Security tagged stories
WebGL pays strong attention to security - just as any web technology should. With growing recognition of WebGL in the press, we thought we would summarize Khronos' work and stance on this important topic.
- Khronos agrees that security is a vitally important consideration for any web standard. WebGL was architected with security in mind from the ground up.
- All WebGL implementations already necessarily contain safeguards which prevent out-of-range memory accesses during rendering operations and access of uninitialized memory; please see here and here. These safeguards are tested by the WebGL conformance suite.
- Defense against denial of service attacks is still evolving in WebGL implementations. Khronos has specified an extension to OpenGL and OpenGL ES, GL_ARB_robustness, designed to prevent denial of service and out-of-range memory access attacks from WebGL content, preventing any possibility of using WebGL to execute malware on a user's machine.
- GL_ARB_robustness has already been deployed by some GPU vendors and Khronos expects it to be deployed rapidly by others. Browsers can check for the presence of this extension before enabling WebGL content. This is likely to become the deployment mode for WebGL in the near future.
- The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent possible future abuse of this capability.
- The WebGL working group has been working closely with the GPU vendors in the Khronos group to make accelerated WebGL implementations secure and WebGL is influencing GPUs to provide even more flexible security options in the future.
- There are no known WebGL exploits and Khronos will continue to pay close attention to technical and ecosystem opportunities to ensure WebGL is a secure technology that can be used with confidence.
Additional information can be found here.
Updated May 16 2011
Avi Bar-Zeev, a Principal Architect at Microsoft, was disappointed by recent Microsoft headlines parroted from a recent security scare report. He writes "Is WebGL actually harming your computer in any way? I doubt that’s a serious or credible claim. And, frankly, if Microsoft has taken a formal position against WebGL, no one I know got the memo." Avi goes on to express his thoughts on the pros and cons of Microsoft supporting WebGL vs running away from it. If you have only 5 minutes to read something today, make it this well-thought-out article on the future of WebGL and your 3D user experience. Avi's article ends with "There is clearly only one direction forward for Microsoft and 3D on the web. WebGL is the way."
Dr. Jon Peddie from Jon Peddie Research has tried to make sense of the recent WebGL security issues raised by various companies. He writes "If we can never expose any graphics drivers to the web - we can never have ANY GPU graphics in the browser - and that’s not going to happen." Jon Peddie, recently named one of the most influential industry analysts, is frequently quoted in trade and business publications, contributes articles to numerous publications, and appears on CNN and TechTV.
Firefox 7 has just been released. Mozilla has identified and patched several vulnerabilities with regard to WebGL, including a critical security vulnerability.
AMD announced that MotionDSP has optimized the industry-leading Ikena ISR real-time video reconstruction software for OpenCL and AMD technology. Ikena ISR is a ground-breaking tool for real-time video processing and image enhancement, significantly improving video from Intelligence, Surveillance and Reconnaissance (ISR) sensors to help intelligence and defense analysts make accurate, immediate decisions in dynamic situations.
Firefox 8 adds support for a WebGL security feature: cross-origin resource sharing (CORS), which provides a secure method for loading textures from other domains.
Did you miss the WebGL Meetup we held alongside GDC last week? No worries, we recorded the entire meetup, and have posted it in four parts on YouTube (part one, two, three) and as podcasts. With Tony Parisi as moderator, the WebGL meetup covered lots of ground, including a spec update, lots of demos and a security corner with Ken Russell from Google. The slide presentation in PDF format from the meetup is also online.
ARES Security Corporation has announced AVERT 7, which improves the software's modeling capability with the use of the COLLADA model format. This format greatly enhances the re-usability of existing models in both open source and proprietary data sources, as well as the use of 2D & 3D geometry from existing data stores such as computer-aided design (CAD) and geographic information systems (GIS). AVERT visually depicts, analyzes and optimizes physical security.