Re: Timing attacks against CSS Shaders

From: Ralph Thomas <ralpht@gmail.com>
Date: Sun, 4 Dec 2011 10:51:34 -0800
Message-ID: <CAAYQYDTu1CfwOkwr16tS0cW0_KusF_90c1nyJp6dCOU4Wd0VSw@mail.gmail.com>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: Rik Cabanier <cabanier@gmail.com>, Adam Barth <w3c@adambarth.com>, public-fx@w3.org, Dean Jackson <dino@apple.com>, Vincent Hardy <vhardy@adobe.com>, Thomas Roessler <tlr@w3.org>

Would it be possible to disable CSS shaders on a page which uses them
and takes too long to composite? The goal of CSS shaders is visually
rich _interactive_ experiences, so you could probably make the
threshold low enough (100ms?) that timing attacks would be much harder
-- especially if rAF is rounded to the vblank interval... Depending on
where rendering takes place, the attacker might still have one full
iteration of the slow shader to measure though.

You might also want this feature so that folks using low-end GPUs
don't get non-responsive pages where very complex shaders are employed
-- better to have a plain responsive page than a beautiful but
unresponsive one.

Ralph

On Sun, Dec 4, 2011 at 10:16 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Sun, Dec 4, 2011 at 10:04 AM, Rik Cabanier <cabanier@gmail.com> wrote:
>> Hi Adam,
>>
>> I don't know much about timing attacks so I have a question.
>> Since the browser directs the GPU to run the shaders and composite their
>> output, the end result is invisible to the attacker since there is no
>> mechanism to get this bitmap data back.
>> The shaders also have no means to communicate through script since they can
>> only manipulate pixels.
>>
>> In this scenario, how would information ever leak?
>> WebGL is different since you have access to the entire OpenGL stack which
>> allows you to do more complex operations such as reading back data.
>
> The information is read back through the "timing channel", thus the
> name.  This is done by making an operation take more or less time
> based on the information you want to extract, so you can read data out
> just by watching how long an operation took to complete, even if the
> language doesn't offer any way to get the data out normally.
> http://en.wikipedia.org/wiki/Timing_attack
>
> ~TJ
>
Received on Sunday, 4 December 2011 18:52:03 GMT
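
A small model of the kill switch proposed in this message, added here as an illustration and not part of the original thread: shaders are disabled for the page once a frame exceeds the 100 ms budget, and frame times are reported rounded up to the vblank interval. The 60 Hz refresh rate, the 2 ms unshaded cost, the function names and the sample costs are assumptions constructed for the example.

```javascript
// Added illustration, not code from the thread. Only the 100 ms budget and
// the idea of vblank rounding come from the message; the rest is assumed.
const VBLANK_MS = 1000 / 60; // assumed 60 Hz display
const BUDGET_MS = 100;       // threshold floated in the message
const PLAIN_COST_MS = 2;     // assumed cost of a frame rendered without shaders

// Constructed per-frame shader costs (ms) whose size depends on page content.
const SAMPLE_COSTS_MS = [3, 140, 140, 5, 140];

// Frame duration as a vblank-aligned rAF would expose it to page script.
function reportedFrameTime(actualMs) {
  return Math.ceil(actualMs / VBLANK_MS) * VBLANK_MS;
}

// Compositor for one page: runs the shader until a frame exceeds the budget,
// then renders unshaded for the rest of the page's lifetime.
function makeCompositor(budgetMs = BUDGET_MS) {
  let shadersEnabled = true;
  return {
    get shadersEnabled() { return shadersEnabled; },
    frame(shaderCostMs) {
      const actual = shadersEnabled ? shaderCostMs : PLAIN_COST_MS;
      if (shadersEnabled && actual > budgetMs) shadersEnabled = false;
      return reportedFrameTime(actual);
    },
  };
}

// Number of frames whose reported time differs from the unshaded baseline,
// i.e. frames that reveal anything about content-dependent shader cost.
function informativeFrames(costsMs, budgetMs = BUDGET_MS) {
  const compositor = makeCompositor(budgetMs);
  const baseline = reportedFrameTime(PLAIN_COST_MS);
  return costsMs.filter((cost) => compositor.frame(cost) !== baseline).length;
}

console.log("no budget:", informativeFrames(SAMPLE_COSTS_MS, Infinity));
console.log("100 ms budget:", informativeFrames(SAMPLE_COSTS_MS));
```

With the budget in place the model still exposes the one slow frame that trips the threshold, which is the residual measurement the message points out.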