[webkit-dev] Timing attacks in rendering, was: Re: Timing attacks on CSS Shaders
chuck at jumis.com
Thu Dec 8 13:51:23 PST 2011
On 12/3/11 11:37 PM, Dean Jackson wrote:
> On 04/12/2011, at 6:06 PM, Adam Barth wrote:
>> On Mon, Oct 24, 2011 at 9:51 PM, Adam Barth<abarth at webkit.org> wrote:
>>> Personally, I don't believe it's possible to implement this feature
>>> securely, at least not using the approach prototyped by Adobe.
>> I spent some more time looking into timing attacks on CSS Shaders. I
>> haven't created a proof-of-concept exploit, but I believe the current
>> design is vulnerable to timing attacks. I've written up blog post
>> explaining the issue:
> Thanks for writing this up.
> I'm still interested to know what the potential rate of data leakage is.
> Like I mentioned before, there are plenty of existing techniques that could
> expose information to a timing attack. For example, SVG Filters can
> manipulate the color channels of cross-domain images, and using CSS overflow
> on an iframe could potentially detect rendering slowdowns as particular
> colors/elements/images come into view. CSS shaders increase the rate of leakage
> because they execute fast and can be tweaked to exaggerate the timing, but
> one could imagine that the GPU renderers now being used in many of WebKit's ports
> could be exploited in the same manner (e.g. discover a CSS "trick" that drops
> the renderer into software mode).
> Is there something we can do to make rendering-based timing attacks
> less feasible?
> Or maybe rAF is inherently insecure?
Is there an active interest in investigating these issues? I understand
that CSS Shaders is bringing them to the forefront.
I am confident we can move Shaders forward in a limited and safe manner,
by starting first on CORS Media elements, essentially bringing them to
parity with WebGL Canvas.
That is to say: <canvas></canvas> -- with WebGL is up on the web and
tested as a means to apply filters to <img> and <video>.
Surely we can provide a CSS short-cut.
But back to my concern: Sometimes a new idea or use case brings up real
engineering issues that get pushed-back as people push-back on the use
case or broader implications. I experienced that phenomenon to a large
degree with the <canvas> tag in Canvas 2d. I'd like to do better with
Is there an objection to CSS Shaders for media elements, origin safe
video, img and canvas? They work in WebGL, they should work fine in CSS.
Is there reasonable support for investigating timing issues inside of
the browser? We have baseline issues from latency in network requests:
If I request an image from a site you've already visited, it's likely to
load quicker than a subsequent request for a random 404 page from that
site. I feel that this baseline issues can help us take some of the
controversy away from future studies on timing issues. They already
exist, they're accepted and acceptable for consumer-grade browsers.
I'm getting the feeling that these very interesting and important cases
brought up by Dean Jackson, are not being evaluated.
Webkit vendors, and many w3c vendors, should have an interest in seeing
So I'm reaching out here and saying, does anyone think this is a
worthwhile avenue for serious study? Is it simply not important for this
generation of browsers?
Though webkit has a bias against "scientific experiment" on the code
base, being that it's an "engineering" project, it seems to me like
engineering and science as well as security and quality, benefit from
asking these questions and doing focused research.
More information about the webkit-dev