
Re: [Public WebGL] GL_RENDERER string needed for performant apps



On Wednesday, January 15, 2014, Patrick Baggett <baggett.patrick@gmail.com> wrote:
A long time ago, I thought the main argument for this was the following use-case:

1) Vendor XYZ has buggy drivers that can be exploited via GL
2) Malicious site uses GL_RENDERER string to guess that the person has the buggy drivers installed.
3) Malicious site uses WebGL to trigger this.
4) System compromised / crashed.

Now, 2) isn't a sure bet since renderer <-> driver version isn't guaranteed, but if someone sees NVIDIA or AMD in it, they can at least ballpark it. This is probably the worst case scenario. (On the other hand, there is nothing stopping them from just doing 3) without using the GL_RENDERER string, so honestly, I'm not sure how much of a protection this really is - buggy drivers are buggy drivers, no way to get around that really.)

I'm not saying I buy this series of steps, but I don't think anyone has mentioned it yet (and if they have, I apologize o.o ).

Patrick

This was touched on in the document, but to clarify: A driver bug exists whether or not you know the device name. If an exploitable problem is discovered, it makes more sense for an attacker to simply try it and hope it works rather than filter their attack surface based on the RENDERER string. There's no scenario I can conceive of where hiding this information actually makes users safer from attack. That responsibility lies, as always, with the browsers' WebGL implementations and blacklists.

--Brandon
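An added example, not from either message in the thread: what a page actually learns about the GPU through WebGL, and how the "ballpark" from step 2) above works. The unmasked GL_VENDOR / GL_RENDERER strings are only readable through the WEBGL_debug_renderer_info extension (a real extension; whether to expose it is the policy under discussion). `makeFakeContext` is a constructed stand-in for a browser WebGLRenderingContext so the block runs offline, the sample renderer strings are constructed, and the vendor substring patterns in `guessVendor` are assumptions about typical strings, not a specification.

```javascript
// Added example (not code from the Public WebGL thread).
// Reads the masked and, where exposed, unmasked renderer strings, then
// applies the "if it says NVIDIA or AMD, ballpark it" heuristic.

// Real GL / WebGL enum values for the parameters involved.
const GL_VENDOR = 0x1f00;
const GL_RENDERER = 0x1f01;
const UNMASKED_VENDOR_WEBGL = 0x9245;
const UNMASKED_RENDERER_WEBGL = 0x9246;

// Read what the page can see. In a browser, pass
// canvas.getContext('webgl'); here a fake context is used instead.
function readRendererStrings(gl) {
  // The masked strings are always available and are deliberately generic.
  const result = {
    vendor: gl.getParameter(gl.VENDOR),
    renderer: gl.getParameter(gl.RENDERER),
    unmasked: null,
  };
  // The real strings require the debug extension; a browser that blocks
  // it returns null here and the page learns nothing about the hardware.
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  if (ext) {
    result.unmasked = {
      vendor: gl.getParameter(ext.UNMASKED_VENDOR_WEBGL),
      renderer: gl.getParameter(ext.UNMASKED_RENDERER_WEBGL),
    };
  }
  return result;
}

// Vendor ballpark from a renderer string. The substrings are assumptions
// about commonly seen strings. Note what is NOT here: a driver version,
// which GL_RENDERER does not carry, so this can never confirm a given
// driver bug is present.
function guessVendor(renderer) {
  if (!renderer) return 'unknown';
  const s = renderer.toLowerCase();
  if (/nvidia|geforce|quadro/.test(s)) return 'nvidia';
  if (/amd|radeon/.test(s)) return 'amd';
  if (/intel/.test(s)) return 'intel';
  if (/apple/.test(s)) return 'apple';
  return 'unknown';
}

// Constructed stand-in for a WebGLRenderingContext (assumption: only the
// two calls above are needed). exposeExtension models the browser policy.
function makeFakeContext(unmaskedVendor, unmaskedRenderer, exposeExtension) {
  const values = {
    [GL_VENDOR]: 'WebKit',
    [GL_RENDERER]: 'WebKit WebGL',
    [UNMASKED_VENDOR_WEBGL]: unmaskedVendor,
    [UNMASKED_RENDERER_WEBGL]: unmaskedRenderer,
  };
  return {
    VENDOR: GL_VENDOR,
    RENDERER: GL_RENDERER,
    getParameter: (pname) => values[pname],
    getExtension: (name) =>
      exposeExtension && name === 'WEBGL_debug_renderer_info'
        ? { UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL }
        : null,
  };
}

// Usage with constructed sample strings: the same hardware with the
// extension blocked and exposed.
const sampleRenderer = 'GeForce GTX 660/PCIe/SSE2';
const blocked = readRendererStrings(
  makeFakeContext('NVIDIA Corporation', sampleRenderer, false));
const exposed = readRendererStrings(
  makeFakeContext('NVIDIA Corporation', sampleRenderer, true));
console.log('blocked:', guessVendor(blocked.renderer));          // unknown
console.log('exposed:', guessVendor(exposed.unmasked.renderer)); // nvidia
```

With the extension blocked the page still gets a working context, only the generic "WebKit WebGL" style string, and the heuristic yields nothing; with it exposed it yields a vendor and no more. Either way an attack that triggers a driver bug through WebGL calls does not depend on this lookup, which is the point Brandon makes above.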