1 / 11

WebGL - A New Dimension for Browser Exploitation

WebGL - A New Dimension for Browser Exploitation. 報告 者:劉旭哲. History of the Web : Scripting Plugin and ActiveX HTML5 functionality More and more complexity has been provided in the browser by default . WebGL. What is WebGL ? a new web standard for browsers

nolcha
Download Presentation

WebGL - A New Dimension for Browser Exploitation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WebGL - A New Dimension for Browser Exploitation 報告者:劉旭哲

  2. History of the Web: • Scripting • Plugin and ActiveX • HTML5 functionality • More and more complexity has been provided in the browser by default. • WebGL

  3. What is WebGL? • a new web standard for browsers • bring 3D graphics to any page on the internet. • default in Firefox 4 and Google Chrome • can be turned on in the latest builds of Safari

  4. 1.Share access to the GPU between individual programs 2.Traditional environment only one application (a windowing manager) need direct access to the GPU at any one time 3. 3D scenario the requirement to directly access

  5. Traditional browser content would not normally have direct access to the hardware in any form. • WebGLprovides access to the graphics hardware . • Shadercode are compiled, uploaded then executed on the graphics hardware. • the fact that the current hardware and graphics pipeline implementations are not designed to maintain security boundaries.

  6. Once a display list has been placed on the GPU by the scheduler it can be difficult to stop it. • The difficultly in verifying all content and maintain security boundaries also have potential impact on the integrity of the system and user data. • Up to now:no an un-trusted use case

  7. For users: • First, Performance • Second, Security • Therefore, A malicious actor easily convince someone to install their bad code. • For manufacturers: • Against Microsoft’s DirectX. • Security issues: • driver black list

  8. Denial of service is one of the most well known security issues facing WebGL. • API access graphics hardware to create shader programs or a set of complex 3D geometry • Cause the hardware to spend a significant proportion of its time rendering. • Windows 7 and Vista, if the GPU locks up for around 2 seconds the OS will force it to be reset. • https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/lots-of-polys-example.html

  9. Cross-Domain Image Theft: • XMLHttpRequestobject to pull content from outside your domainis generally not permitted. • HTML5 canvas element has a origin-cleanflag • WebGL need “False” • The WebGL API is built on top of the ‘Canvas’ element and so extends the concept of the flag to also encompass the use of cross-domain textures

  10. Conclusion • Conclusion: • 多數製造商支持WebGL • 將大規模使用 • 但是,WebGL遭受基礎建設安全性的質疑 • 僅用黑名單是否足夠? • 現階段只能建議用戶避免開啟或禁用WebGL • 最新消息: • Sony and Anonymous

More Related