- gcp-dhcp-takeover-code-exec: Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent
- security-research: This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.
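The project description above hinges on SSH keys being written into authorized_keys by the guest agent on the strength of what it believes is instance metadata. A defender's first question is therefore whether the keys present on a VM match the keys that are actually expected. The following is an added example (not code from the gcp-dhcp-takeover-code-exec project, nor from Google's guest agent) that parses an OpenSSH authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and flags any entry whose fingerprint is not on an allowlist. It assumes the allowlist comes from a trusted, out-of-band source (for example an offline copy of the instance or project metadata); the key blobs and file contents in the block are constructed placeholders, not real keys.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of expected fingerprints.

Added example for this page; not code from the gcp-dhcp-takeover-code-exec project
or from Google's guest agent. Assumes the expected fingerprints are obtained out of
band from a trusted source (e.g. an offline copy of instance/project metadata).
"""
import base64
import binascii
import hashlib
from typing import Dict, List, Set

# Key types OpenSSH accepts in authorized_keys; any tokens before the type are options.
KNOWN_KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """Split authorized_keys text into entries; blank and comment lines are skipped.

    Each entry records its line number, leading options (e.g. from="..."), key type,
    base64 key blob and trailing comment. Lines without a recognised key type are
    kept with an 'error' field so a reviewer still sees them instead of losing them.
    """
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        type_idx = next((i for i, t in enumerate(tokens) if t in KNOWN_KEY_TYPES), None)
        if type_idx is None or type_idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "no recognised key type", "raw": raw})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:type_idx]),
            "type": tokens[type_idx],
            "blob": tokens[type_idx + 1],
            "comment": " ".join(tokens[type_idx + 2:]),
        })
    return entries


def fingerprint(blob_b64: str) -> str:
    """Return the OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def find_unexpected_keys(text: str, expected_fingerprints: Set[str]) -> List[Dict[str, object]]:
    """Return entries whose fingerprint is not on the allowlist, plus unparseable lines."""
    unexpected: List[Dict[str, object]] = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            unexpected.append(entry)
            continue
        try:
            entry["fingerprint"] = fingerprint(str(entry["blob"]))
        except (binascii.Error, ValueError):
            entry["error"] = "key blob is not valid base64"
            unexpected.append(entry)
            continue
        if entry["fingerprint"] not in expected_fingerprints:
            unexpected.append(entry)
    return unexpected


# Constructed sample data: these blobs are placeholder bytes, not real public keys.
KEY_A = base64.b64encode(b"constructed key material A (not a real key)").decode("ascii")
KEY_B = base64.b64encode(b"constructed key material B (not a real key)").decode("ascii")

# Allowlist derived from the trusted copy of metadata: only KEY_A is expected.
EXPECTED_FINGERPRINTS = {fingerprint(KEY_A)}

# Constructed authorized_keys content with one key that is absent from the trusted metadata.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {KEY_A} alice@example.com
from="10.0.0.0/8" ssh-rsa {KEY_B} injected-key
"""

if __name__ == "__main__":
    for entry in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, EXPECTED_FINGERPRINTS):
        print(f"line {entry['line']}: unexpected entry -> {entry}")
```

Run against the sample it reports only the `injected-key` line; on a real host the allowlist would be built from `ssh-keygen -lf` output of the keys you expect, and the audit scheduled alongside any other host-integrity check so that a key added outside the expected provisioning path is noticed rather than trusted.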
Same subnet = as another VM in your project? Or a random GCP user? Seems like pretty different risk levels...
https://github.com/irsl/gcp-dhcp-takeover-code-exec#attack-s...
Confidential computing (Intel SGX, ARM TrustZone, AMD SEV-SNP) handles this by encrypting the virtual machine memory so that even having full root on the host does not expose VM compute or memory.
There are plenty of ways to do zero trust networking; a slick commercial implementation is https://tailscale.com/, which you can totally use in the cloud for secure node-to-node comms if you're worried about those things.
Funny thing is I agree with you that Google should hold itself to that bar, but I don't agree as to Project Zero being the reason. I think we very much should distinguish Google from P0, and that P0's policy should be irrelevant here; their entire purpose is to be an independent team of security researchers finding vulnerabilities in software, indiscriminately. It seems a number of others here feel similarly (judging by the responses), and ironically their support for the position is probably being lost by dragging P0 into the conversation.
The reason I think Google should hold itself to that bar is something else: Google itself uses that bar for other vendors. From the horse's mouth [1]:
> This is why Google adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.
If they're going to do this to others as general company policy, they need to do this to themselves.
[1] https://www.google.com/about/appsecurity/