2026-06-10T00:55:45Z https://yabu.me jeffvanderstoep https://yabu.me/npub1aw8l0s85w9mhef4kv7hxzkc9dcfuhc8526egseldka5hr72clm3qqlz2wr https://media.infosec.exchange/infosec.exchange/accounts/avatars/109/296/073/397/726/746/original/5a70eb128f7dc157.jpg https://media.infosec.exchange/infosec.exchange/accounts/avatars/109/296/073/397/726/746/original/5a70eb128f7dc157.jpg https://yabu.me/nevent1qqszuxpz4kkqep63wclxwlvl7vkejum9rnjemmyyk4rx3xwef2d7p9szyr4cla7q73chwl9xken6uc2mq4hp8jlq73tt9zr8akmkju0etrlwy96nv22 In reply to <a href='/nevent1qqsfs342p2fvmtfar4zfjy6ewahjh746rgs86nqfr80rg5xm3qk0qsqd4md93'>nevent1q…md93</a><br/>_________________________<br/><br/>One of my coworkers listened in and had some interesting takeaways:<br/><br/>1. The practicality of the Android team in tackling a problem: working incrementally right away without trying to solve for everything, and how that&#39;s almost always the right approach when you&#39;re doing big changes like this.<br/>2. The shift away from being attacker focused: how that&#39;s applicable to more of security than just memory safety. I.e., don&#39;t focus on making the attacker&#39;s life harder by constraining yourself to their playing field, but rather focus on making the defender&#39;s life easier by focusing on the things that we control<br/>3. It&#39;s more expensive to clean up a mess than to prevent the mess: It doesn&#39;t follow directly from the blogpost, but it&#39;s essentially the difference between &#34;build something in a MSL&#34; (developer-focused) or &#34;build something in an unsafe language, and go and tack on a bunch of mitigations afterwards&#34; (attacker-focused) 2024-10-17T15:10:28Z https://yabu.me/nevent1qqsfs342p2fvmtfar4zfjy6ewahjh746rgs86nqfr80rg5xm3qk0qsqzyr4cla7q73chwl9xken6uc2mq4hp8jlq73tt9zr8akmkju0etrlwy325teu I joined <span itemprop="mentions" itemscope itemtype="https://schema.org/Person"><a itemprop="url" href="/npub1s92qwp35dcz3lgka00kqhtu6zmgvgq6ethcqueqyrjnlrrygegfqaygcnc" class="bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1"><span>Deirdre Connolly¹</span> (<span class="italic">npub1s92…gcnc</span>)</a></span> and <span itemprop="mentions" itemscope itemtype="https://schema.org/Person"><a itemprop="url" href="/npub185664zle47ve9zfaf66x45245u8v9wg867fgh32t2yfwl2rjw4nq7j64fe" class="bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1"><span>Thomas H. Ptacek</span> (<span class="italic">npub1856…64fe</span>)</a></span> on the Security Cryptography Whatever podcast to talk about our latest blogpost:<br/><br/><a href="https://securitycryptographywhatever.com/2024/10/15/a-little-bit-of-rust-goes-a-long-way/">https://securitycryptographywhatever.com/2024/10/15/a-little-bit-of-rust-goes-a-long-way/</a><br/><a href="https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html">https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html</a><br/><br/>Something that Thomas said in the podcast really stood out to me. He said “the blog post undersells it. …. This is a lot more interesting than it looks like on the tin.”<br/><br/>I agree with this. It feels like we discovered a game-changer not just in memory safety, but in security more generally - that doing something very practical results in major security improvements for non-obvious reasons. Focusing on new code is disproportionately effective, exponentially. <br/><br/>Thomas also said “And that observation about the half life of vulnerabilities, if that’s true, says something pretty profound about what the work looks like to shift to a memory safe future.”<br/><br/>Or as Deidre said: “You can get really big bang for your buck, which is if you have something new, just write it in the Rust or another memory safe language and make it interop with the rest of your project and you will in fact, get really good returns on mitigating your memory safe vulnerabilities, which is the majority of your vulnerabilities, period.”<br/><br/>Agreed. We’re already prioritizing differently based on this data. It was a fun conversation, and we believe that it applies to a lot more than just memory safety. 2024-10-17T15:05:30Z https://yabu.me/nevent1qqsv66p2eknvw9xnyv52awe4wnarurz68flvnh7gaksy2sqnazcumrczyr4cla7q73chwl9xken6uc2mq4hp8jlq73tt9zr8akmkju0etrlwyuz6r2j In reply to <a href='/nevent1qqs8mk0jcds3jsxmgm6zut98l398wuuumg99c0rz4ju449lgdp650nqfh0jwj'>nevent1q…0jwj</a><br/>_________________________<br/><br/>Why? It&#39;s consistent across all projects that the cited &#34;large scale&#34; study analyzed. It&#39;s also consistent when we looked at Android, which was not part of the study. When we change the behavior of development within Android, the result matched what we would expect based on the half-life metric.<br/><br/>When you look at studies that analyze how this works from the opposite angle &#34;how much does it cost to find the next vulnerability in the same codebase?&#34; you&#39;ll see a similar result. E.g. &#34;On the Exponential Cost of Vulnerability Discovery&#34; <a href="https://mboehme.github.io/paper/FSE20.EmpiricalLaw.pdf">https://mboehme.github.io/paper/FSE20.EmpiricalLaw.pdf</a><br/><br/>There&#39;s a finite number of vulnerabilities within a code base. As the density drops, the cost of finding the next vulnerability will rise. 2024-09-27T18:57:50Z https://yabu.me/nevent1qqsqwzdjc8u9k752gekd0csgsnhs0e5j9dqpr449y2dp6e4f3cljyzgzyr4cla7q73chwl9xken6uc2mq4hp8jlq73tt9zr8akmkju0etrlwyk0dj42 I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why.<br/><br/><a href="https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html">https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html</a> 2024-09-25T17:03:12Z