Khronos respond to WebGL security report
The Khronos Group, who maintain OpenGL and WebGL standards, have responded to claims of security issues in WebGL. It affirms that security is a "vitally important consideration for any web standard" and notes that the WebGL working group has been working with GPU vendors "from day one" on WebGL security.
On the claim that WebGL makes it easier to perform denial of service and memory access attacks, Khronos says that an extension to OpenGL, GL_ARB_robustness, is specifically designed to prevent those attacks. Approved in July 2010, GL_ARB_robustness was contributed to by developers from NVIDIA, Google, ARM, Apple and Mozilla. The GL_ARB_robustness extension has already been deployed by some GPU vendors and Khronos says it expects it to be "deployed rapidly by others". It suggests that browsers should check for the presence of the extension before enabling WebGL and that this would become the standard way of deploying WebGL "in the near future".
On the matter of cross domain images in WebGL scenes, Khronos notes that the functionality "provides great utility to developers". That said, the WebGL working group is considering requiring opt-in to Cross Origin Resource Sharing (CORS), or some other mechanism, to prevent the abuse of the capability.
Context Information Security's Michael Jordon told The H that the use of GL_ARB_robustness will "push more responsibility onto graphic card manufacturers to provide stability and security" but says he is concerned that web security issues are being handed on to graphic driver makers. Although Jordon believes that the fundamental problem is not fully mitigated by the use of lockup recovery because potentially malicious code will have already been run – he does believe that the use of GL_ARB_robustness will reduce the impact of the denial of service issue.
On the cross domain image problem, Jordon said it would prevent the issue occurring and pointed out that the original report on the issue did note that CORS would prevent the issue from occurring.
Meanwhile, the US-CERT has advised users to review the original report and disable WebGL to mitigate the risks.
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
