WebGL Poses New Security Problems

Julie188 writes "Researchers are warning that the WebGL standard undermines existing operating system security protections and offers up new attack surfaces. To enable rendering of demanding 3D animations, WebGL allows web sites to execute shader code directly on a system's graphics card. This can allow an attacker to exploit security vulnerabilities in the graphics card driver and even inject malicious code onto the system."

WebGL was always a bad idea

Now that we finally have sandboxing in browsers they want to let any website run directly code on your hardware. Insane! Just forget the WebGL stuff. Silverlight has direct support for XNA which handles it everything better and safer anyway. Are we also supposed to write WebGL games with notepad? At least XNA games can be written with a solid IDE like Visual Studio. Not only that but the games also work on Xbox360 and mobile phones without such a major porting. What a developers dream...

Leave my hardware alone and secure!

Re:WebGL was always a bad idea

Silverlight has direct support for XNA
[snip]
a solid IDE like Visual Studio.
[snip]
Not only that but the games also work on Xbox360 and mobile phones
[snip]
Leave my hardware alone and secure!

Translation: "WebGL is insecure! Use Microsoft products instead!"

Sorry, I need to stop laughing hysterically before I can post any more.

Re:WebGL was always a bad idea

[armanox]

But you'd lose a lot of platforms too - many phones, PS3/Wii, Linux, Mac, UNIX, etc, using Silverlight.

Re:WebGL was always a bad idea

[Jeremy+Erwin]

Are we also supposed to write WebGL games with notepad?

No.

Re:WebGL was always a bad idea

It may be ironic, but he's right, even the MS solution is inherently more secure than WebGL. Security vulnerabilities have to break out of a sandbox and the sandbox can be fixed much more easily than a straight passthrough to various graphics drivers.

Re:WebGL was always a bad idea

[h4rr4r]

No, VIM is a far better choice for not only WebGL but everything else as well :)

Re:WebGL was always a bad idea

I think the Microsoft shill decided to start posting anonymously.

Re:WebGL was always a bad idea

Forgo iOS and Android? Relegate yourself to Microsoft's little vertical romper room if you want.

Re:WebGL was always a bad idea

[Unoriginal_Nickname]

The main vector of attack in WebGL is through shaders. Silverlight doesn't support shaders (it only supports the Reach profile,) which - for better or for worse - means it really is more secure.

Re:WebGL was always a bad idea

[Culture20]

None of those platforms are paying him to first-post.

Re:WebGL was always a bad idea

[Sc4Freak]

Silverlight does support shaders - Reach profile just means that you're limited to Shader Model 2. SM2 is sort of like a baseline requirement these days for a lot of things including Windows Aero. On the desktop it's supported by the old-school ATI Radeon 9 series or higher or Nvidia Geforce FX or higher. On the mobile, GPUs that support OpenGL ES 2.0 are generally SM2-compliant.

Re:WebGL was always a bad idea

[hairyfeet]

While this may be true, something has seriously been bothering me lately, maybe someone here at /. can explain...WTF is it with the obvious MSFT shills here lately? Did they get a deal on that HB Gary Fed software or something?

I just don't get it. I mean sure the WinPhone ain't doing so hot, but the X360 is a hit and fulfilled its stated goal to get MSFT out of the office and into the living room, Windows 7 frankly rocks, and this is from someone who hung onto Win2K and XP X64 because frankly I thought their consumer OSes were lame, and last numbers I saw had fully two thirds of new servers being sold with WinServer and WinSBS Server was racking up the numbers. So WTF? The obvious shilling now makes NO sense, and just turns folks off. So why do it?

As for TFA this is something else that I think deserves a WTF and that is JavaScript and the current way we are doing things. Sites like FB are twisting JScript in ways it was never designed and now that we are starting to make real process on killing drive bys with low rights mode and getting rid of those damned "hey lets run as admins!" XP boxes now everyone wants to run third party web code bare metal? WTF?

Maybe with all this Web 3.0 crud we really ought to think about starting over with a new design built from top to bottom with security in mind. Maybe something with multiple isolation layers and least permissions, because there ought to be some way other than NoScript or hoping everything will stay in the sandbox to make it so everyone can have their FB games and bling bling without going through another ActiveX mess all over again. Perhaps instead of calling content from all over the web just to render a single page only allow code to be kept in a "time out room" on the server serving the web pages in such a way that the browser can do malware scans before calling it?

I'm just a humble PC fixit guy, not a security expert so I can't give you the answers, only ask the questions. But it seems to me there ought to be a way to allow people to have things like hardware acceleration without just running everything or blocking everything. Sandboxes to me always felt like a band aid on a bullet wound, and we tell folks not to run untrusted .exe files they trip over yet we are supposed to trust all the ads and flash and everything else, often which isn't even controlled by the website admin? It just doesn't seem like the right way to be going about this. Am I crazy?

Re:WebGL was always a bad idea

[Kagetsuki]

Adobe Molehill, the new accelerated 3D architecture for Flash and Flex basically does the same things.

Are we also supposed to write WebGL games with notepad?

I've tried out WebGL several times now and I can tell you it's disgusting. JavaScript is a terrible language, the only thing that makes it close to bearable is jQuery but even then you're still dealing with something there is almost no way to efficiently debug, no editor really fully supports, and still doesn't have a full standard or a standard everyone abides by. Imagine writing a full 3D game in JavaScript, somehow getting it to pass data efficiently with AJAX, then opening it up in IE to see it doesn't run at all and then in a WebKit browser only to find random areas are transparent or some of the models are all screwed up. This is exactly what will happen. Seriously, Silverlight+XNA or Flash/Flex are the only real solutions out there. WebGL will be a disaster and trying to code in it will be a waste of your time.

Re:WebGL was always a bad idea

[Unoriginal_Nickname]

Right, my mistake. I was thinking of WP7.

Re:WebGL was always a bad idea

[justforgetme]

Well, sandboxing has proven itself to be a very good solution to priviledge encapsulation. As for the driver issue well, I would love to dismiss it as hot air but unfortunately until now the graphics driver wasn't the goto vector so obviously gfx drivers could be riddled with exploitable behavior.

I can't ignore the fact though that running native browser functionality instead of plugins (which in my opinion is content encapsulation and inherently bad) is a much better approach than the other one. IMHO people who defend the plugin now are kind of lying to themselves. After all looking about a decade back the plugin was the newcommer (see flash & shockwave) and those who chose to use it were exposed to a very real security threat that escalated to many hororstories. In fact I remember that at some point I had read in a respectable security blog that best practice was to use the Internet without any plugins (which actually is true even now).

So why are plugins better? Because you, who tells me so, are too invested in them to let go? No buddy sorry, that is not enough. WebGL is a very well thought out implementation, the only thing that has to be done before it acquires critical mass is for gfx driver developers to pull their shit together and secure their work.

I don't want content encapsulation.
I don't want to give up my browser's security for fancy (read:easy to make) websites which usually are less usable and ridden with inter-platform bugs
I don't want my computer's security to be compromised by the idiocy of each and every one plugin vendor
I don't want plugin vendors (corporations) to force my platform decisions because of their critical mass

If you think the above are good things then sorry I wasted your time, please keep on reading lolcats on your iDontHaveMyOwnOpinion-Phone ;-)

Re:WebGL was always a bad idea

[justforgetme]

Adobe Molehill...

really?

I've tried out WebGL several times now and I can tell you it's disgusting.

what you mean is: "I don't understand GL"

JavaScript is a terrible language....

what you mean is: "I don't undrestand prototype based OOP and first class functions"

...no way to efficiently debug....

what you mean is: "I don't know how to use firebug, opera firefly or google to find a better debugging tool"

...somehow getting it to pass data efficiently with AJAX....

what you mean is: "I'dont know how XHR works and have never heard of JSON or XML"

I think you did approach web development a but too fast. You should better tak a step or two back and look again at what you have done there, how much you understand of it and focus on developing your skills first before starting developing another web application. Why don't you start with something basic and then go up the ladder?

Re:WebGL was always a bad idea

[hbxnseo]

http://www.shzqz.com/

Re:WebGL was always a bad idea

[JackDW]

Not true.

Firstly, you can run Silverlight applications on Linux and Mac with Moonlight.

Secondly, in the case of C# applications that use Direct3D you can use Wine and Mono together.

Thirdly, for phones, there is Mono for Android, and iOS support on the way, as described here.

Re:WebGL was always a bad idea

[LifesABeach]

In the fullness of time, WebGL will handle the security stuff. Maybe for those who bathe in Silver-Lite, they will ask questions like, "why?"

Re:WebGL was always a bad idea

[hairyfeet]

Where did I say anything about plugins? The only plug in I mentioned was noScript, because frankly browsers suck ass (which I'm sure that you will agree) when it comes to giving the user control over what scripts run and which don't. BTW I've switched to Dragon (Chreomium based) so the only extensions I have is ABP and Forecastfox.

But as I said all we really have right now is band aids on bullet wounds. wanna see one in action? This seems to work in both FF 4 and Chromium based browsers so take your pick. Make an account in Yahoo mail beta, load some phoney addresses (you'll see why in a minute) and save and close them out. Then relaunch your browser and start surfing some NSFW porntube sites like DrTuber and Xhamster, be sure to click on the links to some of the other sites advertising there. In about an hour of doing that you'll find they have managed to copy your address book and will send you spam from yourself! Sandboxes, NoScript, somehow they've managed to cut through all that and read the address book which Yahoo must be storing unencrypted somewhere on the drive.

So I still think we are gonna end up needing a new language, because JavaScript simply wasn't designed for security. We need it to be built from the bottom up with least privileges and security in mind, lots of isolation and nothing running that isn't approved. Like I said I'm just a fixit guy I don't have the answers, i'm just asking the questions. And I agree with you on the things you do NOT want, the problem is how to allow you to have the good content without the bad. Any ideas on that?

Re:WebGL was always a bad idea

[Kagetsuki]

Actually I started coding OpenGL on an SGI octane well before it was considered a consumer technology and I understand it quite well. I've written many applications using OpenGL and have written quite a few things with GLES 1 and 2. I do like GLES, I don't like GLES in JavaScript because as a language JavaScript really is terrible. It's slow, the context of "this" can sometimes change randomly, it's terrible at dealing with binary data and it runs differently on everything.

I do use firebug and it easily the best tool for debugging but that doesn't change the fact that there are much better debuggers for other languages. And I do know how XHR works and I use JSON.

Don't just assume I'm an idiot because I have an opinion. Maybe you should go download the mxmlc compiler and actually check out Away3D and compare what you have there to any tool in WebGL/JavaScript. I write ActionScript3 in vim and use makefiles to compile it by the way.

Oh, and fuck you for wasting my time.

Re:WebGL was always a bad idea

[justforgetme]

Bla... Bla... blablahhh.....

Sorry for the misunderstanding, let me clarify:
I don't assume you are an idiot because you have an opinion. I know you have something seriously wrong in your head because you think the way forward is clinging to a badly conceived, badly executed, proprietary browser plugin in stead of using fresh and native tools to express yourself.

Re:WebGL was always a bad idea

[Kagetsuki]

I used to hate Flash too, but then I realized Adobe really did an excellent job with ActionScript3 and the compiler, API, and a lot of tools are completely free (as in beer). AS3 as a language is much more powerful than JavaScript and it has many less issues. On top of that AS3 had noticably faster communication time for XHR when making a ton of tiny parallel requests. And don't think I'm just bad with JavaScript, I've done a lot of it and at times have found it a very good tool for the job (I wrote the SpinShot script and JavaScript was and is the superior solution: http://spinshot.info./

I found all this out just as I was having a terrible time trying to get an SNS game working in JavaScript/HTML5. The client wanted it to run on iPhone as well as on the desktop and also wanted IE compatibility - so that meant a lot of fall-backs. A month in the whole thing was a disaster - massive massive amounts of code and everything looked and acted different on different browsers despite the fact we were using canvas. Oh and the iPhone just didn't work because you couldn't drag properly unless you jumped through all sorts of ridiculous "because it's Apple" hoops. Our designer, who uses Adobe stuff, somehow ran across someone posting on a forum they were using the "free" mxmlc compiler to do raw AS3. I grabbed it, popped open VIM, did hello world, figured out some compiler flags and threw together a Makefile with local-debugging and release profiles, and spent the weekend porting the application (on Ubuntu x64!). Not only did it work gorgeously but AS3 has much more robust OO and the language is a lot more streamlined so I was able to decompose the code much more efficiently, break it up into more files and have more logical objects, and deal with image affines and other things with native object features. I ported the whole thing in a weekend and it ran better, was easier to understand, and debugging was much more solid process.

The thing is the client wanted iPhone, so I asked my designer about that and he informed me there were tools to port Flash applications to iPhone apps. I called the client, showed her the JavaScript version and the Flash version, explained about the iPhone and how we would have to port which we had not done so we didn't know about the complexity. She chose Flash, we finished way sooner than we expected, and the whole experience really opened my eyes as to why so many web apps use Flash. You are doing yourself a disservice if you don't check it out. The client ended up not wanting an iPhone app so we never actually did port it but we're about to do just that in a few weeks with an in-house SNS app so we'll see how that goes.

I don't like that flash is proprietary, I don't like that it isn't even fully open standard, but I also need to make money an I need to code quickly and efficiently. The truth is there are more users with Flash than there are with capable HTML5 browsers. Flash runs on Android now, including 3D, and the 3D is actually impressively smooth (we're testing on the Galapagos phone). On top of that is Air, which you can use to make your Flash apps into full desktop software that is fully cross platform AND runs on Android and can be sold as an app in the market. Open or not Adobe has saved me time and made me money all while delivering a fairly nice development experience - and it didn't cost me anything.

Re:WebGL was always a bad idea

[Kagetsuki]

Oh, and the truth is I think the idea of WebGL is a very good one. I'd really like to see sites where there is just one canvas tag with a script injecting WebGL into it. The thing is I've tried the samples, I've played with it, and it was a terrible experience. The sole defamer of WebGL is JavaScript. JavaScript is a text language, really everything is text and that is right down to the fact that you can change the text of the script while the script is running ["feature"?]. GLES is a very binary/data oriented experience and that just did not translate well to JavaScript at all. On top of that FireBug just can't deal with WebGL scripts at the moment. Maybe all this will change, but how many more years is that going to take? I want 3D web apps now.

I also love OpenGL. I've been using it since I was 16. I'm a little dissatisfied with how Khronos is dealing with it in some respects, but in others I'm quite happy. GLES 2.0 in particular I like a lot - I like the control it gives me and I love how quickly the world has embraced it.

Really?

[internerdj]

I mean what could possibly be dangerous about allowing random websites to run hardware level code?

Re:Really?

[binarylarry]

GLSL and HLSL are about as hardware level as javascript.

Re:Really?

s/javascript/c

Re:Really?

[binarylarry]

orly? Since when do you get pointers, direct memory access, etc.

I must have missed that part of writing shaders when I write them! Maybe you could bang out a tutorial!

Usually your shader code is compiled into an intermediate format by the driver and then that is JIT'd and converted into something executable on the gpu. Even in the case of OpenGL ARB shaders, which look like assembly, those are just converted into yet another internal assembly language, are optimized and executed on the gpu.

Re:Really?

The shaders CAN cause problems. There is a reason why the Linux open GPU kernel drivers have command stream filtering and command parameter checking on the extremely hot path between anything else and the GPU. Mind you, no proprietary driver does that, because the performance hit is *quite* noticeable.

And on IOMMU-less systems (or where it is turned off/set to bypass which is the vast majority), changes are high that any PCIe GPU can directly access all of the system RAM.

Do the math.

Re:Really?

[binarylarry]

Ever wonder why HLSL stands for High Level Shading Language?

You should ponder it for a while and get back to me.

Re:Really?

[flimflammer]

Then you clearly have not been here more than 10 minutes.

Re:Really?

[davidbrit2]

Oh, then that's a relief. Nobody's ever used Javascript as an attack vector.

Re:Really?

And yet despite all that you can still use Javascript to execute arbitrary code!

Integer overflow in the NewIdArray function in Mozilla Firefox before
    3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows
    remote attackers to execute arbitrary code via a JavaScript array with
    many elements.

Re:Really?

[peragrin]

Ask Adobe. Flash requires direct hardware support in order to function. It is why Flash on Windows performance is faster than all other OS's combined.

Re:Really?

[spun]

http://en.wikipedia.org/wiki/HLSL

Hmm, sure as hell looks a lot more hardware-level than javascript to me. I've never heard of javascript execution depending on the hardware you have, but the features of this HLSL and GLSL stuff seem to be closely tied to the particular make and model of graphics card you own. For instance, the question "can Javascript do X?" can be answered without knowing what hardware it is running on. The question "can HSLS or GSLS do X?" can not always be answered without knowing what hardware it is running on.

To make the example specific, let me ask you, can HSLS or GSLS do geometry shading? Answer yes or no without reference to hardware specifications.

Re:Really?

Don't make it worse. Every post just convinces more people that the AC above was right in his assessment.

Re:Really?

[drpimp]

Who cares as long as I can get Duke Nukem Forever in my browser ... /holds-breath

Re:Really?

It's ALL hardware level code, bro, and always was. The question is how many layers are there between the hardware and the scripting layer, and whether there are any leaks.

Re:Really?

that might be because windows has more users than all other OS's combined and they bother to get Flash working properly (or in the case of Apple machines are able to.)

Funny how that works!

Re:Really?

[tepples]

To make the example specific, let me ask you, can HSLS or GSLS do geometry shading?

Can HTML5 do Canvas, JavaScript Web Workers, SVG filters, and XMLHttpRequest 2? That's environment-specific too. Just as one has to fall back to other methods when certain HTML-family technologies turn out unavailable, one has to fall back to other methods when geometry shaders turn out unavailable.

Re:Really?

[spun]

Who asked anything about HTML 5? Who said anything about "environment specific?" Your entire post is a non-sequitur, relating to nothing that was actually under discussion. Let me refresh your memory. We were comparing HSLS or GSLS to javascript and asking which was more hardware specific. Now, do you have anything to add that is relevant to the topic under discussion?

Re:Really?

Well I sure hope it's better than all other OSs combined. If I'm on Windows, I don't want to wait for a video to render on OS X, then on Linux, before I watch it!

Re:Really?

[segin]

I am no graphics programmer, but I am going to stretch out my experience in other areas (audio APIs), and say that, while these are hardware-dependent in terms of features offered, I highly doubt the same low-level shaders that work on an ATI card will work on an NVIDIA card; in fact, I see HLSL and GLSL as wrappers, sorta of like Direct3D and OpenGL themselves a generation or two ago - certain Direct3D calls or OpenGL calls depended on what features are provided by the underlying hardware, and this also translates to bindings for interpreted languages (Python, for example). One graphics card might have you push 16-bit word 0xFEED to IO port 0x14f3, whereas another might have you put a 32-bit double-word to physical memory address 0xD4001337, while the program behind the high-level interface simply called the same exact function and arguments for both.

While this is an example describing purely native code, I believe it translates (maybe not so well) to interpreted things, like EMCA-262 (ISO/IEC 16262, aka JavaScript) and WebGL.

Let's say I want to send MPEG audio data directly to an MPEG-decoding sound card. With Open Sound System v4, I do this:

int dsp_fd = open("/dev/dsp", O_RDWR | O_ASYNC);
int format = AFMT_MPEG;
int ret = ioctl(dsp_fd, SNDCTL_DSP_SETFMT, &format);

If the underlying hardware supports decoding MPEG audio, it works, I can then write() all the MPEG audio data I want to my hearts content. If the hardware doesn't support decoding MPEG audio, I better hope the driver includes a licensed software decoder, or 'ret' there will contain the value -1, meaning I'm fucked.

When I see you idiots complaining about APIs that are essentially driving hardware functions lack certain functionality when the underlying hardware also lacks said functionality, and that you expect APIs to either "always work in full or completely break in full", I want to punch you in the face. From what I gather from a comment thrown around here (correct me if I am wrong), Silverlight's 3D APIs are intentionally crippled in the shader department to take the worry of hardware support away from developers (at the expense of being unable to use all of the features of the underlying hardware, I guess), and somehow that is the right thing to do. This AC here makes a pretty good point, in that, at the end of the day, it's all hardware-level code anyways. And I will direct you at, say, mpg123, which compiles in entirely different source files whether the target is x86 or PowerPC or whatever, if MMX or SSE or Altivec is to be used, etc., all hardware features of a CPU.

TL;DR: If you bitch because parts of an API used to drive hardware are unavailable in response to the hardware not supporting those features, and instead want an API that has all features always working no matter what the underlying hardware supports, either find an API that doesn't mind falling back to software rendering, or pull your head out of your ass and realize that the programming world (mostly) doesn't work that way.

Also, let me know how my knuckles taste, I'm going to punch you in the mouth for being stupid, while I'm at it.

Re:Really?

"I mean what could possibly be dangerous about allowing random websites to run hardware level code?"

I'm gonna say running them on IE.

Re:Really?

> And on IOMMU-less systems (or where it is turned off/set to bypass which is the vast majority), changes are high that any PCIe GPU can directly access all of the system RAM.

The AC I'm replying to is exactly on the mark: there is an excellent chance the graphics device can modify system memory arbitrarily. The number of possible attacks against the graphics system is quite large, and completely validating a command buffer consumes performance.

The more general purpose GPUs become, the worse this problem gets, too.

It's unfortunate that so many of the higher modded comments here have no clue what they're talking about. It's created a lot of confusion. People should mod up the AC I'm replying to - he or she is saying something that's actually true, unlikely many of the other comments on this thread.

Re:Really?

Depends. If you see it as a hardware virtual machine... oh wait!

On a more serious note: I donâ(TM)t know for sure, but I think graphics cards already separate different programs running on them by render surface. Which, unless you go fullscreen, would be a window. And I think that means, if the OS tells the graphics driver to kill the render surface, all related code in the card will be marked as free (what laymen would call "delete") and any read access as an error, making execution impossible.

Now if someone would be able to force the driver to treat it as GPGPU code...

But it should really not be hard to have the card put everything in its own sandbox.

And by the way: Plain text is hardware level code too, since it gets passed on in bit-exact form to the graphics driver. So if you think basic terminal and lynx, you fail too. ;)

Re:Really?

Hmm, thank you.

Trying to run fglrx in an IOMMU-capable box taught me fast that you really want that IOMMU enforcing sanity if you have a modern GPU anywhere in your system.

You see, about an year ago, fglrx (ATI's closed-source GPU driver for Linux) had a bunch of really really nasty driver bugs. You could watch the IOMMU filter out an impressive amount of illegal accesses (the fglrx driver was shutting down the PCIe mappings *before* quiescing the GPU properly) any time you felt like it. Some of those accesses were to hardware page 0. If the GPU can do a NULL pointer dereference because of a driver bug uploading crap in the command stream, and try to fetch data from page 0 *after the driver has been shutdown*, well, it can pretty much do _anything_ to the box.

Re:Really?

[Bacon+Bits]

I mean what could possibly be dangerous about allowing random websites to run hardware level code?

The same thing that's dangerous about allowing anyone to run random code on your system. This is not a new security problem. It's the same old security problem in a flashy new suit. Any access higher than no access risks infection.

Personally, I'm curious about what, if any, protections WDDM provides against this type of attack (by design or by accident).

Re:Really?

"what could possibly be dangerous about allowing random websites to run hardware level code?"

Is said hardware a PC, or a death bot?

With record-setting speed and efficiency!

[jeffb+(2.718)]

You can dedicate hundreds of threads to high-volume malware, while freeing up your CPU to maintain a smooth phishing experience!

Re:With record-setting speed and efficiency!

[MrEricSir]

And running your nuclear centrifuge at the same time!

Re:With record-setting speed and efficiency!

[liqs8143]

exactly!

Glad I'm not using Binary Blob drivers

[xiando]

An attack based on "exploit security vulnerabilities in the graphics card driver" seems less likely using the FOSS graphics drivers. I'm not saying they can not be exploited, I'm just saying that this makes me feel somewhat safer than I would feel if I were using the closed Binary Blob drivers.

Re:Glad I'm not using Binary Blob drivers

[MrEricSir]

Do any FOSS drivers even support shaders?

Re:Glad I'm not using Binary Blob drivers

probably why he feels more secure!

Re:Glad I'm not using Binary Blob drivers

[m50d]

Given the general quality level I'd have to disagree; the nvidia drivers work perfectly, even supporting e.g. S3 suspend, and most of the code is the same as their (quite widely tested) windows driver. Wheras with the free intel drivers I still get lots of random display corruption, and those're supposed to be on the good end of free drivers.

Re:Glad I'm not using Binary Blob drivers

[binkzz]

Do any FOSS drivers even support shaders?

No, OpenGL only recently added support for Phong shading. But one day!

Re:Glad I'm not using Binary Blob drivers

zOMG! How do you get the filled trianglez?! Is there a patch?

Re:Glad I'm not using Binary Blob drivers

[r6144]

AFAIK the r600 driver for Radeon cards does support shaders, at least well enough to implement the OpenGL fixed-function pipeline.

Re:Glad I'm not using Binary Blob drivers

[Ant+P.]

OpenGL renderer string: Gallium 0.4 on AMD CEDAR
OpenGL version string: 2.1 Mesa 7.11-devel (git-6807438)
OpenGL shading language version string: 1.20

Looks like it. GLSL 1.2 isn't exactly new, but I'd take old standards with a real, safe memory manager over the likes of nvidia with their history of root exploits.

Re:Glad I'm not using Binary Blob drivers

[ginbot462]

>>>> Do any FOSS drivers even support shaders?
>> probably why he feels more secure!

I hope this was intended funny, but others might be naive enough to worry about it. There is a limited capability of shaders right. As far as output, you only have a collection of graphic (or historically graphic) buffers et cetera that would have to be explicitly read THEN used in a manner to execute (either partial or in full). I hope the JPEG fiasco (Windows of course) squashed developers like that.

That being said, anything is possible and I am aware of pass-crackers that use graphic/CUDA technologies for crazy speeds at low cost (obviously, this could only useful in a support role for the other trojans/worms/malware at large). Given that people that don't know history are doomed to repeat it (Superfriends!), I expect the CUDA-leveraging virus within the year (for Windows of course).

Re:Glad I'm not using Binary Blob drivers

[Desler]

Googling "nvidia driver root explots" only brings up a single instance dating to 2006. Yes that is quite the "history of root explots" there.

Re:Glad I'm not using Binary Blob drivers

[godefroi]

the nvidia drivers work perfectly, even supporting e.g. S3 suspend

Wait, is that uncommon on your platform? On my platform of choice, if S3 suspend didn't work, I'd definitely be returning some hardware or other.

Re:Glad I'm not using Binary Blob drivers

[m50d]

The free drivers for my graphics card don't support it, and my sound card modules have to be manually unloaded and reloaded. Maybe I just got unlucky.

Re:Glad I'm not using Binary Blob drivers

[godefroi]

I'm going to assume you're running Linux or one of the *BSDs. I run Windows, and in my humble opinion, this is one of those things that ABSOLUTELY must work flawlessly before any sort of meaningful headway can be made into the desktop world.

Just my opinion.

Re:Glad I'm not using Binary Blob drivers

[m50d]

Shrug; I hardly used suspend on my desktop back when I had it working (no idea whether it still works). Laptops sure you need it (and in fact I run windows on my laptop), but my desktop is half server these days, if I suspended it my website would go down. I don't care so much for OS wars nowadays, but BSD fits my needs (ZFS, apache, customizable desktop transparency) better than anything else I've found.

Anyway, my actual point was that the nvidia binary drivers tend, in my experience, to be better quality than free software video drivers, S3 suspend support being one example of this.

Re:Glad I'm not using Binary Blob drivers

[godefroi]

Shrug; I hardly used suspend on my desktop back when I had it working (no idea whether it still works).

Fair enough, but in a business environment, sleeping several thousand machines every night can lead to real cost savings.

Info and thoughts

[TopSpin]

WebGL is a Javascript expression of OpenGL ES 2.0, the same OpenGL edition that appears on Apple's iOS and recent versions of Android. OpenGL ES 2.0 is essentially OpenGL 2.0 with the fixed function pipeline removed. This reduces the size of the API substantially.

Some may remember the little ARM11 based computer that appeared last week supports OpenGL ES 2.0. OpenGL ES 2.0 is also the choice of Wayland developers. There seems to be a big convergence happening around this particular edition of OpenGL due to embedded GPUs

WebGL is manifested as a context of a HTML5 canvas element. Javascript has been extended with new data types to provide aligned, dense arrays for loading vertex attributes into the GL. WebGL allows vertex and fragment shader code to be loaded into the GL.

The end result is very high performance graphics driven by Javascript hosted in a browser. WebGL integrates with the browser in some convenient ways; texture data is loaded from Javascript image objects and CSS can apply 3D transforms, for example.

WebGL has been supported in experimental form by Webkit and Mozilla since late 2010. Opera also supports WebGL. Microsoft is no where to be found.

Operating systems compromise security for the sake of GPUs. Obviously, exposing graphics subsystems to inevitably malicious code will get machines compromised. I think Google, Mozilla, et al. should adopt the 'no-script' paradigm for this stuff and require the operator to explicitly enable WebGL content case by case. The graphics subsystem will never prioritize security over performance so securing these code paths well enough for public exposure will never happen.

It would be nice if they gave this some thought before millions of people get owned and WebGL gets a huge black eye......

Re:Info and thoughts

Javascript is a language for use on the Web. You know, hypertext: text, links, and images.
There's no reason ever for this to have access to your GPU.
Are people clamoring to play processing-intensive 3D games in a web browser?

Re:Info and thoughts

I can't be the only one who is completely flabbergasted that the same folks who complain about the inherent insecurity of browser plugins that can extend the browser to "do more" than it currently can are enthusiastically driving towards a world where the browser itself is the vehicle of those attack vectors, sans plugins.

Re:Info and thoughts

The web should always be the same as it was in 1989! It was created perfect for all future uses, and all deviation is merely corruption!

Down with progress!

Who wants to play video games anyway!

That's not to say these security problems aren't real. They most certainly are. But actually asking "are people clamoring to play processing-intensive 3D games in a web browser?"

Yes. Yes they are. They play simple flash games now, and that sort of genre is likely to always exist, but the distinction between "browser games" and "outside the browser games" is not one that typical people want to uphold. There are technical reasons to make that distinction, but that's about it.

Re:Info and thoughts

[SanityInAnarchy]

I am. Certainly, I'm clamoring to develop processing-intensive 3D games for web browsers.

Think of the success of free-to-play stuff online now. Imagine you could just click a link and jump into a demo, no downloading, no security risk (assuming this crap gets fixed), you could try games out without the "download random crap" problem. Even once you decide to pay for it, compare this to approaches like Steam -- the instant gratification of having a game right now with the rest of it progressively downloaded as needed, versus waiting a few hours for it to download, and that's on my 100 mbit fiber connection.

You can actually see some of this effect by, say, buying Half-Life on Steam, then just start playing -- it won't be long till you can actually start playing, and then it's just 30 seconds to load a level instead of half a second. Downside is you still need to download Steam and they don't continue downloading it in the background, or in any particularly smart way, so you pretty much always need to load the next level from the Internet.

It's not immediately obvious how much an improvement this would be. Think about the difference between YouTube and BitTorrent. If it's a movie, I'd rather just download it, I can wait. Even on YouTube, it took awhile before I saw it -- I would mostly download YouTube videos and play them in mplayer, to avoid the Flash overhead -- it would seriously lag and get out of sync on Linux, though it's better now. But compare that process to just following a link -- or, better yet, clicking a "play" button in the middle of a webpage. The dynamics are entirely different -- it's not just a matter of being faster or more convenient, you end up viewing content in a different way, and you end up with a community that actually would not work if it was built around downloading videos first and then playing them.

And, be honest, how many hours have you wasted on Flash games? What if those didn't suck?

Never mind that it would kick Flash's ass for the places where Flash actually sort of almost makes sense now. Google Street View? Do that with better performance and no plugins. Google Earth? No plugins, and someone could literally give you a hyperlink to a location.

Re:Info and thoughts

Yes, clearly there's a market for them. You may not be in said market but it clearly exists. Not all Flash games are Farmville-like crap. Developers very much want an open platform to deliver their games and clearly there is a market for their games. There's no surprise that there is a push for this.

Ultimately, even if we solve the security issues, I can't say that this will be an overall positive thing for gaming, but I can say it will happen, because there's a huge desire on both sides of the equation.

Re:Info and thoughts

And now I know why so many douchebags are still developing for Flash.

Re:Info and thoughts

[SanityInAnarchy]

If WebGL breaks, I can disable it, fix it in my own browser (it's open source), or switch to a different browser with an entirely different implementation. If it breaks because of my video driver, I can upgrade my video driver, or switch to a different one, even swap out my entire video card, or run it on top of a software GL implementation.

If Flash breaks, I can either disable it and wait till Adobe gets off their lazy asses and fixes it, or leave it enabled and thus be vulnerable.

Hey, I'm not even necessarily anti-plugin. If Adobe Reader breaks, I can switch to Chrome and its built-in PDF viewer, or I can switch to one of several excellent PDF viewers -- I like Okular on Linux. The reason this doesn't bother me is that PDF actually is an open standard, not just in theory (like Silverlight or Flash), but in practice, with several excellent competing implementations.

If Silverlight breaks, I can either disable it till Microsoft fixes it, or switch to Mono and Moonlight -- which is about as effective as avoiding Flash vulnerabilities by switching to Gnash. In other words, for the majority of websites requiring Silverlight (or Flash), this is effectively the same as disabling it anyway.

By contrast, if Java breaks, there's OpenJDK. Not as nice as JavaScript, where there are three or four good engines in separate browsers, but there's still at least the possibility of fixing it myself, and wasn't Apache building their own VM anyway?

Now, because we have so many different browsers with entirely different implementations of the actual core web technologies, when a new technology like WebGL is proposed, you either need one open source implementation with a liberal enough license for code to be shared between browsers, or you need a brand-new implementation for each browser, and the latter seems to be happening more often -- especially for stuff like Canvas. Because there are so many browsers, they are actually competing on who can implement the most features in the most standards-compliant way, so this stuff actually gets done.

By contrast, even with a very good open-source plugin, there's no guarantee that there's more than a single implementation, so there's a chance for a buggy implementation to become the defacto standard (if there's a disagreement between the Silverlight standard and MS Silverlight, which wins?), and there's a chance for a proprietary implementation to become a defacto standard whether or not there's an "open standard" to appeal to (howmuch of the Web is on Flash now?). In fact, Flash pretty much proves that it only takes one plugin to plunge us back into the days of IE6 in terms of one proprietary implementation -- security is impacted, but so is everything else.

Re:Info and thoughts

[0123456]

Even once you decide to pay for it, compare this to approaches like Steam -- the instant gratification of having a game right now with the rest of it progressively downloaded as needed, versus waiting a few hours for it to download, and that's on my 100 mbit fiber connection.

Kind of like Guild Wars, you mean? An installer that's a couple of megabytes and downloads the rest as required?

Re:Info and thoughts

[pak9rabid]

It would be nice if they gave this some thought before millions of people get owned and WebGL gets a huge black eye......

WebGL has been supported in experimental form by Webkit and Mozilla since late 2010. Opera also supports WebGL. Microsoft is no where to be found.

Well, that sounds like a good first step.

Re:Info and thoughts

[Lennie]

I'm much more worried about the 'hardware acceleration' browser makers are using. WebGL is a very well defined subset of OpenGL.

Anyway I've seen many browser/drivers/operating systems and other parts of the stack fail on it.

I think it will take time for the driver, operating system, browser makers to get it right.

You can also look at it differently: We've had exploits with images, do people disable it by default ?

If you want to disable something, do it like the HTML5 Geolocation, pop up a bar: "do you want to share location information with this site ?"

Re:Info and thoughts

[SanityInAnarchy]

I haven't played Guild Wars, so I can't say, but I do know I haven't really seen this done right. What does "as required" mean in this case? With a sufficiently fast connection, could I conceivably walk through the entire world without seeing a loading screen?

And even in that case, there's still the part where you have to download that installer, and trust it with your system.

Re:Info and thoughts

The reason this doesn't bother me is that PDF actually is an open standard, not just in theory (like Silverlight or Flash), but in practice, with several excellent competing implementations.

How many competing PDF implementations are out there? I only know about Adobe's and the poppler thing that most (all?) free viewers are using.

The latter is a horrible '95-style C++ piece of shit, slow, plagued by buffer overflows and other bugs, and very nasty to interface with.

Where are those 'excellent' implementations?

Re:Info and thoughts

[nstlgc]

I think Google, Mozilla, et al. should adopt the 'no-script' paradigm for this stuff and require the operator to explicitly enable WebGL content case by case.
I agree, the users usually make the right choice. Cue "click here for awesome smileys!". /s

Gee

[TimeElf1]

Something, that was just put out that undermines the security of something else......I never saw that one coming.

And...

The only difference is this provides access to driver vulnerabilities. But those same unsuspecting users are likely to download random games and run them locally anyway.

The outcome seems surprisingly similar to flash:
This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system.

Astroturf much?

[SanityInAnarchy]

Now that we finally have sandboxing in browsers they want to let any website run directly code on your hardware.

As opposed to what?

Keep in mind that sandboxing is a way to deal with websites having direct hardware access. That's how they can do NaCL safely.

Silverlight has direct support for XNA which handles it everything better and safer anyway.

What's "better" or "safer" about XNA? Never mind that nothing's stopping you from porting frameworks to this anyway -- having a lower-level standard means that, ultimately, you can have something like XNA, and others can have other things.

Never mind that XNA doesn't have a particularly good OpenGL implementation, and that Silverlight is barely an open standard as it is. Why on earth would we go from one proprietary plugin to another, when we can just use the native, open Web?

Are we also supposed to write WebGL games with notepad?

If you like. Or with TextMate, or with Eclipse, and you've got tools like Firebug and Chrome's Developer Tools.

Never mind that Chrome is actually cross-platform and free-as-in-beer, and Chromium is open source. Why should I have to boot Windows, let alone pay a massive licensing fee, in order to use a giant, clunky IDE just to build a web app?

I remember developing HD-DVD using Visual Studio. It was the best tool we had, which was really sad -- no way to make that work in Eclipse, and no good way to debug otherwise. Never mind that the whole thing would only work on XP -- not Vista or 7. Do you have any idea what a relief it was to start doing web development again, where I could have my choice of tools, OSes, and working environment, instead of being stuck on an admin account in XP?

Not only that but the games also work on Xbox360 and mobile phones without such a major porting.

Know what else mobile phones have? The web. And it actually works natively, as opposed to attempts to get XNA working on Android and iOS, which are kludges running on top of Mono.

Re:Astroturf much?

Well, someone got their ass trolled.

Re:Astroturf much?

No, that's not how Native Client is done safely. That's how modern ActiveX is done "safely." Sandboxing on Native Client is a "we fucked up" everything-gone-totally-wrong last measure prevention mechanism.

Re:Astroturf much?

[Unoriginal_Nickname]

XNA doesn't have a particularly good OpenGL implementation? As someone with years of experience with XNA, Direct3D, OpenGL, and even some experience with WebGL, I feel ethically responsible for saying that you have absolutely no idea what you're talking about at all.

Re:Astroturf much?

XNA doesn't have any OpenGL implementation so far as I'm aware, so he's right.

Re:Astroturf much?

[sjames]

Mono=an infectous disease that leaves you exhausted long after the virus is gone.

Quake Live

[mfh]

I raised this concern with Quake Live, but was quickly shut down by people. Nobody wants to listen to the possible security holes in something they want to ram through at all cost. Forgive my tone if I'm a little annoyed hearing this. Sometimes you want to be wrong about something, but now I have been proven correct, I'm annoyed with myself.

Re:Quake Live

[jonescb]

Quake Live isn't WebGL. Even if it was, Quake Live wouldn't be affected. This security concern is only about a user visiting a web page that runs a malicious WebGL program, which Quake Live is not.

Re:Quake Live

[mfh]

My concern with Quake Live was related to this problem, even if WebGL was not present. To be clear, the concern had to do with browsers connecting to executable software packages, which Quake Live is, although if I remember correctly they shielded a lot of their game with technology from Adobe but it's still probably porous. Not enough people playing Quake Live for it to matter, much, however. I mean when you compare Sony Playstation Network's problems with what could happen to Quake Live's audience. Night and day audience sizes, right?

The critical point here is that the more complicated browsers try to be, the more terrible they become.

I don't see the benefit of embedding a video game in a browser, either. It's the kind of thing you'd expect to hear about during an internet bubble, with a lot of web jargon. The reality? Quake 3 was a superior product except for the advancements Id put into Quake Live. Had Id Software put the same advancements into a platform independent package that was not associated to a browser, the result would have been much superior. I am saying they changed tack down a blind alley and lost market share as a result.

I don't get it

[multi+io]

So they're saying that enabling shader code execution allows web sites to exploit hypothetical vulnerabilities in the graphics driver? How's that different from saying that enabling Javascript code execution allows web sites to exploit hypothetical vulnerabilities in the Javascript interpreter?

Re:I don't get it

[Lord+Bitman]

because up until now the response from graphics card manufacturers has been "security auditing? Open specifications? What, are you running arbitrary binaries on your PC and complaining when they take over your system?", whereas now they'll need to say "security auditing? Open specifications? What, are you running a web browser conceived of before 2010?"

Re:I don't get it

JS interpreter gets CPU protections, user mode execution, limited user access, and a restricted context (low integrity mode).

OTOH some shader languages are very simplistic, extremely trivial to secure.

Re:I don't get it

[amorsen]

So they're saying that enabling shader code execution allows web sites to exploit hypothetical vulnerabilities in the graphics driver?

They're not particularly hypothetical. Graphics driver code is such that games programmers carefully work around bugs in order to not crash anything. Imagine if every program running on the main CPU had to carefully avoid certain instruction sequences in order to not crash the system -- would you run a multi-user system on that?

Then again, that was how it was in the 80's on many time sharing systems...

Re:I don't get it

[Peter+Amstutz]

The key here is "attack surface". Having relatively uninhibited access to low level graphics APIs that were not previously assumed to be public means there are probably lots of bugs with security implications. I wouldn't be surprised if graphics drivers eschew error checking in order to gain performance, but now malicious programmers can use that to crash the browser or OS. Shader compilers are also quite complex, and may present opportunities for specially crafted invalid programs to overflow buffers or otherwise screw things up. Security has always always always taken a back seat to performance in the graphics world, and it may take a while for the driver writers to come around.

Re:I don't get it

[Bengie]

Your JS interpreter doesn't run at kernel level with full access to your low level hardware.

Re:I don't get it

[Dutch+Gun]

Because, like Adobe formats before it (like PDF or Flash), graphics card drivers were designed well before any serious thought was given to security issues. Even now, graphics drivers are 100% focused on speed, speed, speed, and security concerns are probably barely even on the radar. As GPUs move closer to general-purpose computing devices with true logic paths, this problem is only going to get worse. In other words, it's probably a softer target than a Javascript runtime environment is, and that's saying something, given how many Java-based exploits there are.

One of the big problems of coders is that most of us don't give much thought to how technology can be abused. It either takes a security consultant or a lot of experience dealing with folks that actively attempt to exploit your products to get in the correct mindset for net-based development. I'm an MMO developer, and any new feature we come up with has to be prefaced with "how could this be abused or exploited?" Sort of frustrating, but that's the way it goes.

It's going to take a different inherent mentality when dealing with Internet technologies going forward in order to keep things actually secure, but honestly, I'm not really sure if or when that's actually going to happen. People are too dazzled by shiny new technology still, and just rush forward without seriously considering security.

Re:I don't get it

you've never done low level development or compiler design, have you?

It's called errata, learn it, love it, live it. "hmm, well, the problem is being caused by out of order execution in the PPC processor, but there's an errata on the instruction to disable out of order execution. Oh balls."

Not that that's an actual problem I ran into or anything. And that was on a chip put to market an entire 2 years ago.

Re:I don't get it

[yuhong]

Why do you think the OpenType sanitizer had to be created?

Re:I don't get it

[nhaehnle]

Your JS interpreter doesn't run at kernel level with full access to your low level hardware.

Neither does your graphics driver, at least on Linux (I suspect that Windows is similar, but I have no knowledge of it). Everything related to OpenGL is implemented in user space, and then the user space component simply sends a command stream to the GPU via the kernel. The kernel module (drm) verifies the command stream to ensure that it does not violate any of the security constraints, and/or sets up the GPU access control registers appropriately (yes, modern GPUs have such features).

Of course, these security checks are geared towards the requirements of a multi-user system. Basically, one user's OpenGL program is not allowed to mess with a different user's data. So it's entirely plausible that exposing WebGL will cause problems to be noticed that simply haven't been visible before. But then those get fixed, people get used to the new security constraints, and we all move on.

Big deal

Browsers can statically analyze shader code if need be, even if that means only allowing a subset of instructions.

Example of GPU overload?

[DavidR1991]

They got BSODs by 'overloading' GPUs. By doing what, continuous high-stress activity? In which case, surely they should be sufficiently ventilated etc. isn't that the real issue - surely it's not possible to kill GPUs by just making them a lot of work? Imagine if CPUs did that, we'd be pretty screwed by now

If they don't mean high-stress/high-throughput activities, what do they actually mean - overloading them with textures or something?

Re:Example of GPU overload?

[Sarten-X]

Yes.

Re:Example of GPU overload?

[skids]

No, GPUs do DMA bus mastering and other newer sorts of independent access to RAM and the bus address space at large. If the command stream is not filtered, or the hardware does not have provisions for contexts that restrict the GPU's memory access capabilities depending on what control channel is being used, a GPU can pretty much read and scribble all over the entire system RAM.

GPU manufacturers have been historically oblivious to this and not bothered to put much in the way of security features into the hardware. Filtering command streams on the CPU side has never been popular, as it kills performance. (I'm actually surprised to learn open source drivers are now starting to actually provide it as an option, I gave up on getting buy in on that idea a decade ago when KGI failed to gain traction.)

Re:Example of GPU overload?

[tamyrlin]

Actually, at least early NVIDIA cards had pretty good hardware support for this as far as I understood it. I don't know the status of their current cards, but their early cards had hardware support for different contexts and would generate an error if a user tried to do something it was not allowed to do. (For example, rendering outside of the selected window.) So the cards could allow a user to send commands via DMA to the card (this is often called direct rendering) in a secure manner without any risk of privilege escalation.

Also, NVIDIA wasn't the first company to have this support. GPUs from SGI were designed around the concept of secure direct rendering a long time before PC level GPUs got popular. As far as I understood it, the original DRI developers for Linux were quite security conscious from the beginning as well.

Disclaimer: I haven't been involved in 3D driver development for quite some time now, so I don't know the current hardware/software status at all, but I would be surprised if NVIDIA has started to design hardware that does not allow for secure direct rendering. However, just because the hardware is secure doesn't mean that the driver is free of security related bugs...

Frankly, at least on Linux with open source drivers and/or NVIDIA hardware I would not be very worried about unknown privilege escalation bugs related to being able to issue arbitrary DMA commands. However, I would be quite worried about bugs in the driver which would allow for arbitrary native code execution as the current user. While not a problem for normal OpenGL applications (as they are already executing as native code), it is a huge problems for web application since this could be a way to escape from the javascript sandbox.

Re:Example of GPU overload?

[Sc4Freak]

It actually is very possible. I recall recently AMD had to place a block on FurMark in their drivers because it was stressing their video cards too much - causing them to fail. AMD had designed their power circuitry and cooling designs around "typical" use cases and not around the theoretical maximums - meaning you could overload the power circuitry or burn out your graphics card with just software.

Re:Example of GPU overload?

[ginbot462]

Surely NVidia guys (i.e the ex-Sun guys) knew of this SGI feature having worked in that same market earlier.

Man, I miss the days when computer shows weren't swap meets .. and you saw all these cool public demos with SGI/Sun/NeXT. I was just a kid then, but hey it inspired me to do what I do today.

Rubbish

GPU shaders have no access to main memory so where is the attack vector ?

Re:Rubbish

[0123456]

GPU shaders have no access to main memory so where is the attack vector ?

GPUs have access to main memory, quite possibly the entire address space of the machine (I only briefly worked on Vista drivers so I'm not sure how they compare to XP). The shaders may not be able to access memory directly through a pointer, but if you can somehow exploit a driver bug to get a texture configured to use an arbitrary system memory address, then they could potentially access any memory on the machine.

Of course that's physical memory, so you'd need an exploit which can also map logical to physical memory addresses to determine which place to configure the texture at.

Re:Rubbish

[gmueckl]

The truly dangerous attack vector is not any shader code. It's all the half-decent shader compilers out there that are part of the OpenGL runtime. GLSL shaders always need to be compiled from source at runtime by the driver. So the Browser must pass off a big piece of code/data to the driver's compiler, a complex, non-secure and typically also annoyingly buggy piece of software. In other words: the compilers' fragile parsers are now directly exposed to remote websites. They were never intended to take potentially insecure input. I've been aware of that attack vector for at least 6 months now.

I can't wait for Native Client!

Can anyone remind me why we're putting EVERYTHING in a web browser anyway?

Re:I can't wait for Native Client!

NaCl is to native what BASIC is to asm.

Re:I can't wait for Native Client!

[tepples]

Can anyone remind me why we're putting EVERYTHING in a web browser anyway?

Because Native Client is specific to Google Chrome. What other instant, sandboxed application deployment method do you recommend before other companies' browsers begin to support Native Client?

Re:I can't wait for Native Client!

[perry64]

Why? Because this is what happens when security Nazi's or bad administration make it impossible for users to actually use their computers.

I work in the military training game area, and people in that area want to deliver content without having to install thick clients (or preferably, not have to install ANY client) on the machine because doing so is almost impossible because of the requirements to get anything approved and installed. Systems like the Navy Marine Corps Internet (NMCI) don't allow users to do much besides e-mail and browse; to get anything else installed generally takes months, and if it's specialty software it's a minimum of years.

I've always said that if the security types had their way, we'd all be working on machines in a locked room without a network connection, as that is the only way to guarantee security. Security is important, but computers are designed to be USED - any policy that makes that impossible leads to people trying to get around it. Thus, policy and security measures need to take both into account - the answer, "Can't do it, sorry." doesn't cut it.

Re:I can't wait for Native Client!

Adsense. And why is it the reverse on smartphones where webapps would often make more sense? Admob.
We did give this a chance on the desktop, but everybody screamed ADWARE!!! So this is what you get :-)

Re:I can't wait for Native Client!

[VortexCortex]

Can anyone remind me why we're putting EVERYTHING in a web browser anyway?

Simple. Because we really don't give a fuck about web browsers.

All we really want / need is a cross platform widely distributed standardized* text & graphics display environment that can be manipulated via client side scripting, and can communicate with server side processes; And for "applications" or "services" created with such a system to be easily discoverable by our users.

* Yes, we need across the board standards conformance for stability and to reduce development costs, too bad we don't really have it yet.

We couldn't really give two shits if that's HTML in a browser with JavaScript, or a any other technology -- it just so happens that Browsers are ubiquitous. Ergo, the success of: Software Repositories on *nix, App Stores for mobile devices, the Internet + HTML/Scripting & search.

IMHO, we should ditch JS for Lua -- it can be compiled or interpreted, and has a much simpler design which takes less code (and is easier to secure as a result) It's easier to optimize and its language constructs can be used to provide any feature that JS language has. Other VM and scripting languages come to mind as well... actually, It's hard NOT to find a language that's better than JS*. (Hence Chrome <script type="python"> and other native client features -- though this is the wrong way to go, we need a broadly supported language with a standardized feature-set that isn't slow as frozen molasses.)

*inb4 brainfuck, et al.

Re:I can't wait for Native Client!

[FooBarWidget]

So that users don't have to install anything, making it easier to distribute software.

Re:I can't wait for Native Client!

I agree. Why do we need anything more than we already have on websites? All I want to do is read text, and occasionally watch videos, that's it. This is just more bullshit that drags down your system and slows it to a crawl. Just imagine the '3D' adverts using WebGL - who needs it?

Re:I can't wait for Native Client!

[ChunderDownunder]

to reach critical mass, any alternative language such as lua would require sponsorship by each open source browser effort. Given each has its own javascript engine as a selling point (mine is 10% faster than yours), such consensus might be difficult. Perhaps a higher level API than DOM is needed to shield the language runtime from the underlying impl.
Perhaps a more realistic solution is to translate lua (or other) into javascript that can then be forwarded to the js engine. Coffescript uses this approach. It would then be a matter of maintaining a source-js translator for each language. If the engine uses an intermediate bytecode then a browser might support compiling certain languages to that bytecode.

Re:I can't wait for Native Client!

I have been screaming for a while, but it is companies like Micro$oft and Adobe that want you run/view everything in the browser. At least now I can convince some people it is a bad idea, since the vulnerabilities are well known. A browser is very insecure piece of code and needs to be treated that way.

I hate brain-dead marketing.

Re:I can't wait for Native Client!

[mgiuca]

IMHO, we should ditch JS for Lua

Can I offer an alternative suggestion? How about we DON'T replace JavaScript with <insert favourite scripting language here>. Okay, part of the problem with web scripting is that we're using JavaScript, which sucks. But the majority of the problem is that we're using a programming language at all. We've just reinvented the biggest, clunkiest wheel on the planet.

Look at the number of projects that are taking programming code, or in some cases bytecode, and compiling it up to JavaScript (GWT, Pyjamas, Emscripten, CoffeeScript, and the rest). If we replace JS for Lua, we'll need to write a new generation of tools to compile everybody's programming language into Lua. Can we please have a standardised low-level virtual machine (hint) that will run in all browsers, which all languages can target, so we don't have to go through the ridiculous hoop of taking, in many cases, low-level statically typed code, throwing away all the type information and converting it into high-level dynamic scripting code, and then having the browser optimise the hell out of it and try to figure out the types? Google's PNaCl is apparently going to get the ball rolling on this, with LLVM.

Re:I can't wait for Native Client!

[steelfood]

Because that's Google's business plan.

And people are too lazy to deal with installation, patching, etc.

Re:I can't wait for Native Client!

[Flammon]

Ubiquity

Re:I can't wait for Native Client!

[AmiMoJo]

Are you kidding?

Browsers are cross platform, supposedly secure and sandboxed, easy to develop for and provide an easy way to make applications while delivering ads and data-raping your users. There is nothing for the user to install and no way to pirate your app or game. Updates are instant and require no user intervention.

Re:I can't wait for Native Client!

[ginbot462]

>> standardised low-level virtual machine

Any day now ... comment inserted by viral C# app through Powershell 2.0.50727.4959 via Mono

Re:I can't wait for Native Client!

[mgiuca]

If you're implying that .NET meets the above criteria, it doesn't.

Firstly, a lot of people, myself included, are wary of Mono due to Microsoft's historically negative stance towards open source and accusations of patent infringement by the open source community. There's an ongoing debate about that now which I don't want to get into, but suffice to say that forcing all web browsers to adopt .NET will not sit well with a lot of the free software people. It's also extremely Windows-centric (as you would imagine, being a virtual machine designed for Windows only). But leaving that one aside... .NET is far too bloated to be the standard scripting language of the web. If you notice one thing JS and Lua have in common is they are extremely small and have extremely lightweight libraries. JS has a few dozen built-in functions and a handful of built-in types, and everything else you must bring along yourself (such as jQuery). Compare that to .NET, whose standard library has hundreds of classes and even the latest "compact" runtime (4.0) is 54 MB. Also, .NET may be available on non-Windows operating systems, but it isn't on any smartphones that I know of, and Apple will certainly fight against implementing it.

Lastly, it isn't there yet. Incorporating it into the browser like JS is would require careful definition of a subset of the standard library to make available on the browser, as well as an interface to all of the standard and upcoming HTML5 browser features.

still?

[_0xd0ad]

You keep using that word. I do not think it means what you think it means.

Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11

Everything old is new again, huh?

I remember the days when folks predicted JavaScript would expose surfer's computers to viruses.

Re:Everything old is new again, huh?

It did; but most of those problems were ironed out such that some interpreters now are basically immune. Same trend would probably occur here.

Re:Everything old is new again, huh?

Yeah, and it *did*. And it continues to. Drive-by download-and-execute attacks from malicious ads can absolutely hijack your machine even in 2011. And that's just the more exotic possibility. It doesn't even consider the more common XSS attacks.

Xbox 360 doesn't have the web

[tepples]

Not only that but the games also work on Xbox360 and mobile phones without such a major porting.

Know what else mobile phones have? The web.

Xbox 360 doesn't have the web. What do you recommend to get a game ported to a console?

Re:Xbox 360 doesn't have the web

[segin]

Not only that but the games also work on Xbox360 and mobile phones without such a major porting.

Know what else mobile phones have? The web.

Xbox 360 doesn't have the web. What do you recommend to get a game ported to a console?

PSN hack aside, the PLAYSTATION3 *does* have the web (WebGL support is another story). Without a PSN account, even! What say you now?

Re:Xbox 360 doesn't have the web

[tepples]

the PLAYSTATION3 *does* have the web [...] What say you now?

I've heard it's rubbish, even compared to the Android browser that runs on less RAM. Does the PS3 web browser support even the 2D canvas? And how does it expose button presses on the controllers as events? Google failed me somehow.

Re:Xbox 360 doesn't have the web

[justforgetme]

well, my ps3 runs firefox4 so I don't know what you are talkin about ;-)

Forgo iOS and Android or forgo Xbox 360

[tepples]

If I use .NET, I forgo iOS and Android. If I use anything else, I forgo Xbox 360. So are people supposed to make one game exclusively for Xbox 360 and a completely unrelated game for iOS and Android?

Relegate yourself to Microsoft's little vertical romper room if you want.

If I ignore Xbox 360, I relegate myself to single-player and online multiplayer, as opposed to local multiplayer within a household. PCs can be connected to HDTVs and gamepads, but the majority of people appear unwilling to do so.

JavaScript, GPU, and graphics

[tepples]

Javascript is a language for use on the Web. You know, hypertext: text, links, and images.

Another word for "images" is "graphics".

There's no reason ever for this to have access to your GPU.

"GPU" stands for "graphics processing unit". You appear to claim that a language for use in a graphical environment shouldn't have access to capabilities exposed by a graphics processing unit. Can you clarify?

Are people clamoring to play processing-intensive 3D games in a web browser?

Yes. Otherwise, Adobe would not have added rudimentary 3D capability to Adobe Flash.

Re:JavaScript, GPU, and graphics

Yes. Browsers have been able to display images for 25 years or so. Your CPU needs no help with that.
A web browser is not a video game console; it's for rendering pages of hypertext.

Re:JavaScript, GPU, and graphics

[tepples]

A web browser is not a video game console

Millions of FarmVille fans would disagree with your claim. Browser-based video games have been around since Flash and DHTML first came into use.

Re:JavaScript, GPU, and graphics

I'm going to have to quote despair.com here:

"Just because you've always done it that way doesn't mean it's not incredibly stupid."

Remember shockwave-based games? 12 years later, gaming in a web browser is still a bad idea.

Re:JavaScript, GPU, and graphics

[amn108]

The CPU has needed help with everything since it was invented, otherwise we would still have the same CPUs we had back in the 60s with absolutely no need for improvements. Your conservatism is baseless.

Re:JavaScript, GPU, and graphics

So our multi-gigahertz multicore CPUs need an external accelerated 3D graphics board to render jpegs on a web page?

Re:JavaScript, GPU, and graphics

[amn108]

Obviously.

Fix it in your own Gnash

[tepples]

If Flash breaks, I can either disable it and wait till Adobe gets off their lazy asses and fixes it, or leave it enabled and thus be vulnerable.

Or switch to Gnash and Moonlight, and fix any deficiencies in your own copy the same way you claimed that you can "fix [WebGL] in your own browser". Ultimately, your complaint appears to be that you haven't had the opportunity to help Gnash and Moonlight become viable.

Reference software renderers

[tepples]

Are you talking about theory or practice? As I understand it, in theory, HLSL and GLSL are not hardware-specific because they have reference software renderers that can run on a CPU, albeit with drastically reduced performance. Even in practice, I understand that Intel's GMA offloads vertex and geometry shading to the CPU, for example.

Re:Reference software renderers

[spun]

Let me summarize the conversation so far. Someone said "GLSL and HLSL are about as hardware level as javascript." Someone else disagreed in no uncertain terms. I gave evidence that GLSL and HLSL were not as hardware level as javascript. You attempted to sidetrack the discussion into the realms of HTML5 and "environment" specificity. When I pointed out that that was off topic, you brought up some supposed "theory versus practice" debate, as if that would actually change the answer to the original question: Are GLSL and HLSL about as hardware level as javascript?

However, I have since determined that this question is itself a red herring, as the original poster appeared to be using "hardware level" when the concept he really meant to address was security: can these languages be used to directly manipulate hardware, bypassing normal operating system security measures? I think the answer to that is actually, "No. Not really any more than javascript."

So! I believe we've solved the dilemma in such a way that everyone can go home thinking they were right all along.

Re:Reference software renderers

> can these languages be used to directly manipulate hardware, bypassing normal operating system security measures? I think the answer to that is actually, "No. Not really any more than javascript."

Then you think wrong. These languages are roughly analogous to C or C++, not javascript. Javascript is sandboxed. HLSL and GLSL compile to native machine code, not for the x86 processor, but for the GPU. Formerly, there were serious limitations to the nature of this code, but the magnitude of that difference has been steadily declining. Modern GPUs support SIMD analogs of pointers, for instance.

Furthermore, some types of graphics devices have r/w access to the same address space the host CPU does, *without* going through the device's ring buffer - that is, they use the same TLBs. So while the same high level HLSL or GLSL code may compile to code run on devices from multiple vendors, just as C++ can do, it is in no way similar to a sandboxed languages like javascript.

Please don't post about topics you do not understand. It just creates confusion for many people who read it, and does no service for anyone.

wheres the directions on how to write exploit code

[elucido]

and how can we have fun experimenting with this on our LANs? This would be perfect for pen testers to play with.

Perhaps now Mozilla will finally enable their whit

[Derek+Pomery]

Which they had already written for WebGL.

http://mxr.mozilla.org/mozilla-central/source/content/canvas/src/WebGLContextUtils.cpp#101

At least then users have to click ok before trusting a site, in a similar fashion to location data.
And hopefully that check will be strongly worded.

Personally, I'm glad I run NoScript

Re:Perhaps now Mozilla will finally enable their w

[Derek+Pomery]

What's also funny is I remember discussing precisely this attack method a few weeks ago w/ webgl folks.
Thought at the time it'd be a bit slower than the end result, in terms of image extraction.

Also joked about combining it with a webgl game to keep the user occupied, where their clicks on the "red ball" or "blue ball"
would steal more pixels.

Speed up the attack while keeping them occupied.

Not that big deal

[rasmusneckelmann]

I doubt this is going to be a major cause of future security problems.

As far as I'm aware, WebGL is only allowing shaders to be specified in GLSL which is a pretty high level shading language. Obviously there's no such thing as pointers, and unlike something like javascript there's no interaction with complex objects. Shaders form a very clean and thin interface, basically just being a bunch of floating point vector operations. The only complex objects you're really going to interact with is various texture samplers.

It's easy to make a dangerous bug in a javascript interface to a complete HTML DOM object (or whatever else you can do in javacript these days), it's much harder to make a dangerous bug in a function that calculates a dot product. Sure, shaders are more complicated than that, but you get the drift.

Re:Not that big deal

I've never crashed a computer writing JavaScript, or writing any user-space program that executes on the CPU. I've crashed plenty of computers with simple bugs in GLSL shaders. There are two common problems:

1) GPU drivers often don't deal well with a shader that simply runs forever. At best, the kernel will restart the drivers which will then reset the GPU. All too often, however, this fails and you're stuck with a deadlocked or otherwise non-functioning GPU. Sure, it's only a DOS vulnerability, but it's still pretty bad and really easy to exploit.

2) The GPU drivers don't generally clear memory when you allocate a new buffer. I've seen plenty of instances where a shader accidentally reads from a buffer which was never written to. You can get anything from the last thing that was in a similar buffer to random bits of images or other data from the window manager or other applications using OpenGL.

To disable WebGL in FF4

[molo]

about:config

webgl.disabled = true

-molo

This is FUD from traditional platform vendors

[vivarin]

The natural progression of "web as platform" is to (safely) expose your hardware to web-based applications, for your benefit. Vendors who currently enjoy being the gatekeepers of various walled gardens (I'm lookin' at you, AppleSoft) are going to try to stall this progression as long as they possibly can, as it threatens their cash-cow businesses. I very much doubt the handful of web platform vendors integrating WebGL right now are going to allow it to run amok in the same way that ActiveX and Flash have over the last decade.

The "user"

The "user" have no clue about what no-script is. He/She will just see this as some hinder.

Validation Impossible

Every time you fail to properly sanitize your inputs, a kitten dies.

Not an easy task

Hacking using shaders is simple when using a fixed hardware/driver like on 360.
But is not simple todo using different browser versions, different hardware, and different drivers versions.
I would like to see a proof of concept that works on several platforms/browsers/driver versions.... Good luke LOL

Doesn't Linux solve this?

[ShawnX]

With Mesa and at least, Radeon drivers all commands written to GPU are checked by a parser to prevent certain violations from occurring? The CP (Command Parser) in the Mesa/Gallium3D driver checks all commands written.

Re:Doesn't Linux solve this?

[royallthefourth]

As a Linux/ATI user, I'm completely protected because there are no Linux browsers that currently support WebGL on ATI hardware with the official drivers.

Suck it, Windows users.

Re:Doesn't Linux solve this?

Nice plan, but unfortunately Mesa only supports OpenGL 2.1 (released on July 2, 2006), which is now deprecated by OpenGL 3.0 (released on July 11, 2008), and the rest of the gaming world has moved on to 4.0 (released on March 11, 2010), which deprecates a lot of 3.0.

Much ado about nothing

[KewlPC]

For the most part this is a lot of security handwaving.

While the GPU itself can do DMA and whatnot, shaders don't have access to any of that. If a shader can access texture memory that hasn't been assigned to it *in certain browsers* then it sounds like a bug in the browser or the browser's WebGL plugin. Being able to "overload" the GPU and blue screen the computer sounds like Yet Another Windows Bug.

A shader isn't just some arbitrary binary blob that gets executed directly by the GPU. Even native programs can't do this. You provide the driver your shader source code, the driver does the rest. It's intentionally a black-box process so that the driver can optimize the shader for the GPU and not force a specific instruction set or architecture onto GPU designers. Thus allowing the underlying GPU design to evolve, possibly radically or in unforseen ways, without breaking compatibility.

Furthermore, a shader can only access memory via the texture sampler units, which must be set up by the application. If the WebGL application (which is just JavaScript) can set things up to access texture memory it isn't supposed to be able to, the problem is with the WebGL and/or HTML5 implementation, not the concept of WebGL or the GPU driver.

Re:Much ado about nothing

I think the issue is allowing someone to code a fragment or vertex shader that crashes the graphics driver in such a way that an attacker could compromise other areas of the system. It doesn't seem like it would be that hard to deliberately create malicious shader code. I'm not sure what happens with that though.

Re:Much ado about nothing

[Sc4Freak]

It was never stipulated that there's anything fundamentally insecure about WebGL. The problem is that exposing hardware acceleration to untrusted code significantly increases your attack surface. With WebGL, suddenly graphics drivers and hardware acceleration subsystems must also be made secure because they're running untrusted code from the web.

Graphics drivers aren't even close to being secure enough to allow untrusted code - I remember seeing a case a couple of months ago where a game developer had accidentally read from a NULL texture in OpenGL and instead of a blank texture he had somehow managed to get an image of his webbrowser window wrapped around his model in-game. The graphics driver hadn't bothered to flag a NULL texture as an error and had just allowed the application to read from random places in video memory - in this case he just happened to grab an area of video memory that the OS window manager was using to store the his webbrowser's window.

Re:Much ado about nothing

[KewlPC]

Shaders themselves are pretty limited in scope, though. You can't really access anything beyond the GPU, textures, and model geometry.

GLSL (the language WebGL and OpenGL shaders are written in) doesn't have pointers and is most definitely NOT a general purpose language.

Even without shader support in WebGL you'd have the potential for intentionally bad model geometry crashing a really poorly written driver.

Re:Much ado about nothing

[KewlPC]

Yes, something similar was mentioned in the article, and it *should* be fixed. But beyond that, shaders themselves don't expose anything particularly dangerous. GLSL, the language WebGL and OpenGL shaders are written in, doesn't have language features to access anything beyond the GPU. You can't access the user's hard disk from within a shader.

You can't get rid of shaders. Modern GPUs don't have a fixed function pipeline, it's totally gone from the silicon. Instead, for apps that try to use the old fixed function pipeline, the driver generates a shader that does what the fixed function pipeline *would* have done given the current state. Sooner or later the drivers are going to stop even emulating it.

Which is part of the reason WebGL has shader support in the first place, it wouldn't do anyone any good if it was obsolete right out of the gate.

Shaders aren't the problem, crappy web browsers are.

Re:Much ado about nothing

Actually, AFAIK, you can precompile shader code. However, your points about accessing texture memory is probably true though.

Re:Much ado about nothing

[KewlPC]

IIRC OpenGL ES 2.0 can, but it's all vendor-specific. And it's still intermediary bytecode, not something that will execute directly on the hardware.

Misleading

[Eravnrekaree]

This is overstated and inaccurate headline. A large area of harm can come from a software application accessing memory space which is a hardware adapter mapped into address space of the app, and manipulation of pointers and so on. This is a issue with C level programming where you have direct access to memory addresses and pointers. A javascript implementation of WebGL does not offer access to OpenGL functions by addresses or pointers to the functions at all. Instead it should use a dispatch table below the javascript environment. JS is thus isolated from direct access to hardware and IS NOT using hardware addresses in any way to access functions.The WebGL program can only therefore access the functions via that dispatch table. There are still possible issued with problems with the OpenGL API itself that may need to be addressed for safety. However, direct access to video hardware by a Javascript app is out of the question, it should not be done, and should not be allowed in a Javascript environment. the Javascript is a sandbox and does not provide direct access to memory address space, system calls or other such things. if security is a concern, due to Hardware faults that could be triggered by sending a series of OpenGL commands, the web browser can be configured to use software renderer instead of the hardware rendering, or selectively block that series of OpenGL commands in some way. If there are significant problems with hardware rendering, that may be sometjhing that may have to be considered as a default option. this is something that can affect all applications that are used over a network including gaming applications, since, even a gaming app that sends abstracted updates such as "soldier moves forward 200px" can trigger OpenGL calls in a predictable way. However, these nor WebGL should not expose the graphics hardware directly to Javascript or the network protocol, nor the address space, only OpenGL functions can be called by some sort of token or symbol which is contained within the sandbox environment and does not directly referfence a memory location. Those OpenGL functions are used by a wide range of different network applications, so this is not a problem particular to WebGL.

I am a web rendering engine developer so I have an interest in making sure these things are safe. If necessary we will software render by default until we can be sure about safety with direct rendering. Furthermore this is not a WebGL problem,s, these are bugs in OpenGL itself. There are software rendering workarounds. So this will not affect the availability of WebGL.

I do support WebGL since it will help the web environment compete against Flash.

If not web-based, then what?

[tepples]

12 years later, gaming in a web browser is still a bad idea.

Browser gaming offers on-demand zero-install cross-OS deployment of video games over the Internet. It also offers sandboxed execution so that a game doesn't end up with permission to overwrite or disclose all of a user's documents. What better solution do you have that offers both of these features? Would you recommend Java Web Start or Adobe AIR?

Re:If not web-based, then what?

[justforgetme]

Actually its cross platform ie: pcs (whatever os), mobile devices (whatever os), other specific use appliances (game consoles, fridges, etc.)

Rubbish

I fail to see how it is specific to WebGL, all web content is dangerous if you take it this way. Lets say, if you had a buggy PNG decoder, that could be exploited with a specially crafted PNG image which is posted on the site.

Mod parent up

[nhaehnle]

He's right. Using WebGL, you do not directly upload executable code to the GPU. You send textual shader programs, which are Just-in-Time compiled by the OpenGL driver into hardware instructions. This is pretty much exactly what modern JavaScript engines are doing already.

Now it is true that things can go wrong in this translation stage. A JavaScript engine can have a bug that allows arbitrary code execution, and so can an OpenGL driver. So adding WebGL increases the amount of code that can have security-relevant bugs, but so what? This happens every time you add a new feature. Flash or Silverlight are no different in this respect, and neither is JavaScript itself for this matter. If you're really that paranoid, you should already be browsing without JavaScript enabled.

PS3 with Firefox lacks new games

[tepples]

well, my ps3 runs firefox4

I'm assuming that your PLAYSTATION 3 console is running Firefox under Linux under Other OS under pre-3.21 PS3 system software. (Please correct me if I'm wrong.) But new PS3 games require a PS3 with post-3.21 firmware. This means people who still run a PS3 with pre-3.21 firmware aren't buying new PS3 games; they can be considered closer to the PC market than to the PS3 market.

Or has Sony replaced NetFront in the PS3 system software with Firefox?

Re:PS3 with Firefox lacks new games

[justforgetme]

For what I care you can assume anything you like darling ;-)

Cross platform Silverlight

Moonlight on Android preview.

Also... ExEn

mmm PERT

[ginbot462]

>> Suck it, Windows users.

Sounds like you're telling Win users to suck upon the perfected formed, pert ... um fragments of their lovely detailed (and d^Hphong shaded of course) ...uh models. I don't see the issue.

response from WebGL PR: Now is the time to have a harden member lead us out of the Uncanny Valley (of the Dolls)!