The browser boss, the princess of security, the den mom to Project Zero. Introducing Parisa Tabriz sounds like hyping a championship boxer.
Tabriz’s titles, responsibility and resume make her an undisputed heavyweight on the security circuit: She directs engineering for Google Chrome, which is essentially a fight between the web’s most popular browser and an internet full of threats.
She’s one of the driving forces behind the decades-long effort to move the web ecosystem to secure transport. On top of that, she’s in charge over at Google’s Project Zero, a notorious four-year-old team of security analysts churning out public zero-day vulnerability reports at dizzying speeds.
CyberScoop: A conversation about browser security has to touch on how Chrome patches faster than any of its competitors. How does that happen?
Parisa Tabriz: That’s something I’m really proud of. There’s not a simple one-sentence answer, but one of the things Chrome has invested in since day zero is being able to automatically update users and to be able to really build, test and release very quickly. Since the beginning, Chrome has had the ability to automatically update users. We also have a very quick release cycle. We release a milestone about every six weeks and we have multiple different Chrome release branches that end up getting promoted. The simple way to say it is, being able to launch and iterate quickly was built into how we developed Chrome from the start. I think in general software has to evolve to be way more agile. Historically there was the waterfall model where you would have stages and assume you fixed the bugs and could release and then not do anything for six months or twelve months. There’s a recognition now that software is really complicated, humans make mistakes, there will be bugs. Part of your security strategy has to be, how fast can you respond?
A couple of things we’ve invested in with Chrome are, for one, fuzzing. We have thousands of computer cores that will fuzz the latest version of Chrome. Fuzzing is a type of security testing where you essentially throw random input at a program to try to get it to crash. If you get it to crash, then what you’ve done is hit a bug, and you know some of those bugs will have security consequences. We’ve invested a ton in fuzzing and built out this infrastructure so we catch bugs very soon after they’re inadvertently introduced by engineers. We can point to the engineer and say, you introduced this code change that resulted in Chrome crashing. Fix the bug. Because it’s so soon, it’s easy for a developer to fix.
CS: The way Chrome specifically has approached defending high-risk users is really interesting. Chrome fits in specifically because of, for instance, the way the browser has taken to security keys, which Safari does not support. How do you approach the problem of security for the journalist, the politician, the dissident?
PT: I think Chrome is the window to the web for billions of people. That means you have to protect against the diversity of threats a billion people face. Part of Chrome is how do we create safe defaults but also controls for users that have different needs?
I manage Project Zero as well. That’s a team that really focuses on the targeted user. In particular, their mission is making zero-days hard, because there’s a recognition that zero-days today are used by nation-states and large criminal organizations and are really targeting individuals. There haven’t been dedicated resources on the defensive side to actually try to understand those exploitation techniques and build better defenses against them. Part of my team at Chrome works very closely with Project Zero in terms of understanding the exploitation techniques they discover and then building advanced mitigations into Chrome.
Another person in Google launched the Titanium program, which is particularly around account security for targeted individuals. We’re really trying to make it successful among politicians given the hacking we’ve seen in elections. In those cases, you may actually get prompted additional times for a second factor or a hardware token, which for some people is not a good hurdle, but it’s a tradeoff that makes sense for others. I’d love to bring the concept of Titanium to Chrome as well. We want to protect both my dad, who is retired and has no reason to be targeted, and also the journalist traveling to China.
CS: What has Project Zero’s impact been in the last four years?
PT: First, they’ve reported over 1,400 vulnerabilities across a variety of targets. That, at a minimum, has closed issues and brought more attention to issues that could have been known and exploited by attackers. That’s impressive given the size of the team and the varied spread of targets: browsers, operating systems, antivirus systems, password managers.
I think their most important impact is actually bringing more attention to deadline-driven disclosure, looking at the overall impact from very large vendors in response to a deadline-driven disclosure policy. There’s a long history and debate about the right type of disclosure policy for security vulnerabilities. A spectrum of opinions still exists today: one end being you should fully disclose when you find a vulnerability and let people, the users and the company, act accordingly. The other end is you should disclose the vulnerability and give the vendor as much time as they need to fix it. Project Zero, I think, brought more popularity to deadline disclosure, which I think addresses a historical imbalance between the individual researcher and the vendor. If they’re a really large company, you have a huge power imbalance. What ended up happening was you have a large company that says we need six months or two years to fix this, and you’re in a position where you know a vulnerability but aren’t able to communicate it to the larger public and have the public act on that.
To me, popularizing deadline-driven disclosure has absolutely resulted in faster response and improved end-user security as a result. You see vendors recognizing it’ll become public and, with the public attention, that they’ll be scrutinized in a way they weren’t before. We’ve seen some impressive improvements in the number of security patches, response time and number of security issues fixed in 90 days versus how long similar issues took to fix prior to deadline disclosure.