
Re: [Public WebGL] Proposed change to WebGL spec section 4.2 (Security Origin Restrictions)



2010/10/7 Ilmari Heikkinen <ilmari.heikkinen@gmail.com>:
> 2010/10/7 Kenneth Waters <kwaters@google.com>:
>>> Alpha test happens after the fragment shader AFAIK, so I think it
>>> shouldn't have an effect on the execution time.
>>
>> There is no alpha test in WebGL, you use discard in the shader to achieve
>> the same effect.
>>
>>>
>>> Are there other possible leaks? Ways to use texture values to control the
>>> amount of fragments a fragment shader is called on.
>>
>> You can radically affect render time by controlling texture access patterns.
>>  If you have a bit of information you want to leak in "bit", draw a bunch of
>> full screen point sprites and draw with,
>> mediump vec2 coord = gl_PointCoord;
>> coord = texture2D(random_tex, coord).xy * bit;
>> coord = texture2D(random_tex, coord).xy * bit;
>> coord = texture2D(random_tex, coord).xy * bit;
>> gl_FragColor = vec4(coord.rg, 0., 1.);
>> If bit is 1. the shader will be memory bandwidth limited (virtually every
>> texture hit will be a cache miss), if bit is 0. the shader will be compute
>> limited.
>
> Oh nice, that's very hard to defend against. Guess the non-SO textures
> should be banned.
>

Actually, I think that this texture access pattern attack could be
detected by tracking variable use. Only allow untainted texture coords
in texture2D, and mark a variable as tainted if it is the lvalue of an
expression with a tainted rvalue or a texture2D call.
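As an added example (not code from this thread or from any WebGL implementation), here is a toy taint tracker in JavaScript that applies the rule proposed above to a simplified GLSL subset: it assumes one `[qualifiers] name = expr;` statement per line and that texture2D is the only sampling function, and it flags every texture2D whose coordinate argument depends on an earlier sampled value.

```javascript
// Toy taint analysis for a simplified GLSL subset, implementing the rule
// proposed above: a variable becomes tainted when assigned from a texture2D()
// result or from an expression reading a tainted variable; any texture2D()
// whose coordinate argument is tainted is reported. Assumptions (not from the
// thread): one `[qualifiers] name = expr;` per line, texture2D is the only sampler.
const IDENT = /(?<![.\w])[A-Za-z_]\w*/g;                 // skips swizzles such as .xy
const TEX_CALL = /texture2D\s*\(\s*\w+\s*,\s*([^)]*)\)/g; // captures the coordinate expr
const STMT = /^(?:\w+\s+)*?(\w+)\s*=\s*(.*?);\s*$/;      // lvalue, rvalue
function identifiers(expr) {
  return Array.from(expr.matchAll(IDENT), (m) => m[0]);
}
// Returns { tainted: Set<string>, violations: [{ line, lvalue, coord }] }.
function analyzeShader(source) {
  const tainted = new Set();
  const violations = [];
  const stmts = source.split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
  stmts.forEach((stmt, idx) => {
    const m = STMT.exec(stmt);
    if (!m) return;                       // statements without '=' are ignored
    const [, lvalue, rvalue] = m;
    let rvalueTainted = false;
    for (const call of rvalue.matchAll(TEX_CALL)) {
      const coord = call[1];
      if (identifiers(coord).some((id) => tainted.has(id))) {
        violations.push({ line: idx + 1, lvalue, coord });
      }
      rvalueTainted = true;               // sampled texel values are tainted
    }
    if (identifiers(rvalue).some((id) => tainted.has(id))) rvalueTainted = true;
    if (rvalueTainted) tainted.add(lvalue); else tainted.delete(lvalue);
  });
  return { tainted, violations };
}
// The dependent-fetch shader quoted above (constructed copy of the snippet).
const ATTACK_SHADER = `
mediump vec2 coord = gl_PointCoord;
coord = texture2D(random_tex, coord).xy * bit;
coord = texture2D(random_tex, coord).xy * bit;
coord = texture2D(random_tex, coord).xy * bit;
gl_FragColor = vec4(coord.rg, 0., 1.);
`;
// A plain textured fragment: coordinates never depend on sampled values.
const BENIGN_SHADER = `
mediump vec2 coord = gl_PointCoord;
vec4 texel = texture2D(tex, coord);
gl_FragColor = texel * 0.5;
`;
console.log(analyzeShader(ATTACK_SHADER).violations); // statements 3 and 4 flagged
console.log(analyzeShader(BENIGN_SHADER).violations); // []
```

Control flow, swizzled lvalues and `discard` are out of scope for this toy; a real checker would run the same propagation over the shader's AST.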
