
Keynote: "When Exploits Aren't Binary" - Maddie Stone, BSides Canberra 2023

BSides Canberra · 2023 · 45:11 · 1.2K views · Published 2023-10
Style: Keynote
About this talk
Maddie Stone (@maddiestone) is a Security Researcher and leads the Exploits team within Google's Threat Analysis Group (TAG). For the past four years she's focused on 0-days that are actively exploited in-the-wild, first at Google Project Zero and now TAG. She has found vulnerabilities in many major platforms including Safari, Chrome, Android, and Windows. Previously, she was a reverse engineer focused on malware on the Android Security team.
Transcript [en]

We have our conference keynote, who is Maddie Stone. Maddie Stone is a security researcher and leads the Exploits team within Google's Threat Analysis Group, or TAG as it's known. For the past four years she's focused on zero days that are actively exploited in the wild, first at Google Project Zero and now TAG. She has found vulnerabilities in many major platforms including Safari, Chrome, Android and Windows. Previously she was a reverse engineer focused on malware on the Android Security team. We are very privileged to have her today, so let's welcome Maddie to the stage. [Applause] Oh, thank you. Thank you all so much for having me. The last time I presented at an

Australian conference I was at home in San Francisco presenting to a computer screen while y'all were all in a room together, so I'm so thankful to Silvio and Kylie for inviting me back so we can do this the right way and I can get to meet all of y'all. So when they invited me to keynote it felt like a lot of pressure coming up with the topic, because as I've heard this is the best technical security conference in all of Australia. So I was going back and forth and trying to think about what do I really enjoy when I'm listening to a keynote, and it's when folks are talking about things they care about, that they

think are interesting, and so I'm trying that here: thinking about the things that, when I get to sit down and have a coffee or a beer with someone and talk all about exploits, they might find, or tell me they find, at least interesting, and some of the nuances associated with these when they had thought maybe it was pretty clear and there wasn't so much nuance in some of the areas. So let me know what you think once I'm back off the continent and in the US; you can hold it till then. But yeah, let's get into it. So they already gave me a very nice bio, but hi, I'm Maddie and I really, really

like zero-day exploits. And so I lead this team now called TAG Exploits. It's a little team; we've only actually been set up officially within TAG for the last three months, but myself over on Project Zero as well as TAG have been focused on tracking and detecting commercial surveillance vendors and understanding as much as we can about the active use of in-the-wild zero days. So these are some of the recent blogs we've put up for TAG. And yeah, so we will talk about later why I think CVEs are a terrible metric for just about every little thing you can think of, but since there are some folks who I know

are like, where's your CVE, how do I know that you're qualified: our team just in 2023 has found 16 in-the-wild zero days. 13 of these 16 are attributed to, or we found used by, the commercial surveillance vendors. When I talk about commercial surveillance vendors, those are the folks like NSO and their Pegasus spyware, Candiru, Intellexa, etc. So they're the folks selling to governments some sort of spyware capability that is almost always using zero days to get surreptitiously onto a device. So my goal with this is to hopefully make this a bit interesting for everyone, whether or not you've ever looked at or thought about an exploit in your life or you've been looking at this

for decades. And so let's start with what does a modern exploit chain look like today. It's almost always going to actually include three different zero days. If someone wants to remotely target a mobile device, for example, you're always going to need your initial remote code execution. With that initial remote code execution you're then usually going to be caught in some sort of tight sandbox, sandbox meaning you can't access a lot of data outside of that. You know, think about any app you install on your phone: you really don't want it, and it shouldn't be able, to read your WhatsApp or Signal messages. That's the sandbox. So you first need to get out of that sandbox, and then you

need, likely, a privilege escalation to get root or full privileges on the device, because you want your spyware to do just about everything. So these are sort of the levels of it, and it's not ever just one zero day anymore. And so when we think about that we also need to remember that attackers are lazy, just like me and others, I hope, in this industry, of only ever wanting to do what's actually required to accomplish their goal. And so I think this is an important context for us all to remember when we see numbers of zero days or folks talking about the threat of this versus, they used to just be able to do phishing,

etc. Yeah, if phishing's not working anymore they're going to move to the next sophisticated level, but if they don't need zero days and instead can use phishing, they're going to use phishing. So I think we need to remember that actually we want attackers to have to use the most sophisticated means; we want to make them have to hack us with their most sophisticated capabilities, because what's the story? We're never going to be able to say, or I hope you're not saying, I'm unhackable, no one can ever hack me with a zero day. The other story can be, we were breached, but they had to chain four of their best and novel

zero days together, and oh, by the way, we detected them in 24 hours. So you want the attacker thinking, do I really want to burn all these capabilities? This is the amount of energy and attention I have to put into this. So this is some of that context that I want to put behind the conversations we're going to have throughout this. And so a lot of people tell me, yes Maddie, you know, zero days are scary, there's a lot of it happening, but in the scheme of things it is the smallest number, sort of, of computer-based attacks. Why should I be worried about this when, you know, most orgs are still falling vulnerable to

attacks, or we're not getting things patched quickly, so an n-day works perfectly fine? And the issue, and why I hope lots of folks care, and yes, security hygiene: orgs do not need to be worried about protecting themselves from a zero day if they're still taking six months to, you know, patch something, for example. But each of these zero days has an outsized impact on society each time they're used, because even if we specifically are not the ones being targeted with the zero day, it affects us. If your journalists are being targeted, human rights defenders, political opponents, if you can't trust your elections, if journalists are scared to publish because of the threat of what's

happening to them and their families, that does affect us all. And so that's why I hope folks understand that this is not just a them problem: I'm not a high-risk user, my organization is not going to be targeted specifically by these zero days, so I don't need to be putting energy into also advocating for how vendors handle them, or sanctions against some of these commercial surveillance vendors, etc. So with all this in mind we set up this brand new team three months ago within TAG and we're working on setting up our mission. And so right now what we're working off of is: detect, analyze and prevent zero day exploitation. And so our goal is find the

attacks as soon as possible. That's a failure case when you detect it, so understand absolutely everything about them, and I mean failure case for attackers, not a failure case for us. And so we want to learn everything we can: what were the TTPs, techniques, oh shoot, tools, techniques and procedures, and understand the details of that root cause vulnerability and how might they have found it, because they likely have others; what was that exploit technique; how were they delivering this; and use all of that information to figure out how do we make it so it can't happen again. And I have an asterisk here on zero day because actually this is one of

the first places where it gets hard to describe exactly what you mean. It's supposed to be easy, right? A bug is either a zero day or an n-day, and, you know, we have clear definitions, so it should just be one or the other. The definition I usually use is a zero day is a vulnerability defenders don't yet know about. So the attackers know about it but defenders don't, so that will mean that defenders aren't working to issue the patch, there's no patch to apply, users don't even know they should be worried about it, etc. Which the opposite would be an n-day, which is a bug that defenders do know about. So already we do get into

some disagreements across the industry, with some folks using zero day as a vulnerability that doesn't have a patch available, which, while a slight modification, can be different and mean that you're categorizing things differently. But even with that, that should still be one or the other, right? But there ends up being quite a bit of confusion, especially when you're doing something like me and others of trying to track the number of actively exploited as a zero day versus actively exploited as an n-day things, and this starts to matter because it matters what you're trying to say. So let's go into an example. You go to the store and you buy this cute little product, and

you choose them because you expect the vendor to be providing you security updates to keep you safe, and you trust, you've seen a record from that vendor and you're feeling good about it, they issue monthly security updates or whatever it is. But what you might not know is there's a cute little licensed library in there, there's a cute little open source kernel that doesn't issue CVEs because they expect you to sync back up to the kernel, there's a cute little GPU driver which is not open source, so you don't see the source code, you just get patches or the binary blob. So what happens when there's vulnerabilities in those? What happens

when, say, cute little GPU driver knows about a security fix but it's in the binary blob and you as a user haven't taken it? Or what about for the cute little kernel that is open source but they have a policy of not issuing CVEs because they expect all fixes to be taken in, so you as the downstream know that there's been a lot of changes but don't realize there's a security impact? Is that zero day or n-day? And so we're running into this dichotomy a lot especially: upstream, meaning, you know, the folks who are being included, they might release a fix, patch a vulnerability, but the downstream doesn't release a fix, and that means

none of the users are able to actually install the patch on their phone. Other examples of this is, you know, I said before, bug fixed upstream without a security advisory or CVE: does downstream, defenders, even know that it's a bug, and where would that be, zero day or n-day? What about a product that doesn't or hasn't ever received security updates? Do they even have defenders? Could it be a zero day or an n-day if there's not even defenders or security updates being released? What about a bug that's fully disclosed? Maybe a security researcher has tried really hard to report it to the vendor and they're finally at the point that they don't have any more energy trying

to get the vendor to take it seriously or release a patch, so they fully disclose, and then that's exploited after it's fully disclosed. Well, defenders know about it, so is it zero day or n-day? And finally, mitigation bypasses. It's amazing how much defense in depth is starting to happen of exploit mitigations, something like even Mark of the Web on Windows might be one, where if something's downloaded from the web, you know, it has a little popup saying hey, like, are you sure you want to execute or run this or open this, it's from the web. So if you get past that, is that a vulnerability or not? Because usually a vulnerability has to pass a security

boundary, and mitigations aren't usually considered security boundaries. So this is just some of those grey areas that we're confronting regularly for those of us in this space, and it comes down to, in what I think I'm challenging myself to think about and what I hope others think about too, is what am I trying to communicate when I do say zero day versus n-day? Because there's a lot of different options of why someone may be using this, and if we actually think and try to come up with more specific language of what we're trying to say by saying it's a zero day or n-day, maybe we can figure this out and collaborate more on this

like, really big problem. So some of the examples might be: this is zero day because users don't have a clear and easy recourse to protect themselves, clear and easy being something like a patch; maybe they don't even know that they're vulnerable and need to apply something. Or maybe you're trying to communicate that hey, this was an attack that required significant expertise and resources and couldn't have been, you know, cyber criminal group X, Y and Z. Maybe you're trying to say there should be urgency around this, or it's a bug that defenders didn't know exists, the definition I usually use. So that's where it comes down to each of these grey areas of trying to think of why

does it matter whether or not it's zero day or n-day. So one of the common ones, upstream releases a patch, downstream hasn't: the way I've been trying to describe that to folks is it's an n-day that functions like a zero day. So we're still trying to fight against that, because it's a signal for us of what attackers are able to do, but trying to be very clear that this is what we're trying to say: they didn't have to use a zero day, but it's going to work towards users as one. And so that's a problem that we can then address specifically rather than just saying n-day, zero

day, etc. And so this comes up a lot. We have this public tracking sheet where we try to track all of the publicly known in-the-wild zero days, and so I get lots and lots of emails and messages of, why'd you include this, you shouldn't have included this, you should include this, etc. We do have a scope on the intro sheet explaining, because everyone has a scope and we outline ours there. But the other side of this is that by having a tracking spreadsheet it makes it pretty easy for people to focus on number of in-the-wild zero days. It's clear, it's calculable, it's a metric, and

it makes a bar graph, you know, all the things that everyone wants when they're trying to quantify security. And so when you look at this bar graph, obviously the 2020 to 2021 jump was one of the biggest things that caught everyone's attention, and I do think one of the turning points of folks starting to pay more attention to in-the-wild zero days. But unfortunately everything I kept getting based on that jump and the spike was, oh my goodness Maddie, everything's gone to crap, security is terrible, look at how many in-the-wild zero days are used. But what people didn't realize actually was that that 2020 to 2021 jump was when Android

and Apple began disclosing when something was in the wild, and so we get into that, we will talk about that more. But then the same thing happened when focusing just on the numbers of then what happened in 2021 to 2022: Maddie, you told us that that jump was because of detection and disclosure, so is the jump 2021 to 2022 because we didn't do as good of detection? So that's where we need to start looking at what does the number of in-the-wild zero days even mean, what can we take from it and what can't we take from it. The first sort of descriptor we need is that unfortunately I am not able to

calculate, and maybe some of y'all are, but I am not able to calculate how many zero days are actually actively exploited in the wild. The attackers are not calling me up and letting me know when they're going to start using a new one and things like that. So what we can actually calculate and track is the number of in-the-wild zero days detected and disclosed in the wild, and that's a really important distinction, because as I said of that 2020 to 2021 jump, changes in detection and disclosure are going to obviously impact the number of detected and disclosed in-the-wild zero days. But even beyond that, still, what do we take from this number? Because we are seeing

fluctuations, we are tracking them, how do we think about this? My take: the number can't tell us much. It's a pretty terrible metric for security, but it is an indicator. And so taking a step back to think about why do we do this work, what are we getting from even trying to track them if we can't use the number as a security metric. And so let me tell you how I think about this problem and what we're trying to accomplish. So the first four years of studying in-the-wild zero days I spent on Google Project Zero, and Project Zero's mission specifically is make zero day hard. And so obviously I

bring pieces of that now into this work of, yeah, we want to make zero day hard, but what does that even mean? So the first piece of it is increase the cost per zero day, and everyone has a question of, well, how much does a zero day cost, whenever I say that. And so that's going to bring me to a tangent. Yesterday, or not yesterday, Wednesday, this little tweet popped up and started getting a lot of attention: a zero day broker offering to pay up to $20 million for an iOS full chain and an Android full chain. And I have [Laughter] opinions, because, well, one, I won't be able to get into all of my opinions here, so come

find me at the party later and I will talk your ear off. But first, how did we get to 20 million for what, three bugs, four bugs maybe? Other thing: it does say up to; no one's promising anything with an up to. But how did we even come up with this number? So this was posted Wednesday, September 27th, but you look back at their Twitter feed and, huh, they previously said they would pay $2.5 million for iOS and Android chains, and that was only two months ago. So when I'm talking about cost I am not talking about how much a Twitter account claims that they will pay up to for a zero day,

because as much as I would love to put that on my performance packet or something like that, to say, oh yeah, in two months we made the cost of a zero day go up 10 times, or just under 10 times, I don't think anyone would believe me, because it's not true. A zero day chain is not almost 10 times harder now in September than it was two months ago. So that's not the cost we're talking about, and this is largely driven by supply, and anyone can tweet anything they want. But this brings us to how do these commercial surveillance vendors work, how does selling exploits work, what are even these business dynamics? So back in August 2022,

about a year ago, Intellexa, one of the big commercial surveillance vendors, had documents of one of their price proposals leak, and this was really insightful for us, not even so much about the number and the cost but how they structure their product. And so I know this is super small, but what this basically says is that they will deliver their product, a capability, via one-click exploits, meaning they will deliver a link and the target does have to click the link for it to occur, for both Android and iOS, and they will maintain that capability for a year. So they guarantee to you that they will have these zero day capabilities for

one year, and if things get patched or versions change they will continue with new capabilities. You also get the spyware implant, some of the analytics around how to communicate once the spyware implant's involved, etc., training sessions, things like that. So that's for $8 million for your one-year guarantee of capabilities for both iOS and Android. So this was the screenshot about the maintenance package saying they will continue to support, and this is going to come into play later as well, of remembering they're saying we've got zero days for you for a full 12 months regardless of patches. This is just something I found interesting too: if you want the implant to stay on the phone through

reboots, persistence will cost you another little $3 million, and the basic package is you can exploit people within your home country, with the previous one, but if you want five additional countries outside your own borders, as the customer buying it, then it'll cost another 1.2 mil. So just some interesting aspects of how this works, but let's end that tangent, sparkly hands, everything now. So what I do mean by cost of zero day is not the cost to buy a zero day, because that is going to be driven much more by demand, and as that tweet had said, its customer is a non-NATO country, and so depending on who you are it may cost more, depending on

the restrictions you placed on it, it's going to be different. So that's not what we're trying to change with make zero day hard. We're trying to influence how much does it cost for someone to develop a zero day. Of course that will ultimately influence some of the cost to buy it as well, but what we're directly trying to change is those costs to develop, and that's not just money. That's also how long does it take you to find that new zero day and develop an exploit technique to make it useful; how much expertise do you need, the most senior folks, and have a huge ramp-up time of getting up to speed on that component they're looking at; do people

need to be specialized on one, or could you have one person that can generally do everything for you? We want people to have to invest time and money and expertise to be able to develop these, that you can't just hire anyone off the street and have a new zero day, you know, within a month or so. So that's what we mean by increase the cost per zero day, and secondarily, increase the number of zero days required to maintain that same capability. So that can look a few different ways. First, we said they're guaranteeing they'll have that capability for a full year; if you're finding things really fast and they have to keep, oops, walked

into the fog. If you're finding things really fast and they have to keep coming up with new zero days to meet their contract, you're increasing the number of zero days required. If vendors are creating new security boundaries such that that little three-bug chain that I showed at the beginning now is a four- or five-bug chain, that's increasing the number of zero days required. So that's what we mean when we think about making zero day, or specifically these sort of technical aspects of zero day exploitation, harder: ultimately it costs them more for a less useful zero day. But then I guess we were on a tangent of a tangent, so let's get back

to, all that being said, what does the number of in-the-wild zero days mean? And I said it's nothing; it doesn't tell us much of anything about security, because there's a lot of reasons that are great for security that may drive the number both up and down, and there's a lot of things that are security regressions that will also cause that number to go up and down. So three security wins that would cause that number to spike, and I think these were some of the things that were really driving that jump from 2020 to 2021: more folks disclosing when there is a zero day and it's known to be in the wild,

them not just being fixed as regular bugs but Apple and Android annotating release notes saying there's evidence to suggest this is being exploited in the wild; adding security boundaries; discovering and fixing those zero days more quickly. But in the same vein there's reasons that number could go up and it not be great, such as it's easier to have a functioning zero day because no one's performing variant analysis, and so you only need to change one or two lines of code and have another functioning zero day, because yeah, the vendor patched this specific bug in one place but didn't patch it in any of the others. Exploit techniques aren't mitigated. As a part of our industry, thankfully, we're

now at this point where usually bugs will be fixed and there is the expectation that bugs are fixed. The same isn't said for exploit techniques, meaning just because you have a bug, you have to find a way to make that bug useful to accomplish your goal, and it is not the norm for all of those techniques to be mitigated each time one's found. So what that means is an attacker can plug and play a new vulnerability into their exploit technique framework. And lastly, the really, really sad one: more exploitable bugs are added to code than are fixed. So going up really can't tell us much, and the same can be said for going down. You know, lots of

these are opposites of what I just said, so I won't read them out again, but something of making it harder is, for example, killing off a whole bug class, so now for someone to find a bug they have to get creative, come up with new bug classes, research a component that has no public research on it, things like that. Or it could go down because attackers don't need to use zero days; they can use n-days or phishing. It could be going down because the same zero day has a super long life because patches aren't being released to users. So yeah, that number doesn't mean much, but it can be an indicator to tell

us hey, we need to look closer, something here is changing, and what is it? So every year for the last four years we've published a year in review of in-the-wild zero days, and so we published our 2022 one and we saw the big drop from 2021 to 2022. It went from, I believe, like 69 down to 40, so a pretty substantial drop. We're not talking about big numbers here; 69, you know, 40, those aren't huge in the scheme of every other security thing that we deal with in this industry, and so that's a pretty substantial drop. But that's where that number of zero days versus n-day, or the definition, came in, because what I did

see when I broke it down further, to see was it one platform having a drop, was it across the board, what are we dealing with that contributed to this drop: we saw that the number in Android dropped a lot, but then when we thought back over all the campaigns that were found we realized quite a few of those campaigns used n-days that were functioning like zero days, so the attackers didn't have to use zero days. So that's a negative reason for the numbers to come down, negative being a security regression, something that we can, an opportunity for us to fix. On the other side, we also saw a pretty distinct drop in browser

zero days from 2021 to 2022, and when we took a step back and thought about what could be contributing to that there were two things. In 2022 most of the major browsers all released pretty substantial exploit mitigations: Chrome released MiraclePtr, or BackupRefPtr, which largely made use-after-frees in the browser process unexploitable, and Safari released Lockdown Mode. Along with that, many customers were switching to wanting what's called zero-click exploits, meaning bugs that a user never has to interact with. Zero click: they don't need to click a link, answer a phone call, open a document, because they have that much more guarantee of working, because you're not

dependent on the user or the target doing anything. And the thing about zero clicks is they're almost always going to be in attack surfaces that aren't in the browser, because when thinking about a zero click it's the thing that's being sent to the user's phone before they interact, so things like phone calls or messages or things like that. So finding the bugs there, it's not really your browser doing much remotely before you interact with it. So those are just two examples of how both contribute with the number going down, one sort of on the positive side and one sort of on the negative side. The other thing we noted in the 2022 whatchamacallit here, year in

review, is bug collisions, and this becomes one of the more difficult areas that people think it should be super easy to say who did this, who's behind these bugs, and it's not, especially when we're talking the commercial surveillance vendors. Think of how many parties you have at play to sort of attribute, and trademark attribution is hard, you know, all of that stuff. You have commercial surveillance vendors selling and putting together the whole product; you have exploit brokers, or exploit shops, who are often selling some of the exploits to these commercial surveillance vendors to supplement the in-house development of commercial surveillance vendors; then you have the government customers who are actually using the product against folks; and then

when you add in bug collisions, bug collisions are where more than one person finds the same vulnerability independently, so we have seen this, you know, becoming more often, across security researcher to security researcher, security researchers and attackers, attackers and attackers themselves. One of the funny anecdotes is we continue hearing little whispers and things that when each of these bugs are getting patched a lot of the attackers don't know who was caught, because they're running into the same bugs. So here are some examples, sort of not great, but I try to find something to put up to show bug collisions versus, you know, sort of the discussions and hearing and things we have. The top

left bug was in Microsoft proxy; it was an in-the-wild one that was just patched in September, and you can see there are five different entities credited on those release notes, and then of course there would be the in-the-wild attacker as well, so all those folks sort of found them independently and reported it in along with the attacker. The middle one is a Chrome bug. Last Saturday we published about a campaign, in collaboration with Citizen Lab, that we had found, Intellexa using zero days in Egypt to deliver Predator spyware, and so we had found, or gotten, the iOS full chain, and then we had

discovered just the first step, just the initial remote code execution, which was in Chrome for Android devices, and we found it and then found that also just a security researcher had reported it to Chrome and independently found it as well. So that's just sort of another example of all of these bug collisions that are currently happening. And here's just a funny one, in the tweet of last September: Project Zero had disclosed a bug and then, you know, another researcher being like, RIP to the feature that was there forever and nobody wanted to report because it was useful. So getting back to these numbers, hopefully you see that the numbers in this chart actually don't tell us much

of anything at all, and, oh, I forgot what I was going to say. But what we are starting to see is, you know, 2023, nine months in, has surpassed 2022, and while you'll just have to wait for the 2023 year in review, because we don't have a full year to really consider the analysis and what exactly is going to happen yet, we can start looking at some of the campaigns that contributed to those numbers. So in December 2022 TAG found a Variston campaign in the UAE, Variston being another commercial surveillance vendor, and this was the chain used for Android devices, and it was pretty wild, because six bugs for one exploit chain. It wasn't six zero days,

so this was towards a Samsung device and the initial vector was through Samsung Browser. Samsung Browser is built on top of Chromium and tends to be a few versions behind, so while the initial RCE was zero day, the sandbox escape was n-day on Chrome but zero day on Samsung Browser. Then there was a zero day info leak, and then there was a bug in the Mali GPU driver which was n-day via the Mali GPU, because ARM had released a patch for it but it was unpatched in Android, and then we had another zero day in the kernel and another zero day in the Mali GPU driver as well. So in one campaign, finding four zero

days um across the board you know these numbers this is what we want to see we want to see having to use lots of bugs preferably we're hoping to get to you know all of these having to be full zero days but progress not Perfection um and here's another one this is the one we just published about um in Egypt last Saturday um with citizen lab and and so the iOS full chain was three bugs and the Android we found one so again via another campaign another four zero days um added in so when you start to think of that like that's a good way of wanting to find more and seeing that substantial change

So I don't want this to be all negative, because actually I think there's been a whole lot of progress in security, not even talking about 10, 15, 20 years ago. I think there's been substantial progress even in just the last two, three, four years. And that's not to say that there aren't a lot of areas of opportunity for us to improve on, but think about it: all of these attackers are needing to use zero-days now. They're not able to rely on the simpler things. We're detecting them, we're disclosing them, vendors are fixing pretty quickly, and the seven-day deadline is becoming more normal for these in-the-wild bugs. And vendors are releasing fixes: for that iOS chain, for all three of those bugs, Apple released all three of those patches in just about a week. For a Chrome bug that was patched yesterday, Chrome patched that in two days. That is huge progress. Could we ever imagine being there, you know, five years ago, that type of turnaround time? And we know about it and we're able to collaborate more, so that's definitely progress.

But there's also a lot we need to work on: you know, the unpatched times, the unpatched periods, the N-days functioning as zero-days, of course. And one of the biggest things that I continue to see, and was in that Year in Review as well, and I've now put in I think three different Year in Reviews, is that we want, and we think, that zero-days should be this super novel capability, exploiting bugs we hadn't looked at before in bug classes, using exploit techniques we didn't even consider. But that's not the case right now. 40% of 2022's in-the-wild zero-days were pretty trivial variants of previously known bugs; 20% of them were variants of previous in-the-wild bugs. So one of the biggest areas of opportunity that will be a return on investment as an industry is looking at our vendor responses to reported vulnerabilities. And because of those bug collisions I talked about, you don't just have to wait and do this for in-the-wild bugs, because what are security researchers reporting to you? They're often finding the same stuff as attackers. And so, can we get patches more quickly, and fixes more quickly, into users' hands, not just if you're an upstream component or downstream, but getting it faster to users? Can we make sure that the root cause of bugs is actually addressed?

So James Forshaw and I presented at OffensiveCon in Germany about this class of Windows bugs that was recurring, being exploited in the wild, and what was happening is that each time they were issuing a patch, it was to break the proof of concept or exploit, not actually fixing the root-cause bug. So attackers could keep coming back exploiting the same root-cause bug, just sort of finding a new path to it. That's not getting to it, and that's making it way too easy to have this zero-day capability. So doing these root cause analyses, doing variant analyses, and sharing as much as possible. I also have this public in-the-wild RCA repository on GitHub, and when we first started doing this people were like, no, you're giving all the details to attackers. And the number of times I've had to be like: the attackers have already exploited the bugs, they have these details. We are the ones who don't have it as defenders and need to be sharing it with them. We're not giving them new information, they already exploited it, but making it easier on us, on all of these highly under-resourced security teams. Because none of what I'm saying is novel, or not what security vendor teams have been saying over and over and over for years. I'm just trying to reiterate what they're saying. So how can we capitalize on each reported vulnerability to learn as much as possible and make it that much harder for them to come back and do it again? That's all I got. Thank you so much for having me. [Applause]

What a great presentation. Do we have any questions for Maddie in the audience? You've got to wave your hands really

vigorously. One over here, oh, there's one over here too.

Hello. Ah, hi Maddie, just curious: with raising the cost of developing an exploit, do you have any concerns that attackers will start moving to the source, such as contributing weakening patches to the kernel, rather than attempting to write custom exploits?

Sure. You know, but the goal, as I said, is to continue raising the bar. If they're going to put themselves at that risk, that's another new risk of them starting to try and interact, and more risk of getting caught than just being able to look at code and do a zero-day. So that's the goal, is to continue making it that much harder. So let's see them, you know, try to create weakening patches, and then catch them.

Any other questions? Oh, over there.

Fog, just on the microphone. You're good, you're good. Hello, there we go. Thanks for a great talk. I suppose I was just wondering, you mentioned a few different commercial surveillance vendors; I was just curious roughly how many do you guys track, or are on your radar, that you sort of know about and spot?

We're tracking between 30 and 40.

Any other questions in the audience? One over here.

Yeah, hi Maddie, thank you so much for your great talk. You mentioned in the talk the cost for various exploit chains provided by these attackers, and obviously the price at which they pay is based on demand and not supply, and I get all of that. But on the defensive side, what would you say is the defensive cost of having teams such as Project Zero? On the defensive side, what's the cost of finding these vulnerabilities and patching them? Is it more, is it less, is it a losing battle, is it a winning battle? What are your thoughts?

I'm not an economist and I did not do well in, what is it, Economy 101. I mean, it's hard. Thankfully Google pays myself and other people on Project Zero I think pretty decently, so I don't think we're especially cheap. But I do think, especially with the cadence that we are finding in-the-wild zero-days, I hope, I believe, we are beating them out for what they're paying for. I mean, of course they're guaranteeing it at this yearly rate. I think we are seeing more folks popping up in these sort of exploit dev shops and brokers because the CSVs themselves are not being able to, maybe, keep up, or confident they can keep up in the cadence of zero-days they need to have on a regular basis, like supplementing, because they also have their own vuln researchers and exploit devs. So I know it's an unsatisfying response. You know, I always get asked cost and I'm like, I don't know. I know it has to be more than what all of the vendors are able to pay, and their prices still keep going up for bounties, because I can't imagine that researchers are selling to these other shops when there's the much lower risk of giving it to a bug bounty for, you know, a pretty substantial amount of money as well.

I'm sure we could ask a million more questions, but we might have to call it there. I'm sure Maddie will be around at the conference, and talk to her if you can. And let's welcome, sorry, thank you, thanks Maddie one more time.

Thank y'all.