Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Graphics Security Technology

WebGL Poses New Security Problems 178

Julie188 writes "Researchers are warning that the WebGL standard undermines existing operating system security protections and offers up new attack surfaces. To enable rendering of demanding 3D animations, WebGL allows web sites to execute shader code directly on a system's graphics card. This can allow an attacker to exploit security vulnerabilities in the graphics card driver and even inject malicious code onto the system."
This discussion has been archived. No new comments can be posted.

WebGL Poses New Security Problems

Comments Filter:
  • by Anonymous Coward
    Now that we finally have sandboxing in browsers they want to let any website run directly code on your hardware. Insane! Just forget the WebGL stuff. Silverlight has direct support for XNA which handles it everything better and safer anyway. Are we also supposed to write WebGL games with notepad? At least XNA games can be written with a solid IDE like Visual Studio. Not only that but the games also work on Xbox360 and mobile phones without such a major porting. What a developers dream...

    Leave my hardware
    • Now that we finally have sandboxing in browsers they want to let any website run directly code on your hardware.

      As opposed to what?

      Keep in mind that sandboxing is a way to deal with websites having direct hardware access. That's how they can do NaCL [google.com] safely.

      Silverlight has direct support for XNA which handles it everything better and safer anyway.

      What's "better" or "safer" about XNA? Never mind that nothing's stopping you from porting frameworks to this anyway -- having a lower-level standard means that, ultimately, you can have something like XNA, and others can have other things.

      Never mind that XNA doesn't have a particularly good OpenGL implementation, and that Silverlight is barely an open standard as i

      • XNA doesn't have a particularly good OpenGL implementation? As someone with years of experience with XNA, Direct3D, OpenGL, and even some experience with WebGL, I feel ethically responsible for saying that you have absolutely no idea what you're talking about at all.

      • Not only that but the games also work on Xbox360 and mobile phones without such a major porting.

        Know what else mobile phones have? The web.

        Xbox 360 doesn't have the web. What do you recommend to get a game ported to a console?

      • by sjames ( 1099 )

        Mono=an infectous disease that leaves you exhausted long after the virus is gone.

    • by armanox ( 826486 )

      But you'd lose a lot of platforms too - many phones, PS3/Wii, Linux, Mac, UNIX, etc, using Silverlight.

      • None of those platforms are paying him to first-post.
      • by JackDW ( 904211 )

        Not true.

        Firstly, you can run Silverlight applications on Linux and Mac with Moonlight.

        Secondly, in the case of C# applications that use Direct3D you can use Wine and Mono together.

        Thirdly, for phones, there is Mono for Android, and iOS support on the way, as described here [tirania.org].

    • Are we also supposed to write WebGL games with notepad?

      No. [gnu.org]

    • Adobe Molehill, the new accelerated 3D architecture for Flash and Flex basically does the same things.

      Are we also supposed to write WebGL games with notepad?

      I've tried out WebGL several times now and I can tell you it's disgusting. JavaScript is a terrible language, the only thing that makes it close to bearable is jQuery but even then you're still dealing with something there is almost no way to efficiently debug, no editor really fully supports, and still doesn't have a full standard or a standard everyone abides by. Imagine writing a full 3D game in JavaScri

      • Adobe Molehill...

        really?

        I've tried out WebGL several times now and I can tell you it's disgusting.

        what you mean is: "I don't understand GL"

        JavaScript is a terrible language....

        what you mean is: "I don't undrestand prototype based OOP and first class functions"

        ...no way to efficiently debug....

        what you mean is: "I don't know how to use firebug, opera firefly or google to find a better debugging tool"

        ...somehow getting it to pass data efficiently with AJAX....

        what you mean is: "I'dont know how XHR works and have never heard of JSON or XML"

        I think you did approach web development a but too fast. You should better tak a step or two back and look again at what you have done there, how much you understand of it and focus on developing your skills first before starting developing another web application. Why don't you start with something basic [fisher-price.com] and then go up the ladder?

        • Actually I started coding OpenGL on an SGI octane well before it was considered a consumer technology and I understand it quite well. I've written many applications using OpenGL and have written quite a few things with GLES 1 and 2. I do like GLES, I don't like GLES in JavaScript because as a language JavaScript really is terrible. It's slow, the context of "this" can sometimes change randomly, it's terrible at dealing with binary data and it runs differently on everything.

          I do use firebug and it easily the

  • Really? (Score:5, Funny)

    by internerdj ( 1319281 ) on Tuesday May 10, 2011 @02:48PM (#36086752)
    I mean what could possibly be dangerous about allowing random websites to run hardware level code?
    • by drpimp ( 900837 )
      Who cares as long as I can get Duke Nukem Forever in my browser ... /holds-breath
    • I mean what could possibly be dangerous about allowing random websites to run hardware level code?

      The same thing that's dangerous about allowing anyone to run random code on your system. This is not a new security problem. It's the same old security problem in a flashy new suit. Any access higher than no access risks infection.

      Personally, I'm curious about what, if any, protections WDDM provides against this type of attack (by design or by accident).

  • by jeffb (2.718) ( 1189693 ) on Tuesday May 10, 2011 @02:49PM (#36086770)
    You can dedicate hundreds of threads to high-volume malware, while freeing up your CPU to maintain a smooth phishing experience!
  • by xiando ( 770382 ) on Tuesday May 10, 2011 @02:51PM (#36086792) Homepage Journal
    An attack based on "exploit security vulnerabilities in the graphics card driver" seems less likely using the FOSS graphics drivers. I'm not saying they can not be exploited, I'm just saying that this makes me feel somewhat safer than I would feel if I were using the closed Binary Blob drivers.
    • by MrEricSir ( 398214 ) on Tuesday May 10, 2011 @02:55PM (#36086838) Homepage

      Do any FOSS drivers even support shaders?

      • by Anonymous Coward on Tuesday May 10, 2011 @03:13PM (#36087046)

        probably why he feels more secure!

      • by binkzz ( 779594 )

        Do any FOSS drivers even support shaders?

        No, OpenGL only recently added support for Phong shading. But one day!

      • by r6144 ( 544027 )

        AFAIK the r600 driver for Radeon cards does support shaders, at least well enough to implement the OpenGL fixed-function pipeline.

      • by Ant P. ( 974313 )

        OpenGL renderer string: Gallium 0.4 on AMD CEDAR
        OpenGL version string: 2.1 Mesa 7.11-devel (git-6807438)
        OpenGL shading language version string: 1.20

        Looks like it. GLSL 1.2 isn't exactly new, but I'd take old standards with a real, safe memory manager over the likes of nvidia with their history of root exploits.

    • by m50d ( 797211 )
      Given the general quality level I'd have to disagree; the nvidia drivers work perfectly, even supporting e.g. S3 suspend, and most of the code is the same as their (quite widely tested) windows driver. Wheras with the free intel drivers I still get lots of random display corruption, and those're supposed to be on the good end of free drivers.
      • by godefroi ( 52421 )

        the nvidia drivers work perfectly, even supporting e.g. S3 suspend

        Wait, is that uncommon on your platform? On my platform of choice, if S3 suspend didn't work, I'd definitely be returning some hardware or other.

  • Info and thoughts (Score:5, Informative)

    by TopSpin ( 753 ) on Tuesday May 10, 2011 @02:51PM (#36086796) Journal

    WebGL is a Javascript expression of OpenGL ES 2.0, the same OpenGL edition that appears on Apple's iOS and recent versions of Android. OpenGL ES 2.0 is essentially OpenGL 2.0 with the fixed function pipeline removed. This reduces the size of the API substantially.

    Some may remember the little ARM11 based computer that appeared [slashdot.org] last week supports OpenGL ES 2.0. OpenGL ES 2.0 is also the choice of Wayland developers. There seems to be a big convergence happening around this particular edition of OpenGL due to embedded GPUs

    WebGL is manifested as a context of a HTML5 canvas element. Javascript has been extended with new data types to provide aligned, dense arrays for loading vertex attributes into the GL. WebGL allows vertex and fragment shader code to be loaded into the GL.

    The end result is very high performance graphics driven by Javascript hosted in a browser. WebGL integrates with the browser in some convenient ways; texture data is loaded from Javascript image objects and CSS can apply 3D transforms, for example.

    WebGL has been supported in experimental form by Webkit and Mozilla since late 2010. Opera also supports WebGL. Microsoft is no where to be found.

    Operating systems compromise security for the sake of GPUs. Obviously, exposing graphics subsystems to inevitably malicious code will get machines compromised. I think Google, Mozilla, et al. should adopt the 'no-script' paradigm for this stuff and require the operator to explicitly enable WebGL content case by case. The graphics subsystem will never prioritize security over performance so securing these code paths well enough for public exposure will never happen.

    It would be nice if they gave this some thought before millions of people get owned and WebGL gets a huge black eye......

    • It would be nice if they gave this some thought before millions of people get owned and WebGL gets a huge black eye......

      WebGL has been supported in experimental form by Webkit and Mozilla since late 2010. Opera also supports WebGL. Microsoft is no where to be found.

      Well, that sounds like a good first step.

    • by Lennie ( 16154 )

      I'm much more worried about the 'hardware acceleration' browser makers are using. WebGL is a very well defined subset of OpenGL.

      Anyway I've seen many browser/drivers/operating systems and other parts of the stack fail on it.

      I think it will take time for the driver, operating system, browser makers to get it right.

      You can also look at it differently: We've had exploits with images, do people disable it by default ?

      If you want to disable something, do it like the HTML5 Geolocation, pop up a bar: "do you want

    • by nstlgc ( 945418 )
      I think Google, Mozilla, et al. should adopt the 'no-script' paradigm for this stuff and require the operator to explicitly enable WebGL content case by case.
      I agree, the users usually make the right choice. Cue "click here for awesome smileys!". /s
  • Something, that was just put out that undermines the security of something else......I never saw that one coming.
  • Quake Live (Score:3, Interesting)

    by mfh ( 56 ) on Tuesday May 10, 2011 @03:00PM (#36086902) Homepage Journal

    I raised this concern with Quake Live, but was quickly shut down by people. Nobody wants to listen to the possible security holes in something they want to ram through at all cost. Forgive my tone if I'm a little annoyed hearing this. Sometimes you want to be wrong about something, but now I have been proven correct, I'm annoyed with myself.

    • Quake Live isn't WebGL. Even if it was, Quake Live wouldn't be affected. This security concern is only about a user visiting a web page that runs a malicious WebGL program, which Quake Live is not.

  • I don't get it (Score:2, Insightful)

    by multi io ( 640409 )
    So they're saying that enabling shader code execution allows web sites to exploit hypothetical vulnerabilities in the graphics driver? How's that different from saying that enabling Javascript code execution allows web sites to exploit hypothetical vulnerabilities in the Javascript interpreter?
    • because up until now the response from graphics card manufacturers has been "security auditing? Open specifications? What, are you running arbitrary binaries on your PC and complaining when they take over your system?", whereas now they'll need to say "security auditing? Open specifications? What, are you running a web browser conceived of before 2010?"

    • Re:I don't get it (Score:4, Insightful)

      by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Tuesday May 10, 2011 @03:41PM (#36087332)

      So they're saying that enabling shader code execution allows web sites to exploit hypothetical vulnerabilities in the graphics driver?

      They're not particularly hypothetical. Graphics driver code is such that games programmers carefully work around bugs in order to not crash anything. Imagine if every program running on the main CPU had to carefully avoid certain instruction sequences in order to not crash the system -- would you run a multi-user system on that?

      Then again, that was how it was in the 80's on many time sharing systems...

    • The key here is "attack surface". Having relatively uninhibited access to low level graphics APIs that were not previously assumed to be public means there are probably lots of bugs with security implications. I wouldn't be surprised if graphics drivers eschew error checking in order to gain performance, but now malicious programmers can use that to crash the browser or OS. Shader compilers are also quite complex, and may present opportunities for specially crafted invalid programs to overflow buffers or

    • by Bengie ( 1121981 )

      Your JS interpreter doesn't run at kernel level with full access to your low level hardware.

    • Because, like Adobe formats before it (like PDF or Flash), graphics card drivers were designed well before any serious thought was given to security issues. Even now, graphics drivers are 100% focused on speed, speed, speed, and security concerns are probably barely even on the radar. As GPUs move closer to general-purpose computing devices with true logic paths, this problem is only going to get worse. In other words, it's probably a softer target than a Javascript runtime environment is, and that's say

    • by yuhong ( 1378501 )

      Why do you think the OpenType sanitizer had to be created?

  • They got BSODs by 'overloading' GPUs. By doing what, continuous high-stress activity? In which case, surely they should be sufficiently ventilated etc. isn't that the real issue - surely it's not possible to kill GPUs by just making them a lot of work? Imagine if CPUs did that, we'd be pretty screwed by now

    If they don't mean high-stress/high-throughput activities, what do they actually mean - overloading them with textures or something?

    • Yes. [geek.com]
    • by skids ( 119237 )

      No, GPUs do DMA bus mastering and other newer sorts of independent access to RAM and the bus address space at large. If the command stream is not filtered, or the hardware does not have provisions for contexts that restrict the GPU's memory access capabilities depending on what control channel is being used, a GPU can pretty much read and scribble all over the entire system RAM.

      GPU manufacturers have been historically oblivious to this and not bothered to put much in the way of security features into the h

      • by tamyrlin ( 51 )

        Actually, at least early NVIDIA cards had pretty good hardware support for this as far as I understood it. I don't know the status of their current cards, but their early cards had hardware support for different contexts and would generate an error if a user tried to do something it was not allowed to do. (For example, rendering outside of the selected window.) So the cards could allow a user to send commands via DMA to the card (this is often called direct rendering) in a secure manner without any risk of

    • It actually is very possible. I recall recently AMD had to place a block on FurMark in their drivers because it was stressing their video cards too much - causing them to fail. AMD had designed their power circuitry and cooling designs around "typical" use cases and not around the theoretical maximums - meaning you could overload the power circuitry or burn out your graphics card with just software.

  • by Anonymous Coward on Tuesday May 10, 2011 @03:22PM (#36087118)

    Can anyone remind me why we're putting EVERYTHING in a web browser anyway?

    • by tepples ( 727027 )

      Can anyone remind me why we're putting EVERYTHING in a web browser anyway?

      Because Native Client is specific to Google Chrome. What other instant, sandboxed application deployment method do you recommend before other companies' browsers begin to support Native Client?

    • Can anyone remind me why we're putting EVERYTHING in a web browser anyway?

      Simple. Because we really don't give a fuck about web browsers.

      All we really want / need is a cross platform widely distributed standardized* text & graphics display environment that can be manipulated via client side scripting, and can communicate with server side processes; And for "applications" or "services" created with such a system to be easily discoverable by our users.

      * Yes, we need across the board standards conformance for stability and to reduce development costs, too bad we don't real

      • to reach critical mass, any alternative language such as lua would require sponsorship by each open source browser effort. Given each has its own javascript engine as a selling point (mine is 10% faster than yours), such consensus might be difficult. Perhaps a higher level API than DOM is needed to shield the language runtime from the underlying impl.
        Perhaps a more realistic solution is to translate lua (or other) into javascript that can then be forwarded to the js engine. Coffescript uses this approach. I

      • by mgiuca ( 1040724 )

        IMHO, we should ditch JS for Lua

        Can I offer an alternative suggestion? How about we DON'T replace JavaScript with <insert favourite scripting language here>. Okay, part of the problem with web scripting is that we're using JavaScript, which sucks. But the majority of the problem is that we're using a programming language at all. We've just reinvented the biggest, clunkiest wheel on the planet.

        Look at the number of projects that are taking programming code, or in some cases bytecode, and compiling it u

    • So that users don't have to install anything, making it easier to distribute software.

    • Because that's Google's business plan.

      And people are too lazy to deal with installation, patching, etc.

    • by Flammon ( 4726 )

      Ubiquity

    • by AmiMoJo ( 196126 )

      Are you kidding?

      Browsers are cross platform, supposedly secure and sandboxed, easy to develop for and provide an easy way to make applications while delivering ads and data-raping your users. There is nothing for the user to install and no way to pirate your app or game. Updates are instant and require no user intervention.

  • Which they had already written for WebGL.

    http://mxr.mozilla.org/mozilla-central/source/content/canvas/src/WebGLContextUtils.cpp#101 [mozilla.org]

    At least then users have to click ok before trusting a site, in a similar fashion to location data.
    And hopefully that check will be strongly worded.

    Personally, I'm glad I run NoScript

    • What's also funny is I remember discussing precisely this attack method a few weeks ago w/ webgl folks.
      Thought at the time it'd be a bit slower than the end result, in terms of image extraction.

      Also joked about combining it with a webgl game to keep the user occupied, where their clicks on the "red ball" or "blue ball"
      would steal more pixels.

      Speed up the attack while keeping them occupied.

  • I doubt this is going to be a major cause of future security problems.

    As far as I'm aware, WebGL is only allowing shaders to be specified in GLSL which is a pretty high level shading language. Obviously there's no such thing as pointers, and unlike something like javascript there's no interaction with complex objects. Shaders form a very clean and thin interface, basically just being a bunch of floating point vector operations. The only complex objects you're really going to interact with is various texture

  • by molo ( 94384 ) on Tuesday May 10, 2011 @05:28PM (#36088188) Journal

    about:config

    webgl.disabled = true

    -molo

  • by ShawnX ( 260531 ) on Tuesday May 10, 2011 @06:45PM (#36088934) Homepage Journal
    With Mesa and at least, Radeon drivers all commands written to GPU are checked by a parser to prevent certain violations from occurring? The CP (Command Parser) in the Mesa/Gallium3D driver checks all commands written.
    • As a Linux/ATI user, I'm completely protected because there are no Linux browsers that currently support WebGL on ATI hardware with the official drivers.

      Suck it, Windows users.

  • by KewlPC ( 245768 ) on Tuesday May 10, 2011 @06:58PM (#36089008) Homepage Journal

    For the most part this is a lot of security handwaving.

    While the GPU itself can do DMA and whatnot, shaders don't have access to any of that. If a shader can access texture memory that hasn't been assigned to it *in certain browsers* then it sounds like a bug in the browser or the browser's WebGL plugin. Being able to "overload" the GPU and blue screen the computer sounds like Yet Another Windows Bug.

    A shader isn't just some arbitrary binary blob that gets executed directly by the GPU. Even native programs can't do this. You provide the driver your shader source code, the driver does the rest. It's intentionally a black-box process so that the driver can optimize the shader for the GPU and not force a specific instruction set or architecture onto GPU designers. Thus allowing the underlying GPU design to evolve, possibly radically or in unforseen ways, without breaking compatibility.

    Furthermore, a shader can only access memory via the texture sampler units, which must be set up by the application. If the WebGL application (which is just JavaScript) can set things up to access texture memory it isn't supposed to be able to, the problem is with the WebGL and/or HTML5 implementation, not the concept of WebGL or the GPU driver.

    • It was never stipulated that there's anything fundamentally insecure about WebGL. The problem is that exposing hardware acceleration to untrusted code significantly increases your attack surface. With WebGL, suddenly graphics drivers and hardware acceleration subsystems must also be made secure because they're running untrusted code from the web.

      Graphics drivers aren't even close to being secure enough to allow untrusted code - I remember seeing a case a couple of months ago where a game developer had accid

  • Misleading (Score:3, Interesting)

    by Eravnrekaree ( 467752 ) on Tuesday May 10, 2011 @08:08PM (#36089500)

    This is overstated and inaccurate headline. A large area of harm can come from a software application accessing memory space which is a hardware adapter mapped into address space of the app, and manipulation of pointers and so on. This is a issue with C level programming where you have direct access to memory addresses and pointers. A javascript implementation of WebGL does not offer access to OpenGL functions by addresses or pointers to the functions at all. Instead it should use a dispatch table below the javascript environment. JS is thus isolated from direct access to hardware and IS NOT using hardware addresses in any way to access functions.The WebGL program can only therefore access the functions via that dispatch table. There are still possible issued with problems with the OpenGL API itself that may need to be addressed for safety. However, direct access to video hardware by a Javascript app is out of the question, it should not be done, and should not be allowed in a Javascript environment. the Javascript is a sandbox and does not provide direct access to memory address space, system calls or other such things. if security is a concern, due to Hardware faults that could be triggered by sending a series of OpenGL commands, the web browser can be configured to use software renderer instead of the hardware rendering, or selectively block that series of OpenGL commands in some way. If there are significant problems with hardware rendering, that may be sometjhing that may have to be considered as a default option. this is something that can affect all applications that are used over a network including gaming applications, since, even a gaming app that sends abstracted updates such as "soldier moves forward 200px" can trigger OpenGL calls in a predictable way. However, these nor WebGL should not expose the graphics hardware directly to Javascript or the network protocol, nor the address space, only OpenGL functions can be called by some sort of token or symbol which is contained within the sandbox environment and does not directly referfence a memory location. Those OpenGL functions are used by a wide range of different network applications, so this is not a problem particular to WebGL.

    I am a web rendering engine developer so I have an interest in making sure these things are safe. If necessary we will software render by default until we can be sure about safety with direct rendering. Furthermore this is not a WebGL problem,s, these are bugs in OpenGL itself. There are software rendering workarounds. So this will not affect the availability of WebGL.

    I do support WebGL since it will help the web environment compete against Flash.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...