

WebGL - A New Dimension for Browser Exploitation - pwg
http://www.contextis.com/resources/blog/webgl/

======
modeless
Response from Mozilla: <http://blog.jprosevear.org/2011/05/13/webgl-security>

~~~
nkassis
I think their response is very good. Basically Context is claiming that there
is a possibility of WebGL being used for kernel-level attacks but has not
shown any proof. And as for crashing users' machines, my boss reported that my
app crashed his computer a few times; now he's more careful to save all his
work before launching my app ;p But it hasn't happened in a few months now, so
I think I fixed it or his browser got updated. :)

~~~
ajross
The standard for security mitigation in architecture is now ... proof of
exploit? Seriously?

This issue is very real. Anyone who has ever done significant 3D work is aware
that these drivers crash machines regularly when exercised with edge cases.
Those crashes are all kernel exploits waiting to happen.

~~~
windsurfer
JavaScript, IE, and Skype are all very vulnerable to all sorts of security and
privacy problems, yet people still leave them on all the time.

I'd like to see some exploits first.

~~~
nkassis
That's sort of the way I see it: yes, gfx card drivers are terribly brittle, but
this is something the card manufacturers need to start looking into. We can't
blame this all on the people trying to bring something awesome like WebGL,
which I think is crucial for the future of things like ChromeOS. The browser
vendors are aware of the issues and do a lot of checking (at least Chrome does)
of shaders.

~~~
windsurfer
Checking is still obviously not the answer, due to the halting problem.

------
illumen
The old 3d driver model relied on trust. If you ran a 3d program, you had
probably installed it and you trusted it.

3d program writers spend a lot of time fixing bugs to try and make sure their
program does not crash users' machines. I've been writing 3d code for over 15
years now, and have yet to see a machine that I don't accidentally crash whilst
writing code against it.

This has all now changed. WebGL allows anyone to access a much greater section
of the 3d hardware than before. The 3d driver writers have not accounted for
this in writing their software.

Good for 3d drivers, because now there will be much wider testing with more
easily repeatable bug reports. Since it is such a nice attack vector, we
should also see more third-party testing. Also, this can only increase the
number of people using 3d, so driver writers will definitely need to spend
more work on making their code safer against evil input.

I don't think it is as bad with WebGL compared to what you can do with OpenGL.
There's less pointer passing of shared memory regions. Also, all the browsers
have blacklists for 3d hardware/OS versions already. So if a particular
card/driver combination is found to be buggy, they can blacklist it easily
for all users.

tl;dr it definitely is unsafe, but the sky isn't necessarily falling... yet.

------
comex
I can't count the number of different contexts where I've seen an OpenGL
application show a patchwork of chunks of different applications mixed with
crap... I wonder if a third type of exploit could send sensitive screenshots
back to the server by intentionally triggering such an uninitialized memory
bug.

