Nasko Oskov

Making inroads into memory safety, one step at a time - developer.chrome.com/blog/memory-sa…

We are looking for an Android security expert to join our team and work on securing Chrome on Andoird. Job posting is available at google.com/about/careers/…, but also feel free to reach out to me directly.

2024Q3 update from @googlechrome security: #q3-2024" target="_blank" rel="nofollow noopener">chromium.org/Home/chromium-…

On DAV1D and fuzzing googleprojectzero.blogspot.com/2024/10/effect…

Great post by @quidity on attacks and mitigations.

@jduck @amyexp Have you tried maybe doing the same with "Rust" as the search term? Grepping for just one specific term might not reveal the full picture.

@nasko @amyexp Running `target/release/split-quarters ../index.html` [*] Let's check "memory safe" mentions [*] Read 396158 bytes q2-2024: 0 mentions q1-2024: 2 mentions q4-2023: 3 mentions q3-2023: 0 mentions q2-2023: 1 mentions q1-2023: 2 mentions q4-2022: 1 mentions q3-2022: 0 mentions

@jduck @argvee @ivansprundel We would all love to have protections! We can't always have them. Mitigations which increase attacker cost or significantly decrease probability of successful exploitation are worthwhile deploying when you don't have luxury of rewriting all the code in reasonable time.

@argvee @ivansprundel So are we considering MiraclePtr protection as memory safety?? I don't think it works that way. I'd like to see more like "we replaced v8 with a memory safe js engine" or "privilege process X is entirely written in memory safe language".

Chrome VRP increasing payouts for some types of bugs, as memory corruption bugs become harder. 💪💪

@jduck @argvee @ivansprundel If a JS engine security bug is in the JIT code it produces, what difference does it make what language the engine is written in? Entire process written in memory safe language is an awesome goal, but with millions lines of code, it does not happen overnight.

@jduck @amyexp Just because press rooms have more time and incentive to write about the bugs than engineers have time to write about their work, does not mean it is not happening. Have you seen our quarterly updates? chromium.org/Home/chromium-…

@nasko @amyexp I guess we don't get to hear about that stuff enough. I only hear "yet another 0day exploited in the wild". IMHO that's the story so frequently that something much more drastic is warranted than bug bounties or mitigations. Happy to chat tho

@jduck @amyexp Are you suggesting that our VRP is the only security strategy we have in our arsenal? I wonder what gives the impression that we aren't serious about security. Happy to chat more if you are up for a constructive conversation.

@amyexp @nasko No offense but I don't think offering more money is a security strategy. Maybe it's time to get serious?? I would bet several groups have chrome zero day stockpiled up to 10 deep

📢 Chrome VRP reward updates! 💰 Bigger payouts (up to 5x higher, $250,000+) and clearer guidelines, all designed to incentivize high-quality Chrome security research. Let's work together to make Chrome even safer! 🔐 bughunters.google.com/blog/530204429…

@CrispinCowan0 @PittaMan @davetamasi @adamshostack @osterman @selfissued @reybango @tanawts @vincentzimmer @rmhrisk @FritzSands @dhw @datSecuritychic @m3ch3l3 @m0thran @pongolyn @VirtualChrista @koronkowy @jerickso @jaybeale Darn it, I won't be around at that time 😞 one of these days I'll be able to make it.

@PittaMan @'ing you because I like you and want to see you 😎🍻 @davetamasi @adamshostack @osterman @selfissued @reybango @tanawts @vincentzimmer @rmhrisk @FritzSands @dhw @datSecuritychic @m3ch3l3 @m0thran @nasko @pongolyn @VirtualChrista @koronkowy @jerickso @jaybeale

#immune compromised Nancy out of town, it is again party time! Beer, grilling, cigars on the patio by the fire. Saturday July 6th, from 2pm until tired of it. Special this year, @PittaMan from the WY IoT startup that never happened is flying in. Bring a friend, DM for directions

This morning, I read about Satya Nadella’s latest memo, which emphasizes Microsoft’s new priority: security above all. The memo introduces a policy linking senior leadership compensation to the achievement of "security plans and milestones." I see this as a commendable step forward for Microsoft but more will be needed if they are to get back to being a security leader. Some thoughts here: unmitigatedrisk.com/?p=793

Unpopular opinion: companies doing an about-face to focus only on AI while abandoning existing products will regret that decision.

Here's what we've been doing in @googlechrome security in the first three months of this year: chromium.org/Home/chromium-…

I published a step by step guide on using Windows event logs to hunt for malware trying to steal sensitive data from browsers e.g. cookies, passwords etc. security.googleblog.com/2024/04/detect… #DFIR Hope it's useful!

Big day for the V8 Sandbox: * Now included in the Chrome VRP: #v8-sandbox-bypass-rewards" target="_blank" rel="nofollow noopener">g.co/chrome/vrp/#v8… * Motivation & goals discussed in a new technical blog post: v8.dev/blog/sandbox If there is ever a Sandbox "beta" release, this is it!

@rakyll This is not just distributed systems. Client-side apps suffer from "more features - more failure modes" as well. At least we don't usually do cascading failures, I guess? ;)