WebGL - A New Dimension for Browser Exploitation

Presenter: 劉旭哲



  • History of the Web:

    • Scripting

    • Plugin and ActiveX

    • HTML5 functionality

  • More and more complexity has been provided in the browser by default.

    • WebGL

  • What is WebGL?

    • a new web standard for browsers

    • brings 3D graphics to any page on the internet

    • enabled by default in Firefox 4 and Google Chrome

    • can be turned on in the latest builds of Safari

1. Share access to the GPU between individual programs

2. Traditional environment: only one application (a windowing manager) needs direct access to the GPU at any one time

3. 3D scenario: the requirement to directly access

  • Traditional browser content would not normally have direct access to the hardware in any form.

  • WebGL provides access to the graphics hardware.

    • Shader code is compiled, uploaded, then executed on the graphics hardware.

    • Current hardware and graphics pipeline implementations are not designed to maintain security boundaries.

  • Once a display list has been placed on the GPU by the scheduler, it can be difficult to stop it.

  • The difficulty in verifying all content and maintaining security boundaries also has a potential impact on the integrity of the system and user data.

    • Up to now: no untrusted use case

  • For users:

    • First, Performance

    • Second, Security

    • Therefore, a malicious actor can easily convince someone to install their bad code.

  • For manufacturers:

    • Against Microsoft’s DirectX.

  • Security issues:

    • driver black list

  • Denial of service is one of the most well known security issues facing WebGL.

    • The API gives access to the graphics hardware to create shader programs or a set of complex 3D geometry.

    • This causes the hardware to spend a significant proportion of its time rendering.

    • On Windows 7 and Vista, if the GPU locks up for around 2 seconds, the OS will force it to be reset.

    • https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/lots-of-polys-example.html

  • Cross-Domain Image Theft:

    • Using the XMLHttpRequest object to pull content from outside your domain is generally not permitted.

    • The HTML5 canvas element has an origin-clean flag

      • WebGL needs “False”

    • The WebGL API is built on top of the ‘Canvas’ element and so extends the concept of the flag to also encompass the use of cross-domain textures
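The origin-clean flag described above, modelled as an added example (not code from the presentation or from any browser): a canvas starts clean, a cross-domain image or texture clears the flag, and readback is refused afterwards. All class, method and option names are hypothetical; the `rejectCrossOriginTextures` mode reflects later WebGL specification revisions, which refuse such uploads outright instead of only clearing the flag.

```javascript
// Added example: simplified model of origin-clean tracking (hypothetical names,
// not browser APIs). Images are constructed sample objects.
class SecurityError extends Error {}

class ModelCanvas {
  constructor(pageOrigin, { rejectCrossOriginTextures = false } = {}) {
    this.pageOrigin = pageOrigin;
    this.originClean = true; // every canvas starts origin-clean
    this.rejectCrossOriginTextures = rejectCrossOriginTextures;
  }

  // A source is clean if it is a clean canvas, or an image that is
  // same-origin or was fetched with CORS approval.
  isClean(source) {
    if (source instanceof ModelCanvas) return source.originClean;
    return source.origin === this.pageOrigin || source.corsApproved === true;
  }

  // 2D drawImage: a non-clean source clears the flag; it never resets.
  drawImage(source) {
    if (!this.isClean(source)) this.originClean = false;
  }

  // WebGL texture upload: either taint the canvas (flag = false) or,
  // in the stricter mode, refuse the upload.
  texImage2D(source) {
    if (this.isClean(source)) return;
    if (this.rejectCrossOriginTextures) {
      throw new SecurityError("cross-origin texture rejected");
    }
    this.originClean = false;
  }

  // Stands in for toDataURL / getImageData / readPixels.
  readBack() {
    if (!this.originClean) throw new SecurityError("canvas not origin-clean");
    return "pixels";
  }
}

function canReadBack(canvas) {
  try { canvas.readBack(); return true; }
  catch (e) { if (e instanceof SecurityError) return false; throw e; }
}

// Constructed sample images.
const sameOrigin = { origin: "https://app.example", corsApproved: false };
const foreign = { origin: "https://other.example", corsApproved: false };
const foreignCors = { origin: "https://other.example", corsApproved: true };
```

Note that the flag is sticky and propagates: drawing a tainted canvas onto a second canvas taints that one too, so readback checks cannot be bypassed by copying.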


  • Conclusion:

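    • Most manufacturers support WebGL

      • It will be used on a large scale

      • However, WebGL faces doubts about the security of its underlying infrastructure

        • Is a blacklist alone sufficient?

      • At this stage, the only recommendation is for users to avoid enabling WebGL, or to disable it

  • Latest news: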

    • Sony and Anonymous
