Webgl a new dimension for browser exploitation
This presentation is the property of its rightful owner.
Sponsored Links
1 / 11

WebGL - A New Dimension for Browser Exploitation PowerPoint PPT Presentation


  • 58 Views
  • Uploaded on
  • Presentation posted in: General

WebGL - A New Dimension for Browser Exploitation. 報告 者:劉旭哲. History of the Web : Scripting Plugin and ActiveX HTML5 functionality More and more complexity has been provided in the browser by default . WebGL. What is WebGL ? a new web standard for browsers

Download Presentation

WebGL - A New Dimension for Browser Exploitation

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Webgl a new dimension for browser exploitation

WebGL - A New Dimension for Browser Exploitation

報告者:劉旭哲


Webgl a new dimension for browser exploitation

  • History of the Web:

    • Scripting

    • Plugin and ActiveX

    • HTML5 functionality

  • More and more complexity has been provided in the browser by default.

    • WebGL


Webgl a new dimension for browser exploitation

  • What is WebGL?

    • a new web standard for browsers

    • bring 3D graphics to any page on the internet.

    • default in Firefox 4 and Google Chrome

    • can be turned on in the latest builds of Safari


Webgl a new dimension for browser exploitation

1.Share access to the GPU

between individual programs

2.Traditional environment only

one application (a windowing

manager) need direct access to

the GPU at any one time

3. 3D scenario the requirement

to directly access


Webgl a new dimension for browser exploitation

  • Traditional browser content would not normally have direct access to the hardware in any form.

  • WebGLprovides access to the graphics hardware .

    • Shadercode are compiled, uploaded then executed on the graphics hardware.

    • the fact that the current hardware and graphics pipeline implementations are not designed to maintain security boundaries.


Webgl a new dimension for browser exploitation

  • Once a display list has been placed on the GPU by the scheduler it can be difficult to stop it.

  • The difficultly in verifying all content and maintain security boundaries also have potential impact on the integrity of the system and user data.

    • Up to now:no an un-trusted use case


Webgl a new dimension for browser exploitation

  • For users:

    • First, Performance

    • Second, Security

    • Therefore, A malicious actor easily convince someone to install their bad code.

  • For manufacturers:

    • Against Microsoft’s DirectX.

  • Security issues:

    • driver black list


Webgl a new dimension for browser exploitation

  • Denial of service is one of the most well known security issues facing WebGL.

    • API access graphics hardware to create shader programs or a set of complex 3D geometry

    • Cause the hardware to spend a significant proportion of its time rendering.

    • Windows 7 and Vista, if the GPU locks up for around 2 seconds the OS will force it to be reset.

    • https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/lots-of-polys-example.html


Webgl a new dimension for browser exploitation

  • Cross-Domain Image Theft:

    • XMLHttpRequestobject to pull content from outside your domainis generally not permitted.

    • HTML5 canvas element has a origin-cleanflag

      • WebGL need “False”

    • The WebGL API is built on top of the ‘Canvas’ element and so extends the concept of the flag to also encompass the use of cross-domain textures


Conclusion

Conclusion

  • Conclusion:

    • 多數製造商支持WebGL

      • 將大規模使用

      • 但是,WebGL遭受基礎建設安全性的質疑

        • 僅用黑名單是否足夠?

      • 現階段只能建議用戶避免開啟或禁用WebGL

  • 最新消息:

    • Sony and Anonymous


  • Login