
WebGL is Fundamentally Flawed

But there's more! Not only is WebGL inherently flawed, but Google, one of WebGL's strongest proponents, even knew about the DoS and cross-domain image vulnerabilities months before they were thrust into the limelight by Context's report. Not deterred by these flaws in the WebGL spec or its implementation, Google pushed ahead and turned on WebGL by default in February 2011, in Chrome 9.

As terrifying as that is, we now have to wonder why Google rushed the deployment of a nascent, dangerous technology. Hardware-accelerated HTML5 Canvas and JavaScript were coming along very nicely, and indeed Google led the charge on breakneck JavaScript in 2008 and 2009, so why the sudden need to throw WebGL into the mix? Could it be because Internet Explorer 9 came out and matched or bettered Chrome's 2D performance?

It is telling that Google of Microsoft's famous FishIE Tank benchmark at Google I/O in May. Back in 2010, when all three browser vendors were rushing to one-up each other, Chrome never quite managed to beat IE9's FishIE Tank scores. Instead of a confrontation, is it possible that Google simply shifted gears to WebGL, a technology that Internet Explorer has no intention of supporting? After all, Chrome's main draw is its speed, and if IE is demonstrably faster, then Google is in trouble.

Irrespective of whether Google strong-armed the introduction of WebGL or not, the fact remains: WebGL is now included by default in the world's second and third most popular browsers. Apple will be including WebGL support in the version of Safari that ships with Mac OS X Lion, and Opera is toying with WebGL in its development builds. The cat is well and truly out of the bag, and it's missing a leg.

So what can we do about it? If you're really concerned about the security implications of the flawed, another-0-day-vulnerability-is-just-around-the-corner spec, it's very easy to disable WebGL in Firefox and Chrome. It's also not too late to simply retire WebGL and seek out a new specification for web-facing, low-level 3D graphics. Instead of asking the Khronos Group to work on it, ask a real, tried and tested, web-facing consortium to design the new specification. Instead of utilizing some kind of Frankenstein stopgap, a web-based 3D technology should be a web technology. In short, we should ask the World Wide Web Consortium (W3C) to create a specification for 3D graphics that can proudly stand alongside HTML, CSS, and JavaScript.

First of all, even OpenGL applications don't have such a thing. Even in OpenGL, shaders can only execute a small set of operations that revolve around computing colors and vertex positions. Then, WebGL shaders are more restricted than OpenGL shaders (no dynamic control flow, etc). Then, WebGL implementations don't even allow scripts to pass any string as a shader straight to the GPU; instead they compile it first with the ANGLE compiler to check that it's valid, and since WebGL shaders don't have dynamic control flow, you could check about everything by static analysis.

That's not to say that it can't be secured, but as it stands, as the specification is outlined, I think it's only a matter of time until a WebGL flaw is found which allows elevated access to the GPU (or other hardware).

The hole will be fixed, like the DoS and cross-domain image exploit (yay Mozilla!), but I'm more worried that bugs like cross-domain imaging were identified but still ended up in production builds of Firefox and Chrome.

Do you think that similar bugs will be found in the future? Do you think that another, more inherently secure spec could replace WebGL?

It sure has a more direct line to the _GPU_ than any other Web technology, but other web technologies have a more direct line to other, actually even more important, parts of the hardware. For example, JIT-compiled JS has a pretty direct line to main memory and the CPU.

> That's not to say that it can't be secured, but as it stands, as the specification is outlined, I think it's only a matter of time until a WebGL flaw is found which allows elevated access to the GPU

First of all, exploits are possible in any piece of code, so here I focus only on what is specific to the WebGL spec and GPUs, and not on any bug that a particular WebGL implementation might have, like any other piece of code.

The thing that one might legitimately fear with WebGL is that a shader would make an illegal access to video memory, allowing it to read video memory belonging to another page or application. However, if that ever became a concern, since everything a WebGL shader does can be statically checked, it would be possible to check for that in the ANGLE compiler. A bug has even been filed on the ANGLE bug tracker about that, so you can track progress on this (if this ever gets deemed necessary):

If you're wondering why this bug is only concerned with uniform arrays and not other kinds of video memory buffers, that's because that's the only case where the shading language itself doesn't have completely well-defined semantics. In other cases, out-of-bounds access is simply impossible. For textures, the semantics are explicitly controlled by texture wrap modes.

> The hole will be fixed, like the DoS and cross-domain image exploit (yay Mozilla!), but I'm more worried that bugs like cross-domain imaging were identified but still ended up in production builds of Firefox

> Do you think that similar bugs will be found in the future?

Of course, security vulnerabilities are found all the time, everywhere. That's even more true in new technologies like WebGL that expand the attack surface in new ways.
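As an added example of the static check the comment above describes for uniform array indexing (this is illustration code written for this page, not ANGLE's or any browser's code), the toy lint below finds `uniform` array declarations in GLSL ES shader source and reports literal indices past the declared size, as well as indices it cannot evaluate. The `u_lights`/`u_weights` names and the sample shader are constructed.

```javascript
// Added illustration, not ANGLE's code: find `uniform` array declarations in
// GLSL ES source and report indices that are literals out of range or not
// literals at all (no constant folding, no loop-bound tracking).
const UNIFORM_ARRAY_DECL =
  /\buniform\s+(?:(?:lowp|mediump|highp)\s+)?\w+\s+(\w+)\s*\[\s*(\d+)\s*\]/g;

// Maps array name -> declared length; body is the source with comments and
// the declarations themselves removed so only uses remain.
function parseUniformArrays(src) {
  const code = src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/.*$/gm, "");
  const arrays = new Map();
  for (const m of code.matchAll(UNIFORM_ARRAY_DECL)) {
    arrays.set(m[1], parseInt(m[2], 10));
  }
  return { body: code.replace(UNIFORM_ARRAY_DECL, " "), arrays };
}

// Returns one finding per suspicious index expression.
function checkUniformArrayIndexing(src) {
  const { body, arrays } = parseUniformArrays(src);
  const findings = [];
  for (const [name, size] of arrays) {
    const use = new RegExp("\\b" + name + "\\s*\\[([^\\]]+)\\]", "g");
    for (const m of body.matchAll(use)) {
      const index = m[1].trim();
      if (!/^\d+$/.test(index)) {
        findings.push({ name, index, reason: "non-literal index, not verified here" });
      } else if (parseInt(index, 10) >= size) {
        findings.push({ name, index, reason: `out of bounds, declared size ${size}` });
      }
    }
  }
  return findings;
}

// Constructed sample fragment shader, not taken from the page.
const SAMPLE_SHADER = `
precision mediump float;
uniform vec3 u_lights[4];
uniform float u_weights[2];
void main() {
  vec3 c = u_lights[0] * u_weights[0];
  c += u_lights[4]; // one past the end: valid indices are 0..3
  for (int i = 0; i < 4; ++i) { c += u_lights[i] * u_weights[1]; }
  gl_FragColor = vec4(c, 1.0);
}`;

console.log(checkUniformArrayIndexing(SAMPLE_SHADER));
```

The loop index `i` is reported as unverified rather than safe: that is exactly the case a real compiler must resolve by bounding the loop or clamping the index.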

