W3C home > Mailing lists > Public > public-fx@w3.org > October to December 2011

Re: Documenting Timing Attacks in Rendering Engines

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 10 Dec 2011 00:37:56 -0800
Message-ID: <CAJE5ia_XY=qOavNra0F0+-xfsDhix=jbJyxB6NiJ9RL6y-Fp3Q@mail.gmail.com>
To: Vincent Hardy <vhardy@adobe.com>
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Charles Pritchard <chuck@jumis.com>, "public-fx@w3.org" <public-fx@w3.org>
On Fri, Dec 9, 2011 at 4:04 PM, Vincent Hardy <vhardy@adobe.com> wrote:
>
> On Dec 9, 2011, at 3:57 PM, Tab Atkins Jr. wrote:
>
>> On Fri, Dec 9, 2011 at 3:44 PM, Vincent Hardy <vhardy@adobe.com> wrote:
>>> For the record, here are the points we presented the FX group during the
>>> last face to face:
>>>
>>> - Timing attackes rely on inferring rendered content from the time it takes
>>> to render it
>>> - Timing attacks were demonstrated attack in WebGL
>>> - There are differences between CSS shaders and WebGL (different timing
>>> mechanisms)
>>> - Possible solution:
>>>      - CORS
>>>      - Mandate that UAs do not give out information on rendered content from
>>> timing (obfuscate the requestAnimationFrame method)
>>> ========
>>>
>>> We decided to explore CORS at this time,
>>
>> This doesn't make sense.  cross-origin content is *one* information
>> leak from shaders.  There are many more that Adam Barth has pointed
>> out, such as :visited status, the user's spellchecking dictionary, the
>> user's filesystem structure through the display of <input type=file>
>> in some browsers, etc.  These latter have nothing to do with CORS.
>
> Tab,
>
> What my mail says is relating what the discussion at the F2F was and what the outcome was. It is not saying that this is the answer to everything. It does not say that CORS is the answer to the issues you point out.
>
> I think it makes sense to share that type of information so that everybody knows what was already discussed and what may not have been discussed.

Thanks for sharing the information from the F2F.  Unfortunately, at
this time, I'm not aware of any solutions to this problem.  CORS is
insufficient and mandating "that UAs do not give out information on
rendered content from timing", while a laudable goal, isn't possible
to implement.

Adam
Received on Saturday, 10 December 2011 08:39:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 10 December 2011 08:39:08 GMT