WebGL vulnerabilities [LWN.net]

By Jake Edge
May 25, 2011

A recent report that highlighted some potential and actual security vulnerabilities in WebGL has been widely circulated. It should probably not come as a surprise that a new whiz-bang feature that is meant to allow web content to interact with complex 3D graphics hardware might lead to problems. Since it is all-but-certain that browser makers will be enabling—in many cases already have enabled—this feature, it will be interesting to see how the security holes will be filled as they make their way from theoretical to actual vulnerabilities.

WebGL is a low-level 3D graphics API that is based on the OpenGL ES 2.0 standard implemented by libraries for most fairly recent 3D graphics cards. For browsers with WebGL support, the HTML canvas element can be used to display accelerated graphics in the browser that can be controlled via JavaScript. For gaming, exploring 3D landscapes, undoubtedly annoying advertisements, and plenty of other uses, WebGL will be a welcome addition to web browsers. But allowing arbitrary content flowing across the internet to interact with complex hardware certainly seems like it might lead to security problems.

Graphics hardware typically consists of one or more graphics processing units (GPUs) that are accessed through a driver. The driver provides some standardized interface to higher-level libraries that implement a graphics standard like OpenGL. But, in order to provide the most flexibility for graphics programmers, much of what gets handed off to the libraries are special-purpose programs called shaders. Shaders are written to handle the complexities of the graphics to be rendered, and the libraries and drivers turn those programs into the proper form for the GPU(s) in the hardware.

Essentially it means that malicious web sites can craft semi-arbitrary programs to run on the hardware of the user. That alone should be enough to give one pause from a security perspective. One obvious outcome is that malicious shaders could be written to essentially monopolize the graphics hardware, to the detriment of anything else that's trying to write to the display (e.g. other windows). In the worst case, it could lead to the user having to reinitialize the graphics hardware—possibly requiring a reboot.

That kind of denial of service could be extremely annoying to users, but doesn't really directly impact the security of the desktop. It would not leak user data to the malicious site, though it could potentially result in data loss depending on what else the user was doing at the time. It is, in some ways, similar to the problems of malicious, infinitely looping JavaScript, which can lock up a browser (but not generally the whole desktop). Running browser tabs as separate processes, as Chromium does and Firefox is moving to, also mitigates the JavaScript problem to a large extent.

But that's not the only problem that the report from Context, a UK-based security consulting company, outlined. Another potential attack is a cross-domain image theft. When canvas elements include cross-domain content, say an image from another site, there is a "origin-clean" flag that gets cleared in the browser which disables some of the JavaScript functions that might be used to extract the, potentially sensitive, image data from the other domain. However, a malicious canvas element could create shaders that will effectively leak the image contents.

The attack relies on a technique long-used to extract cryptographic keys by doing a timing analysis. If shaders were written to take longer based on the "brightness" of a pixel, JavaScript could be used to regenerate the image based on how long each pixel takes to render. It is a complicated attack to do, and finding real-world exploits using it may be somewhat convoluted, but it is a cross-domain vulnerability. An example that Context gives is a victim site that puts up a specific profile image based on the session information stored in a browser cookie for the site, which gets sent to the site as part of the request for the image. The malicious site that included the victim image couldn't get at the cookie, but could infer the logged-in user by comparing the displayed image to a list of known "interesting" profile images.

Mozilla hacker JP Rosevear responded to Context's report noting that the cross-domain image theft problem is real, even though it may be difficult to exploit in practice: "While it is not immediately obvious that it can be exploited in a practical attack right now, experience in security shows that this is a matter of when, not if." His suggested fix is the cross-origin resource sharing (CORS) proposal that would allow sites to explicitly list which other sites can include their content.

The denial of service problem is harder, though. The only real defense against maliciously written shaders is to validate that code in ways that, hopefully, eliminates bad shaders. That, of course, is something of an arms race, so Rosevear also suggests that some kind of user confirmation before displaying WebGL content may be required.

There are also some efforts afoot to try to handle denial of service issues in the hardware itself. GL_ARB_robustness (and GL_ARB_robustness_2) are mechanisms that the hardware makers can use to detect these kinds of problems and reset the hardware when they occur. As Context's FAQ indicates, though, that may not be real solution in the long term:

The resetting of the graphics card and driver should be seen as a crutch to OS stability when exceptional conditions occur and not as a mechanism to protect users from malicious code. Resetting the graphics card isn't guaranteed to be a trouble free operation; all other users of the graphics subsystem will need to correctly handle the event. The graphics stack would have to ensure that any hardware resources are recreated before use to guard against another application misusing it. This operation, while not causing a DoS [denial of service] directly, could still indirectly [affect] the entire system and the applications running on it.

From a security standpoint, allowing any random web site to send code that is more-or-less directly executed on system hardware is always going to be somewhat problematic. Rosevear points out that there is separation between the components of WebGL that should provide some isolation: "Nevertheless, claims of kernel level hardware access via WebGL are speculative at best since WebGL shaders run on the GPU and shader compilers run in user mode." That assumes that the libraries and drivers don't have exploitable bugs of their own, of course. As Rosevear notes, "significant attacks against [WebGL] may be possible". This is clearly an area that bears watching.

(Log in to post comments)

WebGL vulnerabilities

Posted May 26, 2011 4:34 UTC (Thu) by bjacob (subscriber, #58566) [Link]

I'm disappointed to see this article on LWN since this has been a huge press failure 2 weeks ago and I was happy that LWN had stayed away from it.

The Context announcement had one useful bit of information: that the timing attack on shaders to get cross-domain images, that had been theorized on the public WebGL list (their announcement links to the archived email), was actually implementable. That was indeed important news --- I just wished Context had followed the standard practice of letting browser vendors know sufficiently ahead of time to fix the bug before it becomes public. Anyway, this has been the top area of focus of the WebGL working group since. You can track Mozilla's response to this here: https://bugzilla.mozilla.org/show_bug.cgi?id=656277

Unfortunately, this interesting part of Context's blog post is not what caught the most attention from the press. Rather, what generated the most noise was Context's bold claims about the possibility of exploits:

"Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode)."

This sentence is wrong on several different levels, since WebGL shaders (contrary to desktop OpenGL shaders) are not Turing-complete, they run on the GPU where there is no such thing as "kernel mode", and in case they were instead talking about the shader compilers, these certainly don't run in kernel mode.

Context never says clearly that there are WebGL code execution exploits, but makes a series of vague claims like the above, and like this gem:

"These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable."

The key in the above sentence is "can". The English language is vague enough that "can" could mean "might perhaps" or "can for sure". This allowed Context, without ever claiming clearly that they know of any code execution exploit, to generate a huge stream of press articles.

Regarding the DOS issue, this has been openly discussed since the beginning, and WebGL has been very influential in nudging GPU makers to reduce the DOS risk. This has concretized in the form of the GL_ARB_robustness extension and a GL_ARB_robustness_2 extension is planned. Let's not forget that DOS risks are omnipresent, even without WebGL: for example, just creating a large array, reduces the amount of RAM available for other tasks. So handling DOS is all about mitigation and not about eradication. That's why Context is missing the point when it claims that ARB_robustness is not a solution to the DOS problem. To further put Context's claims into perspective, let's mention that WebGL doesn't even show up among the top 300 Firefox crashers: https://crash-stats.mozilla.com/topcrasher/byversion/Firefox/4.0.1 Of course the DOS problem is not only about Firefox crashes, but you get the idea.

Context is also wrong when it downplays the effectiveness of graphics driver blacklists. During the Firefox 4 Beta process, graphics driver bugs have often been the top crashers. Blacklisting has allowed to eradicate these crashes, to such an extent that they are no longer a significant source of crashes (see above crash-stats link). Blacklisting is also used to avert any kind of security flaw that we find. Firefox crash reports contain the information that we need to update the blacklist in an almost automatic way, and we can ship blacklist updates without requiring a software update. Moreover, by proactively documenting our blacklist, https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers we enable collaboration on it with other browser vendors, and this is already happening with another major vendor.

WebGL vulnerabilities

Posted May 26, 2011 12:59 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

>This sentence is wrong on several different levels, since WebGL shaders (contrary to desktop OpenGL shaders) are not Turing-complete, they run on the GPU where there is no such thing as "kernel mode", and in case they were instead talking about the shader compilers, these certainly don't run in kernel mode.

Well, command submission to GPU is performed in the kernel mode. And it contains quite a bit of non-trivial code (relocation handling, the whole GEM/TTM stack, etc.). Additionally, as far as I understand, closed-source drivers really have shader compilers in the kernel mode.

WebGL vulnerabilities

Posted May 26, 2011 13:20 UTC (Thu) by bjacob (subscriber, #58566) [Link]

Come on, the kernel mode driver is considerably less complex than the user mode part, and doesn't care about the details of what shaders do. And I've never seen a driver where the shader compiler was in kernel mode. Certainly not on Windows since the shader compiler is a DLL, D3DCompiler_43.dll; not on Mac either since I've seen lots of Firefox crash reports in the shader compiler showing that the compiler runs in the application process; and I *think* I've also seen such reports for the NVIDIA binary driver on linux too (plus, the NVIDIA linux kernel-mode driver is tiny and open-source and clearly doesn't have a shader compiler). So I really don't know any example of a kernel-mode shader compiler.

WebGL vulnerabilities

Posted May 26, 2011 14:08 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

The open source part of the nvidia kernel driver is tiny. The driver itself is 13MB, which is sufficiently larger than my actual kernel that I think "tiny" really isn't the word.

WebGL vulnerabilities

Posted May 26, 2011 14:23 UTC (Thu) by bjacob (subscriber, #58566) [Link]

I stand corrected:

$ ls -l `find /lib/modules/ -name nvidia.ko`
-rw-r--r-- 1 root root 14827598 Apr 1 23:33 /lib/modules/2.6.32-5-amd64/nvidia/nvidia.ko

So do you think that NVIDIA's linux driver has a shader compiler in the kernel mode part?

Is there any reason why they would want to do that, as opposed to running the compiler in user mode?

WebGL vulnerabilities

Posted May 26, 2011 14:29 UTC (Thu) by bjacob (subscriber, #58566) [Link]

`nm nvidia.ko` doesn't show anything about 'compile' or 'shader', but there are definitely lots of cryptic symbol names like _nv025298rm, no idea what they do.

WebGL vulnerabilities

Posted May 26, 2011 16:53 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Up to DX10 Windows graphics drivers worked totally in the kernel mode, without any usermode helpers (you can check it). So NVidia did have kernelmode compiler.

I guess that they just ported Windows code to Linux without rearchitecting it. They might have moved parts of the compiler to usermode, but there's still a huge amount of code in the kernel.

WebGL vulnerabilities

Posted Jun 10, 2011 1:36 UTC (Fri) by johntb86 (guest, #53897) [Link]

D3D Shader bytecode->gpu code compilation happens in kernel mode (session space) for XP and below. For Vista and above all shader compilation, even for D3D9, happens in usermode inside the process that created the shader. OpenGL shader compilation happens in usermode on every platform.

Infinite loops in JavaScript

Posted May 27, 2011 15:44 UTC (Fri) by Simetrical (guest, #53439) [Link]

It is, in some ways, similar to the problems of malicious, infinitely looping JavaScript, which can lock up a browser (but not generally the whole desktop). Running browser tabs as separate processes, as Chromium does and Firefox is moving to, also mitigates the JavaScript problem to a large extent.

Infinite loops in JavaScript will usually not lock up the whole browser. In Chrome, they usually only lock up the tab. (They might lock up other tabs in some cases, AFAIK, but they'll never lock up the browser UI, so you can always close the offending tab to stop the script.) In Opera, script runs in a separate thread, so the browser remains usable while script in running. IE9 works similarly to Chrome. I don't know about Safari. Firefox's UI does get locked up by script, but they're working on fixing that.

But even when the script does lock up the browser UI, all browsers normally pop up a dialog after a while giving you the chance to stop the script. And in the occasional case where Firefox seems not to do that, restarting the browser is usually a simple and effective solution, since it will remember all the tabs you had open, including (usually?) everything you've entered into forms, etc., and you can choose not to reopen particular tabs if they're causing trouble.

So it's not really comparable in the slightest. As for allowing embedding of cross-origin images in canvas but not giving script access to their content, well, that's usually a bad idea anyway.