Can we translate all C to Rust? The susceptibility of C to memory corruption has long been a cybersecurity pain point, and coding agents can free us of it. Read on for my recent experiments in this space, and apt & docker repos that you can pull Rust-converted libraries from!
Hardening the C++ Standard Library at massive scale. A look at increasing memory safety with libc++ hardening — a collaborative paper from engineers at Apple and Google. The results have been impressive: at Google the team discovered and fixed 1000+ bugs as hardening was enabled. https://t.co/7kxWdfq2dD
We're joining forces with industry & academia to call for memory safety standardization: https://t.co/UOVODzi0RZ. It's a recognition that memory unsafety is no longer a niche technical problem but a societal one, impacting everything from national security to personal privacy.
🛡️ Want to help make the open source world safer and earn up to $45k 💰?
We've revamped our Patch Rewards Program, extending its scope and increasing rewards for security patches – with a particular focus on memory safety, including bonus multipliers!
https://t.co/pUiYgTRdsA
Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲
Discover how Google's security teams turn employee farewells into security tests.
https://t.co/Mapn7Nrs78
Excited to share our latest post on memory safety! We're tackling spatial safety in our massive C++ codebase by hardening libc++ *by default*. It adds bounds checks to things like std::vector, preventing a fair bit of out-of-bounds vulnerabilities: https://t.co/Dek3jJaTxn
Bounds-checking in C++: so people ask if the .3% overhead is real. It's not just a benchmark result; we got this through our Google-wide profiling, which gives us the live insights from DCs. This surprised us too, as it was much cheaper than we thought.
https://t.co/zBUvoYzGi1
@seanbax That's right! Hardening does a few more things than just bounds checking: empty optional checks, sanity checks on sizes, sort ... I'm not aware of a comprehensive list -- I usually grep for the 2 enabled libc++ macros defined in https://t.co/zuxcMG2Psy
The best part? It's incredibly cost-effective, with an average performance overhead of just 0.30%. So there's really no reason not to do it if you're running C++ code :)
This improves spatial memory safety across Google's services, including performance-critical components of Search, Gmail, Drive, YouTube, and Maps. We've already seen it disrupt a red team exercise, reduce segfaults by 30%, and improve code correctness.
The dedication and hard work has paid off: "for hundreds of complex web applications that are built on Google’s hardened and safe-by-design frameworks, we've averaged less than one XSS report per year in total" (see page 9 of the whitepaper).
Excited to share Google's memory safety strategy! We're working to build safer software by migrating to memory-safe languages like Rust as well as hardening our existing C++: https://t.co/UdmcghPhbO.
We'll be sharing more details in upcoming posts.
Learn how Google CVR could have potentially exfiltrated Gemini 1.0 Pro before launch last year. We describe the vulnz, the fix, and tips for bughunters. Also, shout-out to @epereiralopez for teaming up to adapt this work to another cloud provider.
https://t.co/65PY5o3mtV
@lauriewired Our team at Google just published a blog post with related findings on the half-life of vulnerabilities and how prioritizing safety in new code can dramatically improve overall security: https://t.co/psyHZAsD0A
@sephr The simulated results, which closely match the empirical data in Android, did not assume any prioritization.
So prioritization does not appear to explain the effectiveness of this strategy, although it may explain why the Android results outperformed the simulation.
The drop in Android's memory safety vulnerabilities is astonishing. It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.
I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why.
https://t.co/cBc3gMLzO6
@sephr Because the risk reduction far outweighs what one would expect from the % of memory-safe code. Android has *more* memory-unsafe code than it did in 2019, and yet, it has almost an order of magnitude fewer memory safety vulns.