Comment by tptacek
5 years ago
I guess. Project Zero has a sort of unique history; as I understand it, it's less a reflection of Google's distinctive culture than it is Google's savvy in acquiring and nurturing a pre-existing research culture, and that might not be replicable. But you can also ask the question: how much of an impact has P0 had on shielding Google and its partners from similar vulnerabilities? If your impression is that, because of people like Ian Beer, Android phones are basically impregnable, I'll submit without a lot of insider knowledge that you're probably mistaken.
What an Apple P0 buys Apple might just be a bunch of favorable nerd press cycles. But that's not a problem Apple really has.
I am, however, convinced that with the right resource commitment, you could scale up a world-class research capability --- to potentially arbitrary levels --- without headhunting existing researchers, which is where I see the bottleneck right now.
Or, I mean, Apple could just rewrite their OS infrastructure in a memory-safe language. If I had the two options, I would put all my chips on the language change.
(I think P0 is extremely cool and valuable to Google in a bunch of ways and would be thrilled to see more major vendors try to replicate it, even if I doubt they'll be successful).
Most likely the M1 optimizations related to ARC are also a step into that direction.
And they are also moving all kernel extensions to user space anyway.