Slashdot Mirror

← Back to Stories (view on slashdot.org)

WebGL Flaw Leaves GPU Exposed To Hackers

Posted by Soulskill on from the out-in-the-cold dept.

recoiledsnake writes "Google spent a lot of time yesterday talking up WebGL, but UK security firm Context seems to think users should disable the feature because it poses a serious security threat, and the US Computer Emergency Readiness Team is encouraging people to heed that advice. According to Context, a malicious site could pass code directly to a computer's GPU and trigger a denial of service attack or simply crash the machine. Ne'er-do-wells could also use WebGL and the Canvas element to pull image data from another domain, which could then be used as part of a more elaborate attack. Khronos, the group that organizes the standard, responded by pointing out that there is an extension available to graphics card manufacturers that can detect and protect against DoS attacks, but it did little to satisfy Context — the firm argues that inherent flaws in the design of WebGL make it very difficult to secure."

15 of 120 comments (clear)

  1. dupe by erroneus · · Score: 3, Informative

    dupe dupe dupe

    1. Re:dupe by Shotgun · · Score: 3, Insightful

      Do you mean that the article is a dupe, or that Google is duplicating the mistake Microsoft made with ActiveX and the whole "it is so convenient to let anyone in the world do whatever they please on my computer" mentality?

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    2. Re:dupe by Desler · · Score: 3, Insightful

      Don't worry, just like with the previous story they'll just claim it wasn't a flaw in Chrome (despite it bypassing the Chrome sandbox) and downplay it.

  2. I asked about this at Google I/O! by MostAwesomeDude · · Score: 4, Insightful

    http://www.youtube.com/watch?v=WgbK0ztUkDM&feature=player_detailpage#t=3195s is the video. In short, I asked the NaCl guy whether they knew what they were doing by letting NaCl clients access GPUs directly. His response was that they were doing everything WebGL does to protect the system from malicious code. That's unfortunately not sufficient.

    --
    ~ C.
  3. Re:When will it end? by pushing-robot · · Score: 3, Funny

    Welcome to "Everyone Else"—we're happy to have you as a member! Here's your complimentary iPad.

    --
    How can I believe you when you tell me what I don't want to hear?
  4. Horrible Article by ace123 · · Score: 5, Interesting

    This is nothing more than a scary article about the well-known risk of denial-of-service and using shaders to extract pixels from a remote image -- and the media is slurping it up, using senteces like "run arbitrary code on the GPU ... render an entire machine unusable". Ugh.

    It's a completely over-hyped article about something the spec designers have known since day one. The article takes the fact that bad OpenGL drivers can crash a computer to mean a security hole, something which driver vendors are actively participating in resolving for future cards.

    I wasted my time reading that whole report a few days ago, and it basically said nothing that wasn't obvious and well-known. The only thing new is they are showing that there is no way to stop GPU code from extracting pixels from remote images embedded in a canvas, which is a real "security" hole, though there's not a whole lot of use for this.

    Basically, the extent to which this *should* affect webgl is that they will disallow textures from remote sites -- in other words, it could add an extra annoying implementation step for collaborative spaces that could include models from multiple sites. Also, they might choose to add an Infobar to prevent arbitrary websites from crashing the computer or making it run slowly.

    However, thanks to the media slurping this up and using words like "run arbitrary code on the GPU", "render an entire machine unusable", etc., people who read these articles and know nothing about the subject (i.e. idiots) will start to ask browser vendors to turn those features off. But to be honest, I hope people aren't this stupid and "FUD"-y articles like these are forgotten.

    Also, the title is plain misleading -- a denial of service attack on buggy drivers should not be described as "Leaves GPU Exposed". A website can not in any way take advantage of crashing a user's computer, and browser vendors will quickly respond with a blacklist patch when they learn of the affected GPU.

    If you disagree with anything I said, feel free to comment and I'll explain in more detail why what the article describes are not "security issues" in WebGL.

    1. Re:Horrible Article by Anonymous Coward · · Score: 3, Insightful

      "A website can not in any way take advantage of crashing a user's computer"

      Except those crashes are usually caused by buffer overflows which eventually lead to a well-crafted attack that causes remote code execution.

    2. Re:Horrible Article by ace123 · · Score: 2

      You said usually. That's not true in 99% of cases -- if you read the article (which is unfortunately slashdotted), the specific crashes in this case are in locking up the GPU itself by taking too long to render frames. This means that the computer will reset due to its watchdog timer, not because any malicious code was executed on the CPU.

      You are correct that the occasional graphics driver might be buggy, and that's why Mozilla has a whitelist of graphics manufacturers and cards that are actively patching their drivers, and a blacklist of any drivers which are out of date, incorrect, or may otherwise have a bugs.

      Not to mention a shader validator both in Chrome and Firefox (The ANGLE project) which will check for any malicious code. Yes, there may be bugs in any of these components, but this is defense in depth, and all of these components are going to be quickly patched and/or blacklisted if an exploit is found.

    3. Re:Horrible Article by Mysteray · · Score: 3, Interesting

      I agree it's misleading to imply that there's a specific 'flaw' that leaves the GPU 'exposed'. That's the entire point of WebGL: to expose the GPU to web applications. Whether or not you think that's a good idea depends on where you fall on the security vs. functionality spectrum. It's an interesting discussion.

      Look at it this way: GPUs are extremely complex hardware/software combination systems representing a huge attack surface. They're designed either for zero-cost (integrated graphics) or maximum game performance. Security has never been a big driver for this market. Newer graphics engines like WebGL allow the GPUs to be programmed with somewhat arbitrary code. These programs need lightning-fast parallel access to several different kinds of memory and the security model for this programming environment looks something like an afterthought.

      Once again, the developers probably thought they didn't need to put security first since the primary use case was running trusted applications on single-user systems (e.g., games).

      It's not uncommon to see crash bugs in GPU systems. They look a heck of a lot like the blue screens that used to plague MS Windows. There's no reason to think these bugs will be any less exploitable than those of Windows XP SP 0. We've seen this play out with Adobe Acrobat reader, Flash, and any number of other binary browser plugins. Hopefully the graphics developers are better, but their challenge is much harder too.

      In short, all the ingredients are present making in the recipe for disaster. It's probably only a matter of time for exploitable vulnerabilities to surface. I don't think we should kill off WebGL altogether, but the right thing to do is to put the focus on its security.

      Personally, I look forward to using it, but I'm going to turn it off by default. I'm counting on noscript to let me enable it selectively. This is just good practice anyway.

  5. How About the Response, Slashdot? by asa · · Score: 3, Informative

    Slashdot really should have published a link to this response from Mozilla http://blog.jprosevear.org/2011/05/13/webgl-security/

  6. The whole thing... by fyngyrz · · Score: 3, Insightful

    ...is part of a serious cultural error being made: an impetus by hopeful marketers towards applications that run in/on the browser rather than in the user's machine. Both putting data "in the cloud" and running apps "from the cloud" are fraught with pitfalls; insightful users (a minority, as always) will resist this trend with traditional in-machine applications and fully local storage of data. The rest will suffer as corporations (continue to) misuse their data.

    The key issue is: Putting your data in the hands of those you don't know is a uniformly bad idea. So is giving control of your computer's execution to those you don't know. There is no remedy for this kind of error, either -- once you hand your data over, you have lost control of it, and in turn, you have lost control over the consequences of random third parties misusing your information.

    The good news is that we have a broad set of extremely powerful applications available to us that run well in the local environment. Word processors, spreadsheets, sound, image and video editors, music and video library engines, educational software and a whole host more are all very well populated with traditional applications, so for the thinking user, there is no need to "go to the cloud" for classic compute tasks. Instead, the net can be used for communications, both as its heritage dictates and as the most sensible domain fit, while personal data and execution permissions remain secure in and at the local environment.

    To help protect yourself, I suggest beginning by disabling flash, scripting and use only CSS/HTML in the web-facing interface. As a side benefit, surfing is much more pleasant without pop-overs, flash ads, and many other corporate infections of the network.

    Neither Google or any other corporation has your best interests in mind. Start from that understanding, and the world will make considerably more sense.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:The whole thing... by SanityInAnarchy · · Score: 2, Insightful

      insightful users (a minority, as always) will resist this trend with traditional in-machine applications and fully local storage of data.

      Let's hope those insightful users are also insightful enough to actually have backups.

      The key issue is: Putting your data in the hands of those you don't know is a uniformly bad idea. So is giving control of your computer's execution to those you don't know.

      And it's not possible to avoid both of these, sorry. In fact, it's not possible to avoid the latter at all.

      The good news is that we have a broad set of extremely powerful applications available to us that run well in the local environment.

      The bad news is that any local application has at least as much access as these web apps do.

      To help protect yourself, I suggest beginning by disabling flash,

      Thus "protecting" yourself from YouTube, FreeFillableForms (the only way to file US taxes online that I know of), etc.

      scripting

      Thus "protecting" yourself from things like Gmail, Google Instant Search, and... Do I really need to spell it out? I get the noscript mentality, but disabling these things entirely is both paranoid and backwards. It's a bit like unplugging your machine from the Internet -- sure, it's more secure, but it's also much less useful.

      As a side benefit, surfing is much more pleasant without pop-overs, flash ads,

      For which we have more specific approaches, like Adblock.

      Neither Google or any other corporation has your best interests in mind.

      It does help when their interests are aligned with yours, however, and this usually isn't hard to determine. But I'm again at a loss to how you get from that understanding to railing against applications in the browser. The browser application has only the data I allow it. The local application, unless I take great pains to sandbox it, has access to everything I have locally and the network. I can understand wanting to be sure your data is stored safely, whatever "safely" means to you -- I care less about privacy and more about reliability, but you can tweak both knobs as you like. But given the choice between an application that runs locally, and one which runs in the browser, which is already a sandbox, I'll choose the browser app every time unless I have a compelling reason to trust the application and sensitive data I don't want to leave my machine -- and even in that case, it's possible to run some web apps offline and, at the user's discretion, give them more access than any arbitrary web app should.

      --
      Don't thank God, thank a doctor!
  7. Been there, crashed X11 by greed · · Score: 2

    I've already had a newer version of Firefox crash an older X11 display driver. Absolutely rock solid on Firefox 3.6 and down, and every other program I want to run. But the new GPU acceleration in Firefox? Could cause all of X11 to go away.

    And Flash inside Firefox would pretty much guarantee a visit from the Coredump Gods. Fixed with a newer driver, but man is updating annoying.

    Kinda sad that "web browsing" is the most intense job run on my work machine. I would have thought the massively parallel builds, or data simulation code, or something that actually pegs all the CPUs would be it. But no, it's the web.

  8. Still Much Ado About Nothing by KewlPC · · Score: 2

    As with the previous article, this is much ado about nothing.

    The GPU can only run "arbitrary code" in the loosest possible sense. What happens is that an OpenGL or WebGL application gives the shader source code to the driver, which then compiles it into the native GPU instructions. You *can* pre-compile your shaders in OpenGL ES 2.0, but even then it's just intermediary bytecode, and the bytecode is vendor-specific.

    Furthermore, GLSL, the language used for OpenGL and WebGL shaders, is *very* domain-specific. It has no pointers, and no language support for accessing anything outside the GPU other than model geometry and texture data. *AND* it can only access the model geometry and texture data that the application have provided to it, and for GPUs that don't have any on-board VRAM it's up to the *driver* to determine where in shared system memory that the texture will be located.

    And you can't get around using shaders on modern GPUs. Modern GPUs don't have a fixed function pipeline, it's not in the silicon at all. For apps that try to use the old OpenGL fixed function pipeline, the driver generates shaders that do what the fixed function pipeline *would* have done based on the current state. Drivers won't keep emulating the old fixed function pipeline forever, though.

  9. Re:ffs by Technomancer · · Score: 3, Interesting

    Can you promise that no SIMD scatter can be performed with offsets that it shouldn't?

    Yes I can. For instance in ATI r6xx it can only go to a surface defined by SX_MEMORY_EXPORT_BASE/SX_MEMORY_EXPORT_SIZE described on page 127 here http://www.x.org/docs/AMD/R6xx_3D_Registers.pdf
    In addition to that system memory is mapped to GPU via GPU VM page table, so only pages that were allocated by the process and that the kernel driver mapped into VM graphic context. See /usr/src/linux/drivers/gpu/drm/radeon and grep for VM_
    So there are two layers of hardware enforced protection in addition to software command buffer parser that checks the addresses. Safe enough for you?