
WebGL has an architecture exposure



#1 jobeard


Posted 10 May 2011 - 01:43 PM

The following is an excerpt from Contextis.Com

  • A number of serious security issues have been identified with the specification and implementations of WebGL.
  • These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
  • Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk.
  • These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete)[AA] programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
  • Browsers that enable WebGL by default put their users at risk to these issues.

The Attack looks like this: [image]
(graphic is from http://www.contextis.com/resources/blog/webgl/)

During the development of WebGL it seems that all the browser vendors supporting it have encountered issues with certain drivers being unstable or crashing completely. The current workaround for this seems to be a driver black list (or in Chrome’s case not running WebGL on Windows XP at all). (See https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers). This does not seem to be a very tenable approach long term.

Conclusions

Based on this limited research Context does not believe WebGL is really ready for mass usage, therefore Context recommends that users and corporate IT managers consider disabling WebGL in their web browsers.

While there is certainly a demand for high-performance 3D content to be made available over the web, the way in which WebGL has been specified insufficiently takes into account the infrastructure required to support it securely. This is evident from the development of ways to mitigate the underlying security issues by introducing validation layers and driver black-lists; however this still pushes much of the responsibility of securing WebGL on the hardware manufacturers. Perhaps the best approach would be to design a specification for 3D graphics from the ground up with these issues in mind.

Please see the Contextis.com article for the details

[AA] see this Wiki for Turing Complete; it's all computer science stuff

J. O. Beard; you + tech-101.com => synergism. Secure your system now
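
A check an administrator could run after acting on the recommendation above to disable WebGL, added here as an example and not taken from the Context article or the forum post: it asks a canvas for a WebGL context under each context name and reports what the browser still exposes, including the renderer string that driver block lists key on. The function name `auditWebGL` and the result fields are assumptions of this example.

```javascript
// Added example: audit whether a browser still hands out a WebGL context.
// `doc` is the page's `document`; it is a parameter so the check can also be
// exercised against a stub outside a browser.
// "webgl2" is a later context name than the 2011 post; it is included so the
// audit covers current browsers as well.
const CONTEXT_NAMES = ["webgl2", "webgl", "experimental-webgl"];

function auditWebGL(doc) {
  const result = { enabled: false, contextName: null, vendor: null, renderer: null, error: null };
  let canvas;
  try {
    canvas = doc.createElement("canvas");
  } catch (e) {
    result.error = "canvas unavailable: " + e.message;
    return result;
  }
  for (const name of CONTEXT_NAMES) {
    let gl = null;
    try {
      // Returns null (or throws in some browsers) when WebGL is turned off by
      // preference, policy, or a driver block list entry.
      gl = canvas.getContext(name);
    } catch (e) {
      result.error = e.message;
    }
    if (!gl) continue;
    result.enabled = true;
    result.contextName = name;
    result.error = null;
    // Optional extension; browsers may withhold it, so absence is normal.
    const info = gl.getExtension("WEBGL_debug_renderer_info");
    if (info) {
      result.vendor = gl.getParameter(info.UNMASKED_VENDOR_WEBGL);
      result.renderer = gl.getParameter(info.UNMASKED_RENDERER_WEBGL);
    } else {
      result.vendor = gl.getParameter(gl.VENDOR);
      result.renderer = gl.getParameter(gl.RENDERER);
    }
    break;
  }
  return result;
}

// In a browser console: console.log(auditWebGL(document));
```

A result with `enabled: false` on every managed machine is the outcome the recommendation aims for; `enabled: true` shows the setting did not take effect in that browser profile.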