
Re: [Public WebGL] EXT_disjoint_timer_query disabled



On Sat, May 19, 2018 at 12:29 AM Florian Bösch <pyalot@gmail.com> wrote:
On Sat, May 19, 2018 at 3:08 AM, Ken Russell <kbr@google.com> wrote:
EXT_disjoint_timer_query could not only be used to launch the GLitch attack, but act as a high-precision timer to carry out Spectre-like attacks

This isn't only true of a browser. How is this not a problem for all applications?

Spectre allows reading of all memory in a process's address space. In an app it's assumed that you already have access to the full address space, but this is not true in the browser, where usually a single process will contain data from multiple web domains.

Reducing the timers' precision was sufficient to mitigate the GLitch attack, and as it turns out, Chrome's implementation of EXT_disjoint_timer_query already returned sufficiently lower-precision results.

How much precision was reduced?

Chrome has always been returning microsecond resolution for these queries rather than nanosecond resolution. In discussion with the GLitch researchers, it seems likely that this reduction in precision is sufficient – and since no WebGL developer ever complained about low resolution of Chrome's timer queries, there's no need to make any changes to the precision.


However, Site Isolation is the long-term defense against Spectre, and it's close to being turned on in Chrome by default. At that point, the EXT_disjoint_timer_query WebGL extension will be turned back on in Chrome.

This is gonna happen when?

I don't know exactly. Site Isolation is being rolled out now in Chrome. It's a large enough feature that if you watch the Chromium and Chrome blogs you'll definitely see the updates.

Other browsers have mitigations in progress for Spectre, and once those land, useful features like EXT_disjoint_timer_query and SharedArrayBuffer will be re-enabled in those browsers, too.

And this is gonna happen when? 

I don't know, but all browsers have a vested interest in turning SharedArrayBuffer back on, in particular.

-Ken
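The exchange above turns on one point: a coarser timer makes a timing side channel harder to read. The following is an added example, not code from the original thread, from Chrome, or from the GLitch researchers. It does not touch WebGL at all; it simulates an attacker timing a single memory access with a clock that is quantised to a chosen resolution. All latencies (an 80 ns cache hit, a 250 ns miss, up to 40 ns of noise) and the PRNG seed are constructed values chosen for illustration, not measurements.

```javascript
// Added example: how quantising a timer to a coarser resolution blunts a
// cache-timing distinguisher. Everything below is a constructed simulation;
// no WebGL, no real memory accesses, no measured latencies.

// Small deterministic PRNG (mulberry32) so the run is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Quantise a nanosecond timestamp to a timer with the given resolution (ns).
// resolutionNs = 1 models a nanosecond timer, 1000 a microsecond timer.
function coarsen(ns, resolutionNs) {
  return Math.floor(ns / resolutionNs) * resolutionNs;
}

// Constructed latencies (illustrative, not measured on any hardware).
const HIT_NS = 80;
const MISS_NS = 250;
const NOISE_NS = 40;

// One simulated memory access: base latency plus uniform noise in [0, NOISE_NS).
function simulateAccess(isMiss, rand) {
  const base = isMiss ? MISS_NS : HIT_NS;
  return base + Math.floor(rand() * NOISE_NS);
}

// The attacker reads the clock before and after the access. Both reads go
// through coarsen(); the clock starts at an arbitrary offset so the access
// may or may not straddle a tick boundary.
function measure(isMiss, resolutionNs, rand) {
  const start = Math.floor(rand() * 1e6);
  const end = start + simulateAccess(isMiss, rand);
  return coarsen(end, resolutionNs) - coarsen(start, resolutionNs);
}

// Threshold classifier: anything slower than the hit/miss midpoint is a "miss".
function classify(elapsedNs) {
  return elapsedNs > (HIT_NS + MISS_NS) / 2;
}

// Fraction of trials classified correctly at a given timer resolution.
// Trials alternate hit/miss so the base rate is exactly 50%.
function distinguisherAccuracy(resolutionNs, trials = 2000, seed = 1) {
  const rand = mulberry32(seed);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const isMiss = i % 2 === 1;
    if (classify(measure(isMiss, resolutionNs, rand)) === isMiss) correct++;
  }
  return correct / trials;
}

// With a 1 ns timer the ~170 ns hit/miss gap is fully separable (accuracy 1.0).
// With a 1 µs timer almost every access reads as 0 or 1000 ns; the only signal
// left is how often the access happens to cross a tick, and accuracy drops
// toward chance.
console.log('1 ns resolution accuracy:', distinguisherAccuracy(1));
console.log('1 us resolution accuracy:', distinguisherAccuracy(1000));
```

Two things worth noticing when running it. First, the microsecond clock does not push accuracy all the way to 50% in this toy model: the probability that an access straddles a tick still depends on its duration, so an attacker willing to take many samples keeps a statistical signal. That is why the thread treats precision reduction as a mitigation and Site Isolation, which takes cross-origin data out of the attacker's address space altogether, as the long-term defense. Second, real browsers pair coarsening with jitter; the example omits that to keep the quantisation effect visible on its own.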