[webkit-dev] Timing attacks on CSS Shaders (was Re:Security problems with CSS shaders)

Vincent Hardy vhardy at adobe.com
Fri Dec 9 18:24:57 PST 2011 

Hi Nat,

I wont argue on how precise or not the timing channel is because I think, as I was saying below, that we need to protect against the threat no matter what.

Cheers,
Vincent.

From: Nat Duca <nduca at google.com<mailto:nduca at google.com>>
Date: Fri, 9 Dec 2011 16:30:50 -0800
To: Adobe Systems <vhardy at adobe.com<mailto:vhardy at adobe.com>>
Cc: Adam Barth <abarth at webkit.org<mailto:abarth at webkit.org>>, "webkit-dev at lists.webkit.org<mailto:webkit-dev at lists.webkit.org>" <webkit-dev at lists.webkit.org<mailto:webkit-dev at lists.webkit.org>>
Subject: Re: [webkit-dev] Timing attacks on CSS Shaders (was Re:Security problems with CSS shaders)

I do not think its safe to assume that timing of CSS shaders is coarse. webkitRequestAnimationFrame tells you when the browser draws. If you start with something that takes exactly 16ms to composite, then everything you add to it from there is timing..



On Fri, Dec 9, 2011 at 2:40 PM, Vincent Hardy <vhardy at adobe.com<mailto:vhardy at adobe.com>> wrote:

On Dec 7, 2011, at 7:29 PM, Adam Barth wrote:

> On Wed, Dec 7, 2011 at 7:23 PM, Vincent Hardy <vhardy at adobe.com<mailto:vhardy at adobe.com>> wrote:
>> @chris
>>
>>>>  So I take back my statement that CSS Shaders are less dangerous than
>>>> WebGL. They are more!!!
>>
>> It seems to me that the differences are:
>>
>> a. It is easier to do the timing portion of a timing attack in WebGL because
>> it all happens in a script and the timing is precise. With CSS shaders, the
>> timing is pretty coarse.
>>
>> b. The content that a CSS shader has access to may be more sensitive than
>> the content a WebGL shader has access to because currently, WebGL cannot
>> render HTML (but isn't it possible to render an SVG with a foreignObject
>> containing HTML into a 2D canvas, and then use that as a texture? In that
>> case, wouldn't the risk be the same? Or is the canvas tainted in that case
>> and cannot be used as a texture?).
>
> Bear in mind that these security problems have been addressed in
> WebGL.  WebGL no long suffers from these vulnerabilities.

Yes, I understand WebGL now assumes CORS for allowing/disallowing access to resources. But my point was to clarify what is possible in terms of timing and what is possible (or may become possible) in terms of rendering.

Timing on CSS shaders is coarse (because there is not precise way to time how long rendering of the shader takes unlike in WebGL). The attacker would rely on requestAnimationFrame, and the time that is measured with that method includes other processing than just the shader. So the timing measure is rough. It is definitely important that we protect against the threat, but my point is that the time measure is not great.

>
>> @charles
>>
>>>>  Can this proposal be moved forward on CORS +
>>>> HTMLMediaElement, HTMLImageElement and HTMLCanvasElement?
>>
>> At the last FX meeting, I got an action to sync. up with the CORS group and
>> discuss how CORS would apply to CSS shaders.
>
> It's very unclear to me how CORS can help in this situation.  Can you
> explain what you have in mind?

When a shader that applies to an element comes from a different origin than the rendered content, then rendering of the element would be blanked. The shader origin would be the shader's own url, the url of the page it is embedded in or the url of the script that created it dynamically (e.g., by injecting one dynamically with data: url for example, something Dean just mentioned to me in a conversation we had). If there is any mismatch between the origin of the shader and the origin of the shaded content, then the rendering would be blanked (unless CORS on the shaded content gives permission to the shader's origin). This would be done recursively on the content. It is unclear to me if any mismatch should blank out the whole rendering or if only the nodes in the tree that do not match should be blanked.

The action item is to discuss this with the WebApps group.

Kind regards,
Vincent
_______________________________________________
webkit-dev mailing list
webkit-dev at lists.webkit.org<mailto:webkit-dev at lists.webkit.org>
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20111209/1256b97e/attachment.html>

More information about the webkit-dev mailing list