The Unsinkable Maddie Stone, Google’s Bug-Hunting Badass

At Google’s Mountain View campus, 40 minutes south of her gym, Stone’s job could easily be all-consuming. She joined Project Zero in 2019 after two years working on the Android security team, where she was hired for her skills in hardware and software reverse engineering. It’s a discipline where you take unknown code—in this case, some of the most sophisticated malware in the world—and deconstruct it to see what makes it tick. Once you’ve done that, you can figure out how to defuse it.

Stone eventually rose to lead a team that studies and neuters the Android malware actively used by criminals and nation state hackers.

“There was such a clear, direct impact,” Stone says of her Android-focused work. “I find these potentially harmful apps, I flag the malware, and the defense we develop propagates to 2.8 billion devices. It was just such a massive, tangible impact that most people don't get in their jobs.”

Some of the work involved countering one-off hacking tools, but other times got more personal. Stone and her colleagues once spent 18 months battling a botnet maker intent on infecting Android devices and skilled at circumventing deterrents. While the fight was still raging in the summer of 2018, Stone gave a talk at the Black Hat security conference in Las Vegas about features that helped the botnet malware avoid being analyzed. Within 72 hours, Stone says, the attacker group started altering each of the features she had touched on—despite the talk not being made public.

Her experience on Android made Stone a natural fit when Project Zero decided to expand. Finding previously undiscovered software bugs and motivating developers to patch them quickly is core to the group’s mission: “Make zero-day hard.” But in 2019, the team broadened its focus beyond just disclosing unique zero-days the researchers found themselves to tracking and studying those that hackers actively exploit in the wild—the exact types of flaws Stone had been stamping out on Android.

“The key thing to remember is that the problem we’re working on is not theoretical. These are issues that are affecting real people, cause user harm, and have an impact on society,” says Ben Hawkes, who runs Project Zero and was one of its founding members. “So the idea was essentially to create a hybrid role within Project Zero.” Stone would bridge the gap between combing code to find individual flaws and looking at how attackers behave and evolve more broadly.

Essentially, Stone helps give Project Zero a longer view, working to understand what makes certain vulnerabilities valuable to hackers and how to make it even more difficult and costly for them to find and exploit those types of bugs.

In her first year at Project Zero, Stone has investigated dozens of actively exploited software flaws to determine how each one works, whether the techniques it uses are novel or widespread, what tools attackers may have used to find the initial bug, and whether structural improvements in software could make whole classes of exploits more difficult to craft.

“A lot of the findings so far have been things that we weren’t quite expecting,” Stone says, “And my ultimate conclusion from that has been that we actually don’t have enough data yet to do this work the way we want to.”

For example, Project Zero’s tracking spreadsheet for actively exploited zero-days currently shows 15 examples that have come to light this year. Three of those were found in security scanning tools like antivirus software. Stone points out that this number of AV-related entries is surprising given how modest their user base is relative to massive platforms like Chrome, Windows, or iOS. But it’s difficult to tell whether they’re especially vulnerable, or other actively exploited zero-days remain undiscovered.