WebGL Poses New Security Problems

Julie188 writes "Researchers are warning that the WebGL standard undermines existing operating system security protections and offers up new attack surfaces. To enable rendering of demanding 3D animations, WebGL allows web sites to execute shader code directly on a system's graphics card. This can allow an attacker to exploit security vulnerabilities in the graphics card driver and even inject malicious code onto the system."

WebGL was always a bad idea

Now that we finally have sandboxing in browsers they want to let any website run directly code on your hardware. Insane! Just forget the WebGL stuff. Silverlight has direct support for XNA which handles it everything better and safer anyway. Are we also supposed to write WebGL games with notepad? At least XNA games can be written with a solid IDE like Visual Studio. Not only that but the games also work on Xbox360 and mobile phones without such a major porting. What a developers dream...

Leave my hardware alone and secure!

Re:WebGL was always a bad idea

[h4rr4r]

No, VIM is a far better choice for not only WebGL but everything else as well :)

Re:WebGL was always a bad idea

[Sc4Freak]

Silverlight does support shaders - Reach profile just means that you're limited to Shader Model 2. SM2 is sort of like a baseline requirement these days for a lot of things including Windows Aero. On the desktop it's supported by the old-school ATI Radeon 9 series or higher or Nvidia Geforce FX or higher. On the mobile, GPUs that support OpenGL ES 2.0 are generally SM2-compliant.

Re:WebGL was always a bad idea

[justforgetme]

Adobe Molehill...

really?

I've tried out WebGL several times now and I can tell you it's disgusting.

what you mean is: "I don't understand GL"

JavaScript is a terrible language....

what you mean is: "I don't undrestand prototype based OOP and first class functions"

...no way to efficiently debug....

what you mean is: "I don't know how to use firebug, opera firefly or google to find a better debugging tool"

...somehow getting it to pass data efficiently with AJAX....

what you mean is: "I'dont know how XHR works and have never heard of JSON or XML"

I think you did approach web development a but too fast. You should better tak a step or two back and look again at what you have done there, how much you understand of it and focus on developing your skills first before starting developing another web application. Why don't you start with something basic and then go up the ladder?

Really?

[internerdj]

I mean what could possibly be dangerous about allowing random websites to run hardware level code?

Re:Really?

[davidbrit2]

Oh, then that's a relief. Nobody's ever used Javascript as an attack vector.

Re:Really?

[segin]

I am no graphics programmer, but I am going to stretch out my experience in other areas (audio APIs), and say that, while these are hardware-dependent in terms of features offered, I highly doubt the same low-level shaders that work on an ATI card will work on an NVIDIA card; in fact, I see HLSL and GLSL as wrappers, sorta of like Direct3D and OpenGL themselves a generation or two ago - certain Direct3D calls or OpenGL calls depended on what features are provided by the underlying hardware, and this also translates to bindings for interpreted languages (Python, for example). One graphics card might have you push 16-bit word 0xFEED to IO port 0x14f3, whereas another might have you put a 32-bit double-word to physical memory address 0xD4001337, while the program behind the high-level interface simply called the same exact function and arguments for both.

While this is an example describing purely native code, I believe it translates (maybe not so well) to interpreted things, like EMCA-262 (ISO/IEC 16262, aka JavaScript) and WebGL.

Let's say I want to send MPEG audio data directly to an MPEG-decoding sound card. With Open Sound System v4, I do this:

int dsp_fd = open("/dev/dsp", O_RDWR | O_ASYNC);
int format = AFMT_MPEG;
int ret = ioctl(dsp_fd, SNDCTL_DSP_SETFMT, &format);

If the underlying hardware supports decoding MPEG audio, it works, I can then write() all the MPEG audio data I want to my hearts content. If the hardware doesn't support decoding MPEG audio, I better hope the driver includes a licensed software decoder, or 'ret' there will contain the value -1, meaning I'm fucked.

When I see you idiots complaining about APIs that are essentially driving hardware functions lack certain functionality when the underlying hardware also lacks said functionality, and that you expect APIs to either "always work in full or completely break in full", I want to punch you in the face. From what I gather from a comment thrown around here (correct me if I am wrong), Silverlight's 3D APIs are intentionally crippled in the shader department to take the worry of hardware support away from developers (at the expense of being unable to use all of the features of the underlying hardware, I guess), and somehow that is the right thing to do. This AC here makes a pretty good point, in that, at the end of the day, it's all hardware-level code anyways. And I will direct you at, say, mpg123, which compiles in entirely different source files whether the target is x86 or PowerPC or whatever, if MMX or SSE or Altivec is to be used, etc., all hardware features of a CPU.

TL;DR: If you bitch because parts of an API used to drive hardware are unavailable in response to the hardware not supporting those features, and instead want an API that has all features always working no matter what the underlying hardware supports, either find an API that doesn't mind falling back to software rendering, or pull your head out of your ass and realize that the programming world (mostly) doesn't work that way.

Also, let me know how my knuckles taste, I'm going to punch you in the mouth for being stupid, while I'm at it.

With record-setting speed and efficiency!

[jeffb+(2.718)]

You can dedicate hundreds of threads to high-volume malware, while freeing up your CPU to maintain a smooth phishing experience!

Glad I'm not using Binary Blob drivers

[xiando]

An attack based on "exploit security vulnerabilities in the graphics card driver" seems less likely using the FOSS graphics drivers. I'm not saying they can not be exploited, I'm just saying that this makes me feel somewhat safer than I would feel if I were using the closed Binary Blob drivers.

Re:Glad I'm not using Binary Blob drivers

[MrEricSir]

Do any FOSS drivers even support shaders?

Re:Glad I'm not using Binary Blob drivers

probably why he feels more secure!

Re:Glad I'm not using Binary Blob drivers

[m50d]

Given the general quality level I'd have to disagree; the nvidia drivers work perfectly, even supporting e.g. S3 suspend, and most of the code is the same as their (quite widely tested) windows driver. Wheras with the free intel drivers I still get lots of random display corruption, and those're supposed to be on the good end of free drivers.

Info and thoughts

[TopSpin]

WebGL is a Javascript expression of OpenGL ES 2.0, the same OpenGL edition that appears on Apple's iOS and recent versions of Android. OpenGL ES 2.0 is essentially OpenGL 2.0 with the fixed function pipeline removed. This reduces the size of the API substantially.

Some may remember the little ARM11 based computer that appeared last week supports OpenGL ES 2.0. OpenGL ES 2.0 is also the choice of Wayland developers. There seems to be a big convergence happening around this particular edition of OpenGL due to embedded GPUs

WebGL is manifested as a context of a HTML5 canvas element. Javascript has been extended with new data types to provide aligned, dense arrays for loading vertex attributes into the GL. WebGL allows vertex and fragment shader code to be loaded into the GL.

The end result is very high performance graphics driven by Javascript hosted in a browser. WebGL integrates with the browser in some convenient ways; texture data is loaded from Javascript image objects and CSS can apply 3D transforms, for example.

WebGL has been supported in experimental form by Webkit and Mozilla since late 2010. Opera also supports WebGL. Microsoft is no where to be found.

Operating systems compromise security for the sake of GPUs. Obviously, exposing graphics subsystems to inevitably malicious code will get machines compromised. I think Google, Mozilla, et al. should adopt the 'no-script' paradigm for this stuff and require the operator to explicitly enable WebGL content case by case. The graphics subsystem will never prioritize security over performance so securing these code paths well enough for public exposure will never happen.

It would be nice if they gave this some thought before millions of people get owned and WebGL gets a huge black eye......

Re:Info and thoughts

[nstlgc]

I think Google, Mozilla, et al. should adopt the 'no-script' paradigm for this stuff and require the operator to explicitly enable WebGL content case by case.
I agree, the users usually make the right choice. Cue "click here for awesome smileys!". /s

Quake Live

[mfh]

I raised this concern with Quake Live, but was quickly shut down by people. Nobody wants to listen to the possible security holes in something they want to ram through at all cost. Forgive my tone if I'm a little annoyed hearing this. Sometimes you want to be wrong about something, but now I have been proven correct, I'm annoyed with myself.

Re:Quake Live

[jonescb]

Quake Live isn't WebGL. Even if it was, Quake Live wouldn't be affected. This security concern is only about a user visiting a web page that runs a malicious WebGL program, which Quake Live is not.

Re:I don't get it

[Lord+Bitman]

because up until now the response from graphics card manufacturers has been "security auditing? Open specifications? What, are you running arbitrary binaries on your PC and complaining when they take over your system?", whereas now they'll need to say "security auditing? Open specifications? What, are you running a web browser conceived of before 2010?"

I can't wait for Native Client!

Can anyone remind me why we're putting EVERYTHING in a web browser anyway?

Re:I can't wait for Native Client!

[mgiuca]

IMHO, we should ditch JS for Lua

Can I offer an alternative suggestion? How about we DON'T replace JavaScript with <insert favourite scripting language here>. Okay, part of the problem with web scripting is that we're using JavaScript, which sucks. But the majority of the problem is that we're using a programming language at all. We've just reinvented the biggest, clunkiest wheel on the planet.

Look at the number of projects that are taking programming code, or in some cases bytecode, and compiling it up to JavaScript (GWT, Pyjamas, Emscripten, CoffeeScript, and the rest). If we replace JS for Lua, we'll need to write a new generation of tools to compile everybody's programming language into Lua. Can we please have a standardised low-level virtual machine (hint) that will run in all browsers, which all languages can target, so we don't have to go through the ridiculous hoop of taking, in many cases, low-level statically typed code, throwing away all the type information and converting it into high-level dynamic scripting code, and then having the browser optimise the hell out of it and try to figure out the types? Google's PNaCl is apparently going to get the ball rolling on this, with LLVM.

Re:Astroturf much?

[Unoriginal_Nickname]

XNA doesn't have a particularly good OpenGL implementation? As someone with years of experience with XNA, Direct3D, OpenGL, and even some experience with WebGL, I feel ethically responsible for saying that you have absolutely no idea what you're talking about at all.

Re:I don't get it

[amorsen]

So they're saying that enabling shader code execution allows web sites to exploit hypothetical vulnerabilities in the graphics driver?

They're not particularly hypothetical. Graphics driver code is such that games programmers carefully work around bugs in order to not crash anything. Imagine if every program running on the main CPU had to carefully avoid certain instruction sequences in order to not crash the system -- would you run a multi-user system on that?

Then again, that was how it was in the 80's on many time sharing systems...

Re:I don't get it

[Peter+Amstutz]

The key here is "attack surface". Having relatively uninhibited access to low level graphics APIs that were not previously assumed to be public means there are probably lots of bugs with security implications. I wouldn't be surprised if graphics drivers eschew error checking in order to gain performance, but now malicious programmers can use that to crash the browser or OS. Shader compilers are also quite complex, and may present opportunities for specially crafted invalid programs to overflow buffers or otherwise screw things up. Security has always always always taken a back seat to performance in the graphics world, and it may take a while for the driver writers to come around.

Re:I don't get it

[Bengie]

Your JS interpreter doesn't run at kernel level with full access to your low level hardware.

JavaScript, GPU, and graphics

[tepples]

Javascript is a language for use on the Web. You know, hypertext: text, links, and images.

Another word for "images" is "graphics".

There's no reason ever for this to have access to your GPU.

"GPU" stands for "graphics processing unit". You appear to claim that a language for use in a graphical environment shouldn't have access to capabilities exposed by a graphics processing unit. Can you clarify?

Are people clamoring to play processing-intensive 3D games in a web browser?

Yes. Otherwise, Adobe would not have added rudimentary 3D capability to Adobe Flash.

Re:JavaScript, GPU, and graphics

[tepples]

A web browser is not a video game console

Millions of FarmVille fans would disagree with your claim. Browser-based video games have been around since Flash and DHTML first came into use.

Re:I don't get it

[Dutch+Gun]

Because, like Adobe formats before it (like PDF or Flash), graphics card drivers were designed well before any serious thought was given to security issues. Even now, graphics drivers are 100% focused on speed, speed, speed, and security concerns are probably barely even on the radar. As GPUs move closer to general-purpose computing devices with true logic paths, this problem is only going to get worse. In other words, it's probably a softer target than a Javascript runtime environment is, and that's saying something, given how many Java-based exploits there are.

One of the big problems of coders is that most of us don't give much thought to how technology can be abused. It either takes a security consultant or a lot of experience dealing with folks that actively attempt to exploit your products to get in the correct mindset for net-based development. I'm an MMO developer, and any new feature we come up with has to be prefaced with "how could this be abused or exploited?" Sort of frustrating, but that's the way it goes.

It's going to take a different inherent mentality when dealing with Internet technologies going forward in order to keep things actually secure, but honestly, I'm not really sure if or when that's actually going to happen. People are too dazzled by shiny new technology still, and just rush forward without seriously considering security.

Not that big deal

[rasmusneckelmann]

I doubt this is going to be a major cause of future security problems.

As far as I'm aware, WebGL is only allowing shaders to be specified in GLSL which is a pretty high level shading language. Obviously there's no such thing as pointers, and unlike something like javascript there's no interaction with complex objects. Shaders form a very clean and thin interface, basically just being a bunch of floating point vector operations. The only complex objects you're really going to interact with is various texture samplers.

It's easy to make a dangerous bug in a javascript interface to a complete HTML DOM object (or whatever else you can do in javacript these days), it's much harder to make a dangerous bug in a function that calculates a dot product. Sure, shaders are more complicated than that, but you get the drift.

To disable WebGL in FF4

[molo]

about:config

webgl.disabled = true

-molo

Doesn't Linux solve this?

[ShawnX]

With Mesa and at least, Radeon drivers all commands written to GPU are checked by a parser to prevent certain violations from occurring? The CP (Command Parser) in the Mesa/Gallium3D driver checks all commands written.

Much ado about nothing

[KewlPC]

For the most part this is a lot of security handwaving.

While the GPU itself can do DMA and whatnot, shaders don't have access to any of that. If a shader can access texture memory that hasn't been assigned to it *in certain browsers* then it sounds like a bug in the browser or the browser's WebGL plugin. Being able to "overload" the GPU and blue screen the computer sounds like Yet Another Windows Bug.

A shader isn't just some arbitrary binary blob that gets executed directly by the GPU. Even native programs can't do this. You provide the driver your shader source code, the driver does the rest. It's intentionally a black-box process so that the driver can optimize the shader for the GPU and not force a specific instruction set or architecture onto GPU designers. Thus allowing the underlying GPU design to evolve, possibly radically or in unforseen ways, without breaking compatibility.

Furthermore, a shader can only access memory via the texture sampler units, which must be set up by the application. If the WebGL application (which is just JavaScript) can set things up to access texture memory it isn't supposed to be able to, the problem is with the WebGL and/or HTML5 implementation, not the concept of WebGL or the GPU driver.

Misleading

[Eravnrekaree]

This is overstated and inaccurate headline. A large area of harm can come from a software application accessing memory space which is a hardware adapter mapped into address space of the app, and manipulation of pointers and so on. This is a issue with C level programming where you have direct access to memory addresses and pointers. A javascript implementation of WebGL does not offer access to OpenGL functions by addresses or pointers to the functions at all. Instead it should use a dispatch table below the javascript environment. JS is thus isolated from direct access to hardware and IS NOT using hardware addresses in any way to access functions.The WebGL program can only therefore access the functions via that dispatch table. There are still possible issued with problems with the OpenGL API itself that may need to be addressed for safety. However, direct access to video hardware by a Javascript app is out of the question, it should not be done, and should not be allowed in a Javascript environment. the Javascript is a sandbox and does not provide direct access to memory address space, system calls or other such things. if security is a concern, due to Hardware faults that could be triggered by sending a series of OpenGL commands, the web browser can be configured to use software renderer instead of the hardware rendering, or selectively block that series of OpenGL commands in some way. If there are significant problems with hardware rendering, that may be sometjhing that may have to be considered as a default option. this is something that can affect all applications that are used over a network including gaming applications, since, even a gaming app that sends abstracted updates such as "soldier moves forward 200px" can trigger OpenGL calls in a predictable way. However, these nor WebGL should not expose the graphics hardware directly to Javascript or the network protocol, nor the address space, only OpenGL functions can be called by some sort of token or symbol which is contained within the sandbox environment and does not directly referfence a memory location. Those OpenGL functions are used by a wide range of different network applications, so this is not a problem particular to WebGL.

I am a web rendering engine developer so I have an interest in making sure these things are safe. If necessary we will software render by default until we can be sure about safety with direct rendering. Furthermore this is not a WebGL problem,s, these are bugs in OpenGL itself. There are software rendering workarounds. So this will not affect the availability of WebGL.

I do support WebGL since it will help the web environment compete against Flash.