Thread: WebGL Considered Harmful

  1. #1
    Noblesse Oblige
    CvP's Avatar
    Join Date
    Feb 2008
    Location
    Dhaka, Bangladesh
    Posts
    9,019

    WebGL Considered Harmful


    The Khronos Group’s WebGL technology is a cross-platform, low-level 3D graphics API for the web. Recently, Context Information Security published two reports critical of the WebGL technology, WebGL – A New Dimension for Browser Exploitation and WebGL – More WebGL Security Flaws.

    One of the functions of MSRC Engineering is to analyze various technologies in order to understand how they can potentially affect Microsoft products and customers. As part of this charter, we recently took a look at WebGL. Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements. Some key concerns include:

    • Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive
    The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really needed to worry about before. Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern. We expect to see bugs that exist only on certain platforms or with certain video cards, potentially facilitating targeted attacks.
    • Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience
    As WebGL vulnerabilities are uncovered, they will not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by IHVs. While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities.

    It is our belief that as configurations are blocked, increasing levels of customer disruption may occur. Without an efficient security servicing model for video card drivers (e.g. Windows Update), users may either choose to override the protection in order to use WebGL on their hardware, or remain insecure if a vulnerable configuration is not properly disabled. Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process.
    • Problematic system DoS scenarios
    Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat. While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as in critical infrastructure.

    We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.

    We recognize the need to provide solutions in this space; however, it is our goal that all such solutions are secure by design, secure by default, and secure in deployment.

    - MSRC Engineering


    -------

    What MSRC is saying is perfectly valid. Allowing JavaScript to control your GPU will create various security problems depending on platform/driver combinations. Sure, if you are making a device like the iPhone where you control everything, WebGL is a good idea. But where you can have 1000s of different combinations of GPU/Driver/Platform, this is just madness.

    Expect Mozilla/Google to fire back on this topic soon.
    Last edited by CvP; June 17th, 2011 at 11:42.

  2. #2
    Moderator
    Raihan081's Avatar
    Join Date
    Mar 2009
    Location
    Dhaka
    Posts
    2,099

    Re: WebGL Considered Harmful

    fireback? hell yeahh!

  3. #3
    Member
    W1C|<3D's Avatar
    Join Date
    Jul 2010
    Location
    Narnia :O
    Posts
    4,895

    Re: WebGL Considered Harmful

    Let's see what they say
