[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] CORS and resource provider awareness

On Thu, Nov 1, 2012 at 8:12 AM, Mark Callow <callow.mark@artspark.co.jp> wrote:

I'm not trying to enforce specific sync'ing restrictions. I'm trying to find ways to introduce enough noise that a rogue app. can't reliably determine how long rendering is taking.
I think that attempt is futile because you can't control the driver and because actually waiting for rendering to be finished enables such things as fast large matrix transforms in JS on the GPU, screenshotting your 3d content with toDataURL etc.

In the end you're dealing with a machine you can't change and with usecases you wouldn't want to kill. So I think accepting that you will always be able to use timing attacks is essential, because the very same property that makes timing attacks possible makes useful usecases possible.

You could attempt to add "artificial fuzz" but that's just degrading everybodies performance because: blocking time of render+ random fuzz > blocking time of render