Security Engineer In 2020, we integrated kCTF into Google’s Vulnerability Rewards Program (VRP) to support researchers evaluating the security of Google Kubernetes Engine (GKE) and the underlying Linux kernel. As the Linux kernel is a key component not…
Announcing the Chrome Browser Full Chain Exploit Bonus
Amy Ressler, Chrome Security Team on behalf of the Chrome VRP For 13 years, a key pillar of the Chrome Security ecosystem has included encouraging security researchers to find security vulnerabilities in Chrome browser and report them to us, through…
Adding Chrome Browser Cloud Management remediation actions in Splunk using Alert Actions
Posted by Ashish Pujari, Chrome Security Team Introduction Chrome is trusted by millions of business users as a secure enterprise browser. Organizations can use Chrome Browser Cloud Management to help manage Chrome browsers more effectively. As an admin, they can…
Time to challenge yourself in the 2023 Google CTF!
Vincent Winstead, Technical Program Manager It’s Google CTF time! Get your hacking toolbox ready and prepare your caffeine for rapid intake. The competition kicks off on June 23 2023 6:00 PM UTC and runs through June 25 2023 6:00 PM…
Google Trust Services ACME API available to all users at no cost
David Kluge, Technical Program Manager, and Andy Warner, Product Manager Nobody likes preventable site errors, but they happen disappointingly often. The last thing you want your customers to see is a dreaded ‘Your connection is not private’ error instead of…
Announcing the launch of GUAC v0.1
Brandon Lum and Mihai Maruseac, Google Open Source Security Team Today, we are announcing the launch of the v0.1 version of Graph for Understanding Artifact Composition (GUAC). Introduced at Kubecon 2022 in October, GUAC targets a critical need in the…
How the Chrome Root Program Keeps Users Safe
Posted by Chrome Root Program, Chrome Security Team What is the Chrome Root Program? A root program is one of the foundations for securing connections to websites. The Chrome Root Program was announced in September 2022. If you missed it,…
New Android & Google Device Vulnerability Reward Program Initiatives
Posted by Sarah Jacobus, Vulnerability Rewards Team As technology continues to advance, so do efforts by cybercriminals who look to exploit vulnerabilities in software and devices. This is why at Google and Android, security is a top priority, and we…
$22k awarded to SBFT ‘23 fuzzing competition winners
Dongge Liu, Jonathan Metzman and Oliver Chang, Google Open Source Security Team Google’s Open Source Security Team recently sponsored a fuzzing competition as part of ISCE’s Search-Based and Fuzz Testing (SBFT) Workshop. Our goal was to encourage the development of…
Introducing a new way to buzz for eBPF vulnerabilities
Juan José López Jaimez, Security Researcher and Meador Inge, Security Engineer Today, we are announcing Buzzer, a new eBPF Fuzzing framework that aims to help hardening the Linux Kernel. What is eBPF and how does it verify safety? eBPF is…
I/O 2023: What’s new in Android security and privacy
Posted by Ronnie Falcon, Product Manager Android is built with multiple layers of security and privacy protections to help keep you, your devices, and your data safe. Most importantly, we are committed to transparency, so you can see your device…
Introducing rules_oci
Appu Goundan, Google Open Source Security Team Today, we are announcing the General Availability 1.0 version of rules_oci, an open-sourced Bazel plugin (“ruleset”) that makes it simpler and more secure to build container images with Bazel. This effort was a…
Making authentication faster than ever: passkeys vs. passwords
Silvia Convento, Senior UX Researcher and Court Jacinic, Senior UX Content Designer In recognition of World Password Day 2023, Google announced its next step toward a passwordless future: passkeys. Passkeys are a
So long passwords, thanks for all the phish
By: Arnar Birgisson and Diana K Smetters, Identity Ecosystems and Google Account Security and Safety teams Starting today, you can create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or…
Google and Apple lead initiative for an industry specification to address unwanted tracking
Companies welcome input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking Location-tracking devices help users find personal items like their keys, purse, luggage, and more through crowdsourced finding…
Secure mobile payment transactions enabled by Android Protected Confirmation
Posted by Rae Wang, Director of Product Management (Android Security and Privacy Team) Unlike other mobile OSes, Android is built with a transparent, open-source architecture. We firmly believe that our users and the mobile ecosystem at-large should be able to…
How we fought bad apps and bad actors in 2022
Posted by Anu Yamunan and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Compute Trust and Safety) Keeping Google Play safe for users and developers remains a top priority for Google. Google Play Protect continues to scan billions…
Celebrating SLSA v1.0: securing the software supply chain for everyone
Bob Callaway, Staff Security Engineer, Google Open Source Security team Last week the Open Source Security Foundation (OpenSSF) announced the release of SLSA v1.0, a framework that helps secure the software supply chain. Ten years of using an internal version…
Google Authenticator now supports Google Account synchronization
Christiaan Brand, Group Product Manager
Securely Hosting User Data in Modern Web Applications
Posted by David Dworken, Information Security Engineer, Google Security Team Many web applications need to display user-controlled content. This can be as simple as serving user-uploaded images (e.g. profile photos), or as complex as rendering user-controlled HTML (e.g. a web…
Supply chain security for Go, Part 1: Vulnerability management
Posted by Julie Qiu, Go Security & Reliability and Oliver Chang, Google Open Source Security Team High profile open source vulnerabilities have made it clear that securing the supply chains underpinning modern software is an urgent, yet enormous, undertaking. As…
Announcing the deps.dev API: critical dependency data for secure supply chains
Posted by Jesper Sarnesjo and Nicky Ringland, Google Open Source Security Team Today, we are excited to announce the deps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health…
Thank you and goodbye to the Chrome Cleanup Tool
Posted by Jasika Bawa, Chrome Security Team Starting in Chrome 111 we will begin to turn down the Chrome Cleanup Tool, an application distributed to Chrome users on Windows to help find and remove unwanted software (UwS). Origin story The…
OSV and the Vulnerability Life Cycle
Posted by Oliver Chang and Andrew Pollock, Google Open Source Security Team It is an interesting time for everyone concerned with open source vulnerabilities. The U.S. Executive Order on Improving the Nation’s Cybersecurity requirements for vulnerability disclosure programs and assurances…
Google Trust Services now offers TLS certificates for Google Domains customers
Andy Warner, Google Trust Services, and Carl Krauss, Product Manager, Google Domains We’re excited to announce changes that make getting Google Trust Services TLS certificates easier for Google Domains customers. With this integration, all Google Domains customers will be able…
8 ways to secure Chrome browser for Google Workspace users
Posted by Kiran Nair, Product Manager, Chrome Browser Your journey towards keeping your Google Workspace users and data safe, starts with bringing your Chrome browsers under Cloud Management at no additional cost. Chrome Browser Cloud Management is a single destination…
Our commitment to fighting invalid traffic on Connected TV
Posted by Michael Spaulding, Senior Product Manager, Ad Traffic Quality Connected TV (CTV) has not only transformed the entertainment world, it has also created a vibrant new platform for digital advertising. However, as with any innovative space, there are challenges…
Moving Connected Device Security Standards Forward
Posted by Eugene Liderman, Director of Mobile Security Strategy, Google As Mobile World Congress approaches, we have the opportunity to have deep and meaningful conversations across the industry about the present and future of connected device security. Ahead of the…
Vulnerability Reward Program: 2022 Year in Review
Posted by Sarah Jacobus, Vulnerability Rewards Team It has been another incredible year for the Vulnerability Reward Programs (VRPs) at Google! Working with security researchers throughout 2022, we have been able to identify and fix over 2,900 security issues and…
Hardening Firmware Across the Android Ecosystem
Posted by Roger Piqueras Jover, Ivan Lozano, Sudhi Herle, and Stephan Somogyi, Android Team A modern Android powered smartphone is a complex hardware device: Android OS runs on a multi-core CPU – also called an Application Processor (AP). And the…
The US Government says companies should take more responsibility for cyberattacks. We agree.
Posted by Kent Walker, President, Global Affairs & Chief Legal Officer, Google & Alphabet and Royal Hansen, Vice President of Engineering for Privacy, Safety, and Security Should companies be responsible for cyberattacks? The U.S. government thinks so – and frankly,…
Taking the next step: OSS-Fuzz in 2023
Posted by Oliver Chang, OSS-Fuzz team Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we’re happy to announce an expansion of our OSS-Fuzz Rewards…
Taking the next step: OSS-Fuzz in 2023
Posted by Oliver Chang, OSS-Fuzz team Since launching in 2016, Google’s free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we’re happy to announce an expansion of our OSS-Fuzz Rewards…
Sustaining Digital Certificate Security – TrustCor Certificate Distrust
Posted by Chrome Root Program, Chrome Security Team Note: This post is a follow-up to discussions carried out on the Mozilla “Dev Security Policy” Web PKI public discussion forum Google Group in December 2022. Google Chrome communicated its distrust of…
Supporting the Use of Rust in the Chromium Project
Posted by Dana Jansens (she/her), Chrome Security Team We are pleased to announce that moving forward, the Chromium project is going to support the use of third-party Rust libraries from C++ in Chromium. To do so, we are now actively…
Enhanced Protection – The strongest level of Safe Browsing protection Google Chrome has to offer
Posted by Benjamin Ackerman, Chrome Security and Jonathan Li, Safe Browsing As a follow-up to a previous blog post about How Hash-Based Safe Browsing Works in Google Chrome, we wanted to provide more details about Safe Browsing’s Enhanced Protection mode…
Trust in transparency: Private Compute Core
Posted by Dave Kleidermacher, Dianne Hackborn, and Eugenio Marchiori We care deeply about privacy. We also know that trust is built by transparency. This blog, and the technical paper reference within, is an example of that commitment: we describe an…
Enhanced Protection – The strongest level of Safe Browsing protection Google Chrome has to offer
Posted by Benjamin Ackerman (Chrome Security and Jonathan Li (Safe Browsing) As a follow-up to a previous blog post about How Hash-Based Safe Browsing Works in Google Chrome, we wanted to provide more details about Safe Browsing’s Enhanced Protection mode…
How to SLSA Part 1 – The Basics
Posted by Tom Hennen, Software Engineer, BCID & GOSST One of the great benefits of SLSA (Supply-chain Levels for Software Artifacts) is its flexibility. As an open source framework designed to improve the integrity of software packages and infrastructure, it…
The Package Analysis Project: Scalable detection of malicious open source packages
Posted by Caleb Brown, Open Source Security Team Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike…
Memory Safe Languages in Android 13
Posted by Jeffrey Vander Stoep For more than a decade, memory safety vulnerabilities have consistently represented more than 65% of vulnerabilities across products, and across the industry. On Android, we’re now seeing something different – a significant drop in memory…
Use-after-freedom: MiraclePtr
Posted by Adrian Taylor, Bartek Nowierski and Kentaro Hara on behalf of the MiraclePtr team Memory safety bugs are the most numerous category of Chrome security issues and we’re continuing to investigate many solutions – both in C++ and in…
Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically
Posted by Jonathan Metzman, Dongge Liu and Oliver Chang, Google Open Source Security Team Recently, OSS-Fuzz—our community fuzzing service that regularly checks 700 critical open source projects for bugs—detected a serious vulnerability (CVE-2022-3008): a bug in the TinyGLTF project that…
Announcing Google’s Open Source Software Vulnerability Rewards Program
Posted by Francis Perron, Open Source Security Technical Program Manager Today, we are launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such…
Announcing the Open Sourcing of Paranoid’s Library
Posted by Pedro Barbosa, Security Engineer, and Daniel Bleichenbacher, Software Engineer Paranoid is a project to detect well-known weaknesses in large amounts of crypto artifacts, like public keys and digital signatures. On August 3rd 2022 we open sourced the library containing…
Making Linux Kernel Exploit Cooking Harder
Posted by Eduardo Vela, Exploit Critic Cover of the medieval cookbook. Title in large letters kernel Exploits. Adorned. Featuring a small penguin. 15th century. Color. High quality picture. Private collection. Detailed. The Linux kernel is a key component for the…
How Hash-Based Safe Browsing Works in Google Chrome
By Rohit Bhatia, Mollie Bates, Google Chrome Security There are various threats a user faces when browsing the web. Users may be tricked into sharing sensitive information like their passwords with a misleading or fake website, also called phishing. They…
DNS-over-HTTP/3 in Android
Posted by Matthew Mauer and Mike Yu, Android team To help keep Android users’ DNS queries private, Android supports encrypted DNS. In addition to existing support for DNS-over-TLS, Android now supports DNS-over-HTTP/3 which has a number of improvements over DNS-over-TLS.…