Hardening the C++ Standard Library at massive scale. A look at increasing memory safety with libc++ hardening — a collaborative paper from engineers at Apple and Google. The results have been impressive: at Google the team discovered and fixed 1000+ bugs as hardening was enabled.

We're joining forces with industry & academia to call for memory safety standardization: https://t.co/UOVODzi0RZ. It's a recognition that memory unsafety is no longer a niche technical problem but a societal one, impacting everything from national security to personal privacy.

🛡️Want to help make the open source world safer and earn up to $45k 💰? We've revamped our Patch Rewards Program, extending its scope and increasing rewards for security patches – with a particular focus on memory safety, including bonus multipliers! https://t.co/pUiYgTRdsA

Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲 Discover how Google's security teams turn employee farewells into security tests. https://t.co/Mapn7Nrs78

Bounds-checking in C++: so people ask if the .3% overhead is real. It's not just a benchmark result, we got this through our Google-Wide profiling, that gives us the live insights from DCs. This surprised us too as it was much cheaper than we thought https://t.co/zBUvoYzGi1

The best part? It's incredibly cost-effective, with an average performance overhead of just 0.30%.  So there's really no reason not to do it if you're running C++ code :)

This improves spatial memory safety across Google's services, including performance-critical components of Search, Gmail, Drive, YouTube, and Maps.  We've already seen it disrupt a red team exercise, reduce segfaults by 30%, and improve code correctness.

Excited to share our latest post on memory safety! We're tackling spatial safety in our massive C++ codebase by hardening libc++ *by default*. It adds bounds checks to things like std::vector, preventing a fair bit of out-of-bounds vulnerabilities:

The dedication and hard work has payed off: "for hundreds of complex web applications that are built on Google’s hardened and safe-by-design frameworks, we've averaged less than one XSS report per year in total" (see page 9 of the whitepaper).

Percentage of codebase that's memory-safe 📈, memory-safety vulns 📉, EVEN IF YOU KEEP ADDING LINES OF C 🤯

Excited to share Google's memory safety strategy! We're working to build safer software by migrating to memory-safe languages like Rust as well as hardening our existing C++: https://t.co/UdmcghPhbO. We'll be sharing more details in upcoming posts.

Google CVR is doing incredible vulnerability research.

Released a blog about our @theori_io AIxCC experience! https://t.co/EpJrsyXsmO @tjbecker_ and I were hoping to have more info about other challenges, but they aren't released, so some of the information is a bit limited. Still, hope folks can enjoy reading it!

The drop in Android's memory safety vulnerabilities is astonishing. It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.

Excited to share this blog post about server-side memory corruption that my team exploited in production. Shout-out to @scannell_simon, @epereiralopez, and @thatjiaozi - this was a very fun project. :-) https://t.co/63Ho3HvF4w

"just as our efforts to eliminate XSS attacks through tooling showed, removing large classes of exploits both directly benefits consumers of software and allows us to move our focus to addressing further classes of security vulnerabilities." https://t.co/u3ZvvSO5Dd

Today I spoke on the importance of Secure by Design on behalf of @Google alongside @CISAgov @FDD @VenableLLP & more. We also launched a paper on @Google's approach to Secure by Design & published on how it can be applied to address memory safety vulns:

Ever struggle with C++ buffer issues? Spatial Safety is one of the main root causes for in-the-wild exploits! Read more about how we piloted the LLVM proposal for C++ Buffer Hardening here: https://t.co/IWdLxFjc4V

this is a big one… if you have opinions on this, make sure that they are heard 👀 Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages | ONCD | The White House

I’m excited to announce the AI Cyber Challenge, a major, two-year @DARPA competition challenging the best and the brightest in cybersecurity and AI to secure the systems on which all American rely. https://t.co/mZR4ZNSiaM