Researcher: WebGL poses security threat
The technology for 3D graphics could let malicious programmers get access to some private information or simply render a computer unusable.
- Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
A security firm says it's found a vulnerability in the WebGL technology for building accelerated 3D graphics into the Web, a problem that could enable attacks through code executed on a computer's graphics chip.
Attacks could take two basic forms, according to a blog post by Context Information Security. In one, a computer could be rendered useless by visiting a Web page that would execute WebGL software that simply brings the machine to its knees.
In the other, "dangers with WebGL...put users' data, privacy, and security at risk," Context said--specifically, graphics-related information. It posted a proof of concept it says demonstrates the problem.
WebGL, enabled in newer versions of Chrome and Firefox, lets a browser show 3D graphics good for applications such as games or online maps, and it's a high-profile example of efforts to endow Web applications with abilities formerly reserved for native software. It's also a prominent member of the suite of technologies Google likely will promote at its Google I/O conference this week, where it traditionally emphasizes the advancement of Web-application programming.
The Khronos Group, which oversees the WebGL specification, said in a statement that it's considering adopting one of Context's recommendations, and that makers of graphics processing units (GPUs) are adding support for a mechanism that would help deal with the problem, too, if browsers limit WebGL to graphics systems that include that mechanism:
The Khronos group has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content, and is continuing to rapidly iterate on security-related functionality.
GL_ARB_robustness has already been deployed by some GPU vendors and Khronos expects it to be deployed rapidly by others. Browsers can check for the presence of this extension before enabling WebGL content. This is likely to become the deployment mode for WebGL in the near future.
The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability.
But inevitably, new problems will emerge as the power of the graphics chip becomes available to programmers.
"WebGL is already influential in raising the awareness of GPU vendors to security issues and will play a significant role in helping GPUs become a first class computing platform alongside CPUs," Khronos said
Google said it helps address such issues by blacklisting some graphics chips and by confining code to a protective "sandbox" of memory:
Many parts of the WebGL stack, including the GPU process, run in separate processes and are sandboxed in Chrome to help prevent various kinds of attacks. To help ward off lower level attacks, we work with hardware, OS, and driver vendors to proactively disable unsafe system configurations and help them improve the robustness of their stack.
Mozilla said it's in contact with Context and is looking into the matter.
Context said the problems it's found lie with the WebGL specification, not a particular browser's implementation.
"Based on this limited research Context does not believe WebGL is really ready for mass usage, therefore Context recommends that users and corporate IT managers consider disabling WebGL in their Web browsers," Context said.
Updated 6:26 a.m. PT May 10 with a detailed response from Google and the Khronos Group.