LAS VEGAS -- Despite Google's own Project Zero being part of the discovery team for the Meltdown and Spectre vulnerabilities, Google itself wasn't not
LAS VEGAS — Despite Google’s own Project Zero being part of the discovery team for the Meltdown and Spectre vulnerabilities, Google itself wasn’t notified until 45 days after the initial report was sent to Intel, AMD and ARM.
Speaking at a panel on Meltdown and Spectre disclosure at Black Hat 2018 Wednesday, Matt Linton, senior security engineer and self-described “chaos specialist” at Google’s incident response team, explained how his company surprisingly fell through the cracks when it came time for the chip makers to notify OS vendors about the vulnerabilities.
“The story of Google’s perspective on Meltdown begins with both an act of brilliance and an act of extraordinary miscommunication, which is a real part of how incident response works,” Linton said during the session, titled “Behind the Speculative Curtain: The True Story of Fighting Meltdown and Spectre.”
Even though Project Zero researcher Jann Horn was part of both the Meltdown and Spectre discovery teams, Linton said, Project Zero never notified Google directly. Instead, the Project Zero group followed strict guidelines for responsible vulnerability disclosure and only notified the “owners” of the bugs, namely the chip makers.
“They feel very strongly in PZ [Project Zero] about being consistent about who they notify and rebuffing criticism that Project Zero gives Google early heads up about bugs and things,” Linton said. “I assure they did not.”
Project Zero notified Intel and the other chip makers about the vulnerabilities on June 1, 2017. It had been previously reported that Google’s incident response team wasn’t looped into the Meltdown and Spectre disclosure process until July, but it wasn’t entirely clear why that was. Linton explained what happened.
“[Project Zero] notified Intel and the other CPU vendors of these speculative execution vulnerabilities and they said a third of the way through the email that ‘We found these, here are the proof of concepts, and by the way, we haven’t told anyone else about this including Google, and it’s now your responsibility to tell anyone you need to tell,’ and somewhere along the line they missed that piece of the email,” he told the audience.
Linton said the CPU vendors began the Meltdown and Spectre disclosure process and started notifying companies that needed to know such as Microsoft, but they apparently believed Google had already been informed because Project Zero was part of the discovery teams. As a result, Google was left out of early stage of the coordinated disclosure process.
“As an incident responder, I didn’t find out about this until mid-July, 45 days after [the chip vendors] discovered it,” Linton said.
The miscommunication regarding Google was just one of several issues that plagued the massive coordinated disclosure effort for Meltdown and Spectre. The panelists, which included Eric Doerr, general manager of the Microsoft Security Response Center, and Christopher Robinson, principal program manager and team lead of Red Hat Product Security Assurance, discussed the ups and down of the complex, seven-month process as well as advice for security researchers and vendors based on their shared experiences.
Editor’s note: Stay tuned for more from this panel on the Meltdown and Spectre disclosure process.