

Khronos Releases OpenGL 4.3 Specification with Major Enhancements - Tsiolkovsky
http://www.khronos.org/news/press/releases/khronos-releases-opengl-4.3-specification-with-major-enhancements

======
scottfr
I noticed one bullet point:

"increased memory security that guarantees that an application cannot read or
write outside its own buffers into another application’s data"

I don't know much about OpenGL, but would this address some of the WebGL
security concerns?

~~~
cscheid
WebGL is based on OpenGL ES, not OpenGL. (ES here stands for "embedded
systems") Concurrently with OpenGL 4.3, Khronos also released OpenGL ES 3.0,
the update for the spec which can reasonably expected to guide a later version
of WebGL. On my reading, OpenGL ES 3.0 does not seem to require a comparable
level of data safety.

The security aspects of the interaction between GPU code and HTML clients are
all well-addressed by the current WebGL spec. Which particular concerns are
you talking about?

One possibility where the new OpenGL 4.3 requirements might help is in current
desktop WebGL implementations which translate WebGL (which is OpenGL ES) to
OpenGL (the desktop). But WebGL is sometimes translated to OpenGL, sometimes
to Direct3D via ANGLE, sometimes to OpenGL ES directly. Finally, relatively
few desktop drivers actually implement the latest OpenGL spec anyway; OS X
does not even have OpenGL 4.2 yet, despite being out for a long while now.

All this is to say that 1) I don't believe the new requirements will have no
immediate impact on WebGL security and 2) WebGL buffer security is a non-issue
(whether WebGL clients crash the video drivers or not is a different story).

~~~
malkia
Well for example an uint32_t index buffer - it might contain indices that are
outside of what's allowed. If the kernel/driver verifies this everytime, it
might slow down somehow the operation. It's totally possible that the
driver/chip somehow "clips" this, or being a bit of undefined operation -
simply ignores it.

There might be other cases too.

~~~
cscheid
WebGL mandates that the user agent check indices:
[http://www.khronos.org/registry/webgl/specs/latest/#ATTRIBS_...](http://www.khronos.org/registry/webgl/specs/latest/#ATTRIBS_AND_RANGE_CHECKING)

As I alluded above, the current WebGL spec is actually fairly well-designed
with respect to trying to crash display drivers.

The word "undefined" actually only appears once in the current spec, in a bit
about canvas drawing buffers being preserved across frames. And, in fact, in
that case it mandates implementations to clear the buffer before any WebGL
call can read the contents to prevent leakage.

Most of the claims of WebGL security issues are either to old versions of the
spec (which leaked data to shaders and led to things like timing attacks) or
are currently a bit on the hyperbolic side.

------
bryanlarsen
very useful summary:

[http://www.anandtech.com/show/6134/khronos-announces-
opengl-...](http://www.anandtech.com/show/6134/khronos-announces-opengl-
es-30-opengl-43-astc-texture-compression-clu)

------
ginko
One of the main problems of previous texture compression methods like DXT2 was
that they were encumbered in software patents.

This made implementing OpenGL in opensource quite problematic.

Does anyone know if this is also the case for ETC2 / EAC texture compression?
I didn't really find any details on this.

~~~
nitrogen
Read the summary posted by bryanlarsen:
<https://news.ycombinator.com/item?id=4345768>

Basically, ETC and ASTC are royalty-free parts of OpenGL.

------
Ra1d3n
naD Qo'noS Daq vam jaj

