Security @ Google. Previously co-founder of @ForAllSecure. Opinions here are my own. @ayper@infosec.exchange

Joined August 2008
Alex Rebert retweeted
Can we translate all C to Rust? The susceptibility of C to memory corruption has long been a cybersecurity pain point, and coding agents can free us of it. Read on for my recent experiments in this space, and apt & docker repos that you can pull rust-converted libraries from!
Alex Rebert retweeted
Hardening the C++ Standard Library at massive scale. A look at increasing memory safety with libc++ hardening — a collaborative paper from engineers at Apple and Google. The results have been impressive: at Google the team discovered and fixed 1000 bugs as hardening was enabled. queue.acm.org/detail.cfm?id=…
25 Feb 2025
We're joining forces with industry & academia to call for memory safety standardization: security.googleblog.com/2025…. It's a recognition that memory unsafety is no longer a niche technical problem but a societal one, impacting everything from national security to personal privacy.
Alex Rebert retweeted
🛡️Want to help make the open source world safer and earn up to $45k 💰? We've revamped our Patch Rewards Program, extending its scope and increasing rewards for security patches – with a particular focus on memory safety, including bonus multipliers! bughunters.google.com/blog/5…
Alex Rebert retweeted
16 Nov 2024
Bounds-checking in C++: so people ask if the 0.3% overhead is real. It's not just a benchmark result, we got this through our Google-Wide profiling, that gives us the live insights from DCs. This surprised us too as it was much cheaper than we thought research.google/pubs/google-…
15 Nov 2024
Excited to share our latest post on memory safety! We're tackling spatial safety in our massive C++ codebase by hardening libc++ *by default*. It adds bounds checks to things like std::vector, preventing a fair bit of out-of-bounds vulnerabilities: security.googleblog.com/2024…
15 Nov 2024
This improves spatial memory safety across Google's services, including performance-critical components of Search, Gmail, Drive, YouTube, and Maps. We've already seen it disrupt a red team exercise, reduce segfaults by 30%, and improve code correctness.
15 Nov 2024
The best part? It's incredibly cost-effective, with an average performance overhead of just 0.30%. So there's really no reason not to do it if you're running C++ code :)
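What the thread above means in practice, as an added example (not a tweet from this thread, and not Google's own code): the same off-by-one-prone loop written once with an unchecked `std::vector` subscript and once with the bound enforced in the code, plus a compile-time probe for whether the standard library was built with bounds assertions. The build macros named in the comments are the documented libc++ (`_LIBCPP_HARDENING_MODE`) and libstdc++ (`_GLIBCXX_ASSERTIONS`) switches; the function names and the sample vector are constructed for this example.

```cpp
#include <cstddef>
#include <vector>

// Sum of v[0..n). Nothing checks n against v.size(): if a caller passes
// n == v.size() + 1 (the classic off-by-one), operator[] reads past the end.
// With a hardened standard library, e.g. libc++ compiled with
// -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST, or libstdc++ with
// -D_GLIBCXX_ASSERTIONS, that first out-of-range subscript traps instead of
// silently reading adjacent memory.
long sum_prefix_unchecked(const std::vector<int>& v, std::size_t n) {
    long total = 0;
    for (std::size_t i = 0; i < n; ++i) {
        total += v[i];  // unchecked subscript
    }
    return total;
}

// Same routine with the bound enforced in the code itself, so it is safe
// regardless of how the standard library was built. Returns false (and
// leaves *out untouched) when n exceeds the vector's size.
bool sum_prefix_checked(const std::vector<int>& v, std::size_t n, long* out) {
    if (n > v.size()) {
        return false;
    }
    long total = 0;
    for (std::size_t i = 0; i < n; ++i) {
        total += v[i];
    }
    *out = total;
    return true;
}

// Reports whether this translation unit was compiled against a standard
// library with bounds assertions enabled. Assumption: only the two
// documented macros above are consulted; other vendors' switches are ignored.
bool stdlib_bounds_checks_enabled() {
#if defined(_LIBCPP_HARDENING_MODE) && (_LIBCPP_HARDENING_MODE != _LIBCPP_HARDENING_MODE_NONE)
    return true;
#elif defined(_GLIBCXX_ASSERTIONS)
    return true;
#else
    return false;
#endif
}

int main() {
    std::vector<int> v = {1, 2, 3, 4};  // constructed sample input
    long s = 0;
    bool ok = sum_prefix_checked(v, 4, &s);         // ok == true, s == 10
    bool rejected = !sum_prefix_checked(v, 5, &s);  // rejected == true
    // sum_prefix_unchecked(v, 5) is the off-by-one: undefined behaviour on an
    // unhardened build, a trap on a hardened one. Deliberately not called here.
    return (ok && rejected) ? 0 : 1;
}
```

Build it twice to see the difference, e.g. `clang++ -std=c++17 -stdlib=libc++ example.cpp` versus the same command with `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST` (or `g++ -D_GLIBCXX_ASSERTIONS`); `stdlib_bounds_checks_enabled()` tells you which one you got, and only on the hardened build does calling `sum_prefix_unchecked(v, 5)` abort at the bad subscript rather than reading whatever follows the buffer. The 0.3% figure quoted in the thread is for the fast mode rolled out fleet-wide; the explicit check in `sum_prefix_checked` is what you still want at trust boundaries, since it turns the bug into a handled error rather than a crash.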
Alex Rebert retweeted
The dedication and hard work has paid off: "for hundreds of complex web applications that are built on Google’s hardened and safe-by-design frameworks, we've averaged less than one XSS report per year in total" (see page 9 of the whitepaper).
Secure by design takes dedication and years of hard work to get the balance right between velocity and safety. Read a bit about @Google’s commitment and journey in our new white paper. Humbled to work with the professionals that make this happen everyday. blog.google/technology/safet…
Alex Rebert retweeted
Percentage of codebase that's memory-safe 📈, memory-safety vulns 📉, EVEN IF YOU KEEP ADDING LINES OF C 🤯
NEW EPISODE! You may not be rewriting the world in Rust, but if you walk like the Android team, you'll drive down your memory-unsafety vulnerabilities more than 2X below the industry average over time! 🎉 securitycryptographywhatever… youtu.be/WL4CgVI6p9g
15 Oct 2024
Excited to share Google's memory safety strategy! We're working to build safer software by migrating to memory-safe languages like Rust as well as hardening our existing C++: security.googleblog.com/2024…. We'll be sharing more details in upcoming posts.
4 Oct 2024
Google CVR is doing incredible vulnerability research.
Learn how Google CVR could have potentially exfiltrated Gemini 1.0 Pro before launch last year. We describe the vulnz, the fix, and tips for bughunters. Also, shout-out to @epereiralopez for teaming up to adapt this work to another cloud provider. bughunters.google.com/blog/5…
Alex Rebert retweeted
24 Sep 2024
Released a blog about our @theori_io AIxCC experience! medium.com/@sa-blog/winning-… @tjbecker and I were hoping to have more info about other challenges, but they aren't released, so some of the information is a bit limited. Still, hope folks can enjoy reading it!
25 Sep 2024
The drop in Android's memory safety vulnerabilities is astonishing. It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.
I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why. security.googleblog.com/2024…
Alex Rebert retweeted
Excited to share this blog post about server-side memory corruption that my team exploited in production. Shout-out to @scannell_simon, @epereiralopez, and @thatjiaozi - this was a very fun project. :-) bughunters.google.com/blog/6…
Alex Rebert retweeted
"just as our efforts to eliminate XSS attacks through tooling showed, removing large classes of exploits both directly benefits consumers of software and allows us to move our focus to addressing further classes of security vulnerabilities." security.googleblog.com/2024…
Alex Rebert retweeted
Today I spoke on the importance of Secure by Design on behalf of @Google alongside @CISAgov @FDD @VenableLLP & more. We also launched a paper on @Google's approach to Secure by Design & published on how it can be applied to address memory safety vulns: blog.google/technology/safet…
Alex Rebert retweeted
Ever struggle with C++ buffer issues? Spatial Safety is one of the main root causes for in-the-wild exploits! Read more about how we piloted the LLVM proposal for C++ Buffer Hardening here: bughunters.google.com/blog/6…
Alex Rebert retweeted
10 Aug 2023
this is a big one… if you have opinions on this, make sure that they are heard 👀 Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages | ONCD | The White House m.cje.io/3s2Xz6t