[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] EXT_disjoint_timer_query disabled

EXT_disjoint_timer_query could not only be used to launch the GLitch attack, but act as a high-precision timer to carry out Spectre-like attacks. Reducing the timers' precision was sufficient to mitigate the GLitch attack, and as it turns out, Chrome's implementation of EXT_disjoint_timer_query already returned sufficiently lower-precision results. However, Site Isolation is the long-term defense against Spectre, and it's close to being turned on in Chrome by default. At that point, the EXT_disjoint_timer_query WebGL extension will be turned back on in Chrome.

Other browsers have mitigations in progress for Spectre, and once those land, useful features like EXT_disjoint_timer_query and SharedArrayBuffer will be re-enabled in those browsers, too.


On Fri, May 18, 2018 at 2:53 AM Florian Bösch <pyalot@gmail.com> wrote:
The glitch paper suggests that:

To protect the system against both GPU and CPU sidechannel attacks, currently the only practical solution in the browser is disabling all possible timing sources.

You see the issue with this is that it breaks our ability to measure time. That's a big deal.

This is one of the early marine chronometers. It's the device that enabled precise naval navigation because now not only could you determine latitude (from the stars) but you could also pinpoint longitude fairly precisely.

As the name suggests "real-time" rendering has a time component (that's the time, in "real-time"). You might infer from that fact that "time" is a rather important quantity in "real-time", and you'd be absolutely correct. Breaking time alone wouldn't be a problem if everybody had the same hardware. But that's in fact, surprisingly, not the case. Developers need to write software for hardware whose real-time performance can differ up to a factor 1000x at the extremes, up to 100x between major device categories and up to around 10x within a device category.

Measuring time is therefore rather important if you want to keep it "real". Not just your time, and not just the time of individual samples of hardware you luckily happen to have access to, but time as broadly as possible. We can't do that now can we anymore? No we can't.
With Site Isolation enabled, the amount of data exposed to side-channel attacks is reduced as Chrome renders content for each website in a separate process

 The glitch paper does not suggest that "putting stuff into a process" is a mitigation strategy.

Accordingly, they will remain disabled in Chrome until Site Isolation is on by default

When is site isolation going to be on by default? When do other UAs have this?

at which point they will be re-enabled with sufficiently reduced precision to mitigate GLitch attacks

What does that mean exactly? So imprecise we can't practically use them anymore to measure any performance or what?


This whole episode is so unacceptable at so many levels. You're breaking the tools we need to build applications. Native applications don't have this problem (they just ignore it, any natively installed game can now steal your whatevers). You're breaking the empirical method. Now there's nothing left but blindly stabbing in the dark. Well done you, well done.

On Tue, May 15, 2018 at 2:54 PM, Nicolas Capens <capn@google.com> wrote:
As mentioned here, the WebGL timer extensions "will remain disabled in Chrome until Site Isolation is on by default, at which point they will be re-enabled with sufficiently reduced precision to mitigate GLitch attacks".

On Sun, May 13, 2018 at 1:51 PM Florian Bösch <pyalot@gmail.com> wrote:
20 years on writing hardware accelerated code we have no way to measure the performance of the programs we write, on the machines our users use to run these programs. You've got to be fucking kidding me man.

On Sun, May 13, 2018 at 6:48 PM, Aleksandar Rodic <aleksandar.xyz@gmail.com> wrote:
My guess is the extension has been disabled due to recently discovered "GLitch" rowhammer attack vector.

> EXT_DISJOINT_TIMER_QUERY is an OpenGL extension developed to provide developers with more detailed information about the performance of their applications [46]. This extension, if made available to the system by the GPU driver, is accessible from both WebGL and WebGL2, and provides the _javascript_ runtime with two timing sources: (1) TIME_ELAPSED_EXT and (2) TIMESTAMP_EXT. Such timers allow an attacker to measure the timing of secret operations (e.g., memory accesses) performed either by the CPU or the GPU.

On Sun, May 13, 2018 at 4:32 PM Florian Bösch <pyalot@gmail.com> wrote:
On Fri, Apr 6, 2018 at 12:50 AM, Ken Russell <kbr@google.com> wrote:
We can not currently discuss why the extension has been disabled. We should be able to do so in about a month.

It's now been a month and a week since this statement.