Alex Rebert @ayper

Security @ Google. Previously co-founder of @ForAllSecure. Opinions here are my own. @ayper@infosec.exchange

 Pittsburgh
Joined August 2008
We're joining forces with industry & academia to call for memory safety standardization: security.googleblog.com/2025…. It's a recognition that memory unsafety is no longer a niche technical problem but a societal one, impacting everything from national security to personal privacy.

Securing tomorrow's software: the need for memory safety standards

Posted by Alex Rebert, Security Foundations, Ben Laurie, Research, Murali Vijayaraghavan, Research and Alex Richardson, Silicon For decades,...

security.googleblog.com
2
16
1
63
🛡️Want to help make the open source world safer and earn up to $45k 💰? We've revamped our Patch Rewards Program, extending its scope and increasing rewards for security patches – with a particular focus on memory safety, including bonus multipliers! bughunters.google.com/blog/5…

Blog: Level Up Your Open Source Karma (And Your Wallet) by Improving Security

This blog post takes you through everything you need to know about the Patch Rewards Program, including our newly introduced focus on memory safety (including reward multipliers!), recently increased...

bughunters.google.com
30
2
148
Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲 Discover how Google's security teams turn employee farewells into security tests. bughunters.google.com/blog/6…

Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and...

The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog...

bughunters.google.com
31
5
109
Alex Rebert retweeted
Kinuko Yasuda @kinu
16 Nov 2024
Bounds-checking in C++: so people ask if the .3% overhead is real. It's not just a benchmark result, we got this through our Google-Wide profiling, that gives us the live insights from DCs. This surprised us too as it was much cheaper than we thought research.google/pubs/google-…

Google-Wide Profiling: A Continuous Profiling Infrastructure for Data Centers

research.google
Alex Rebert @ayper
15 Nov 2024
Excited to share our latest post on memory safety! We're tackling spatial safety in our massive C++ codebase by hardening libc++ *by default*. It adds bounds checks to things like std::vector, preventing a fair bit of out-of-bounds vulnerabilities: security.googleblog.com/2024…
1
14
1
26
The best part? It's incredibly cost-effective, with an average performance overhead of just 0.30%.  So there's really no reason not to do it if you're running C++ code :)
1
2
2
26
This improves spatial memory safety across Google's services, including performance-critical components of Search, Gmail, Drive, YouTube, and Maps.  We've already seen it disrupt a red team exercise, reduce segfaults by 30%, and improve code correctness.
2
5
43
Excited to share our latest post on memory safety! We're tackling spatial safety in our massive C++ codebase by hardening libc++ *by default*. It adds bounds checks to things like std::vector, preventing a fair bit of out-of-bounds vulnerabilities: security.googleblog.com/2024…

Retrofitting spatial safety to hundreds of millions of lines of C++

Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasuda, Core Developer Attackers regularly exploit spatial mem...

security.googleblog.com
2
50
5
250
Alex Rebert retweeted
Lukas Weichselbaum @we1x
22 Oct 2024
The dedication and hard work has payed off: "for hundreds of complex web applications that are built on Google’s hardened and safe-by-design frameworks, we've averaged less than one XSS report per year in total" (see page 9 of the whitepaper).
Heather Adkins - Ꜻ - Spes consilium non est
 @argvee
22 Oct 2024
Secure by design takes dedication and years of hard work to get the balance right between velocity and safety. Read a bit about @Google’s commitment and journey in our new white paper. Humbled to work with the professionals that make this happen everyday. blog.google/technology/safet…
3
6
1
28
Percentage of codebase that's memory-safe 📈, memory-safety vulns 📉, EVEN IF YOU KEEP ADDING LINES OF C 🤯
Security Cryptography Whatever @SCWpod
15 Oct 2024
NEW EPISODE! You may not be rewriting the world in Rust, but if you walk like the Android team, you'll drive down your memory-unsafety vulnerabilities more than 2X below the industry average over time! 🎉 securitycryptographywhatever… piped.video/WL4CgVI6p9g
1
3
1
9
Excited to share Google's memory safety strategy! We're working to build safer software by migrating to memory-safe languages like Rust as well as hardening our existing C++: security.googleblog.com/2024…. We'll be sharing more details in upcoming posts.

Safer with Google: Advancing Memory Safety

Posted by Alex Rebert, Security Foundations, and Chandler Carruth, Jen Engel, Andy Qin, Core Developers Error-prone interactions between ...

security.googleblog.com
3
72
2
237
Google CVR is doing incredible vulnerability research.
Anthony Weems @amlweems
4 Oct 2024
Learn how Google CVR could have potentially exfiltrated Gemini 1.0 Pro before launch last year. We describe the vulnz, the fix, and tips for bughunters. Also, shout-out to @epereiralopez for teaming up to adapt this work to another cloud provider. bughunters.google.com/blog/5…
5
Alex Rebert retweeted
tylerni7 @tylerni7
24 Sep 2024
Released a blog about our @theori_io AIxCC experience! medium.com/@sa-blog/winning-… @tjbecker_ and I were hoping to have more info about other challenges, but they aren't released, so some of the information is a bit limited. Still, hope folks can enjoy reading it!

Winning the AIxCC Qualification Round

In August, Theori’s CTF team, as part of the Maple Mallard Magistrates, won Defcon CTF for the 3rd year in a row–the first team ever to do…

medium.com
19
1
62
The drop in Android's memory safety vulnerabilities is astonishing. It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.
Jeff Vander Stoep @jeffvanderstoep
25 Sep 2024
I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why. security.googleblog.com/2024…
2
3
1
35
Alex Rebert retweeted
Anthony Weems @amlweems
10 Sep 2024
Excited to share this blog post about server-side memory corruption that my team exploited in production. Shout-out to @scannell_simon, @epereiralopez, and @thatjiaozi - this was a very fun project. :-) bughunters.google.com/blog/6…

Blog: CVR: The Mines of Kakadûm

In this document, Google's Cloud Vulnerability Research team (CVR) presents vulnerabilities in a third-party JPEG 2000 image library called Kakadu. Exploiting memory corruption vulnerabilities...

bughunters.google.com
40
1
152
Alex Rebert retweeted
Royal Hansen @royalhansen
6 Mar 2024
"just as our efforts to eliminate XSS attacks through tooling showed, removing large classes of exploits both directly benefits consumers of software and allows us to move our focus to addressing further classes of security vulnerabilities." security.googleblog.com/2024…

Secure by Design: Google’s Perspective on Memory Safety

Alex Rebert, Software Engineer, Christoph Kern, Principal Engineer, Security Foundations Google’s Project Zero reports that memory safety v...

security.googleblog.com
1
3
21
Alex Rebert retweeted
Royal Hansen @royalhansen
4 Mar 2024
Today I spoke on the importance of Secure by Design on behalf of @Google alongside @CISAgov @FDD @VenableLLP & more. We also launched a paper on @Google's approach to Secure by Design & published on how it can be applied to address memory safety vulns: blog.google/technology/safet…

Tackling cybersecurity vulnerabilities through Secure by Design

Our new report — Secure by Design at Google — outlines our principles and approaches for strengthening security through design.

blog.google
18
42
Ever struggle with C++ buffer issues? Spatial Safety is one of the main root causes for in-the-wild exploits! Read more about how we piloted the LLVM proposal for C++ Buffer Hardening here: bughunters.google.com/blog/6…

Blog: LLVM's 'RFC: C++ Buffer Hardening' at Google

In this blog post, we're sharing how we evaluated LLVM's proposed approach at Google, outlining our initial conclusions from this process, sharing useful adoption tips, and pointing to the next steps...

bughunters.google.com
33
1
137
Alex Rebert retweeted
cje
 @caseyjohnellis
10 Aug 2023
this is a big one… if you have opinions on this, make sure that they are heard 👀 Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages | ONCD | The White House m.cje.io/3s2Xz6t
1
16
2
37
Alex Rebert retweeted
Perri Adams
 @perribus
9 Aug 2023
I’m excited to announce the AI Cyber Challenge, a major, two-year @DARPA competition challenging the best and the brightest in cybersecurity and AI to secure the systems on which all American rely. aicyberchallenge.com
5
82
12
260
Announced at the #BlackHat keynote: @Google, @OpenAI, @Anthropic, and @Microsoft will collaborate with @DARPA for its AI Cyber Challenge – a 2-year competition aimed at driving innovation at the nexus of AI and cybersecurity. Read more here: whitehouse.gov/briefing-room…
10
31
Load more