
WebGL has an architecture exposure


The following is an excerpt from Contextis.Com

  • A number of serious security issues have been identified with the specification and implementations of WebGL.
  • These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
  • Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk.
  • These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete)[AA] programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
  • Browsers that enable WebGL by default put their users at risk to these issues.


The Attack looks like this
(graphic is from http://www.contextis.com/resources/blog/webgl/)

During the development of WebGL it seems that all the browser vendors supporting it have encountered issues with certain drivers being unstable or crashing completely. The current work around for this seems to be a driver black list (or in Chrome’s case not running WebGL on Windows XP at all). (See https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers). This does not seem to be a very tenable approach long term.

Conclusions

Based on this limited research Context does not believe WebGL is really ready for mass usage, therefore Context recommends that users and corporate IT managers consider disabling WebGL in their web browsers.

While there is certainly a demand for high-performance 3D content to be made available over the web, the way in which WebGL has been specified insufficiently takes into account the infrastructure required to support it securely. This is evident from the development of ways to mitigate the underlying security issues by introducing validation layers and driver black-lists; however this still pushes much of the responsibility of securing WebGL on the hardware manufacturers. Perhaps the best approach would be to design a specification for 3D graphics from the ground up with these issues in mind.

Please see the Contextis.com article for the details

[AA] see this Wiki for Turing Complete; it's all computer science stuff

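One way to confirm that a browser really has WebGL turned off, as the excerpt above recommends, is to probe every WebGL context type from a page. This is an added example, not part of the original post or the Context article; `probeWebGL`, `webglPolicyVerdict` and the `createCanvas` parameter are hypothetical names.

```javascript
// Added example: audit whether any WebGL context can still be created.
// `createCanvas` is a hypothetical injection point so the probe runs in a
// page (default) or against constructed stubs outside a browser.
const WEBGL_CONTEXT_NAMES = ['webgl2', 'webgl', 'experimental-webgl'];

function probeWebGL(createCanvas = () => document.createElement('canvas')) {
  const result = { enabled: false, contexts: [], renderer: null, errors: [] };
  for (const name of WEBGL_CONTEXT_NAMES) {
    let gl = null;
    try {
      // Fresh canvas per attempt: a canvas stays bound to the first
      // context type it hands out.
      gl = createCanvas().getContext(name);
    } catch (err) {
      // Some configurations throw instead of returning null.
      result.errors.push(`${name}: ${err.message}`);
      continue;
    }
    if (!gl) continue; // null means this context type is unavailable
    result.enabled = true;
    result.contexts.push(name);
    if (result.renderer === null && typeof gl.getParameter === 'function') {
      // Implementation-reported renderer string, useful when checking a
      // machine against a driver block list.
      result.renderer = String(gl.getParameter(gl.RENDERER));
    }
    // Release the context so the audit itself does not hold GPU resources.
    const lose = gl.getExtension && gl.getExtension('WEBGL_lose_context');
    if (lose) lose.loseContext();
  }
  return result;
}

// Turn the probe result into a one-line verdict for a compliance report.
function webglPolicyVerdict(result) {
  return result.enabled
    ? `FAIL: WebGL reachable via ${result.contexts.join(', ')}`
    : 'PASS: no WebGL context could be created';
}

// In a browser console: console.log(webglPolicyVerdict(probeWebGL()));
```
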