Google Online Security Blog

Mitigating Spectre with Site Isolation in Chrome

July 11, 2018

Posted by Charlie Reis, Site IsolatorSite IsolationWhat is Spectre?
speculative execution side-channel attacksadditional variant of Spectredeployed some mitigationsmost effective mitigationWhat is Site Isolation?
Site Isolationmulti-process architectureout-of-process iframespursuing this for several yearsimprove the Chrome extension security model

A single page may now be split across multiple renderer processes using out-of-process iframes.

Cross-Origin Read BlockingFetch specweb developers should check that their resources are served with the right MIME type and with the nosniff response headerknown issuesHow does Site Isolation help?
What additional work is in progress?
original motivating goalsHelp improve Site Isolation!
Chrome Vulnerability Reward ProgramChrome New Feature Special Rewards

Compiler-based security mitigations in Android P

June 27, 2018

Posted by Ivan Lozano, Information Security Engineer[Cross-posted from the Android Developers Blog] Control Flow Integritycounterfeit-object-orientedreturn-oriented

Figure 1. Assembly-level comparison of a virtual function call with and without CFI enabled. Figure 1Link-Time Optimization (LTO)LLVM design documentationenabled by defaultCFI kernel support Integer Overflow Sanitizationhardening the media stackfewerinstructionsunnecessarychecks

libui

libnl

libmediaplayerservice

libexif

libdrmclearkeyplugin

libreverbwrapper

Future PlansAndroid Open Source ProjectAcknowledgements: This post was developed in joint collaboration with Vishwath Mohan, Jeffrey Vander Stoep, Joel Galenson, and Sami Tolvanen

Better Biometrics in Android P

June 21, 2018

Posted by Vishwath Mohan, Security Engineer[Cross-posted from the Android Developers Blog]Knowledgepossessionbiometric

shoulder surfing

Defining a better model to measure biometric security, and using that to functionally constrain weaker authentication methods.

Providing a common platform-provided entry point for developers to integrate biometric authentication into their apps.

A better security model for biometricsintroduced two new metrics Strong vs. Weak BiometricsSAR/IAR metrics

require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity, such as when left at a desk or charger. This is in addition to the 72-hour timeout that is enforced for both strong and weak biometrics.

are not supported by the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way.

can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key.

must show users a warning that articulates the risks of using the biometric before it can be enabled.

BiometricPrompt APIBiometricPrompt API

ConclusionAcknowledgements: This post was developed in joint collaboration with Jim Miller

End-to-end encryption for push messaging, simplified

June 5, 2018

[Cross-posted from the Android Developers Blog]adviseCapillary open source libraryFile-Based EncryptionAndroid Keystoreuser authentication

Crypto functionality and key management across all versions of Android back to KitKat (API level 19).

Key generation and registration workflows.

Message encryption (on the server) and decryption (on the client).

Integrity protection to prevent message modification.

Caching of messages received in unauthenticated contexts to be decrypted and displayed upon device unlock.

Edge-cases, such as users adding/resetting device lock after installing the app, users resetting app storage, etc.

Web Push encryption What it's not

The open source library and demo app are not designed to support peer-to-peer messaging and key exchange. They are designed for developers to send E2E-encrypted push messages from a server to one or more devices. You can protect messages between the developer's server and the destination device, but not directly between devices.

It is not a comprehensive server-side solution. While core crypto functionality is provided, developers will need to adapt parts of the sample server-side code that are specific to their architecture (for example, message composition, database storage for public keys, etc.)

here

Insider attack resistance

June 1, 2018

Posted by Shawn Willden, Staff Software Engineer[Cross-posted from the Android Developers Blog]external researchersprotect the encryption keys in secure hardwareGoogle Pixel 2 devicesinsider attack resistanceAcknowledgements: This post was developed in joint collaboration with Paul Crowley, Senior Software Engineer

Keeping 2 billion Android devices safe with machine learning

May 24, 2018

Posted by Sai Deep Tetali, Software Engineer, Google Play Protect[Cross-posted from the Android Developers Blog]Google Play Protect Security at scale

Training our machines

malicious behavior

Doubling down on securitysecurity experts and researchersPlay ProtectAcknowledgements: This work was developed in joint collaboration with Google Play Protect, Safe Browsing and Play Abuse teams with contributions from Andrew Ahn, Hrishikesh Aradhye, Daniel Bali, Hongji Bao, Yajie Hu, Arthur Kaiser, Elena Kovakina, Salvador Mandujano, Melinda Miller, Rahul Mishra, Damien Octeau, Sebastian Porst, Chuangang Ren, Monirul Sharif, Sri Somanchi, Sai Deep Tetali, Zhikun Wang, and Mo Yu.

Google CTF 2018 is here

May 8, 2018

Posted by Jan Keller, Security TPMGoogle CTF 2017

Congratulations (for the second year) to the team pasten, from Israel, for scoring first place in both the quals and the finals. Also, for everyone who hasn’t played yet or wants to play again, we have open-sourced the 2017 challenges in our GitHub repository.

Hence, we are excited to announce Google CTF 2018:

Date and time: 00:00:01 UTC on June 23th and 24th, 2018
Location: Online
Prizes: Big checks, swag and rewards for creative write-ups

The winning teams will compete again for a spot at the Google CTF Finals later this year (more details on the Finals soon).

For beginners and veterans alike
Based on the feedback we received, we plan to have additional challenges this year where people that may be new to CTFs or security can learn about, and try their hands at, some security challenges. These will be presented in a “Quest” style where there will be a scenario similar to a real world penetration testing environment. We hope that this will give people a chance to sharpen their skills, learn something new about CTFs and security, while allowing them to see a real world value to information security and its broader impact.
We hope to virtually see you at the 3rd annual Google CTF on June 23rd 2018 at 00:00:01 UTC. Check g.co/ctf, or subscribe to our mailing list for more details, as they become available.

Why do we host these competitions?
We outlined our philosophy last year, but in short: we believe that the security community helps us better protect Google users, and so we want to nurture the community and give back in a fun way.
Thirsty for more?
There are a lot of opportunities for you to help us make the Internet a safer place:

Our Vulnerability Rewards Program: Report vulnerabilities in our infrastructure and get rewarded
(AutoFuzz) Patch Rewards Program: Fix vulnerabilities in open-source software to build your reputation and make an impact in the security community
Vulnerability Research Grants Program: Apply for a research grant to extensively test a component of our infrastructure at your own pace.

Leveraging AI to protect our users and the web

April 20, 2018

Posted by Elie Bursztein, Anti-Abuse Research Lead - Ian Goodfellow, Adversarial Machine Learning Research Leadfirst talksecond talkre-recordingthe slidesslides

DNS over TLS support in Android P Developer Preview

April 17, 2018

Posted by Erik Kline, Android software engineer, and Ben Schwartz, Jigsaw software engineer[Cross-posted from the Android Developers Blog]DNSIETFRFC 7858DNS over TLS in P

community-maintained listLinkProperties.isPrivateDnsActive()

Protecting users with TLS by default in Android P

April 12, 2018

Posted by Chad Brubaker, Senior Software Engineer Android Security[Cross-posted from the Android Developers Blog]announcedandroid:usesCleartextTrafficNetwork Security ConfigHow do I update my app?
Why should I use TLS?
blog postDeveloper Summit talkIsn't TLS slow?
No, it's not.How do I use TLS in my app?
SSLSocketFactorySocketFactorySSLSocketgetDefaultHostnameVerifier()HostnameVerifier.verify()I need to use cleartext traffic to
network security configAllow cleartext connections to a specific domain
<network-security-config> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">insecure.example.com</domain> <domain includeSubdomains="true">insecure.cdn.example.com</domain> </domain-config> </network-security-config>Allow connections to arbitrary insecure domains
<network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">example.com</domain> <domain includeSubdomains="true">cdn.example2.com</domain> </domain-config> <base-config cleartextTrafficPermitted="true" /> </network-security-config>
How do I update my library?isCleartextTrafficPermitted

Security Blog

Mitigating Spectre with Site Isolation in Chrome

Compiler-based security mitigations in Android P

Better Biometrics in Android P

End-to-end encryption for push messaging, simplified

Insider attack resistance

Keeping 2 billion Android devices safe with machine learning

Google CTF 2018 is here

Leveraging AI to protect our users and the web

DNS over TLS support in Android P Developer Preview

Protecting users with TLS by default in Android P

Labels

Archive

Feed

Company-wide

Products

Developers