tainting in CSS custom filters: texture indirection as a timing attack?

From: Stephen White <senorblanco@chromium.org>
Date: Tue, 19 Jun 2012 14:20:02 -0400
Message-ID: <CAPeKFThkPUKPKyVKfXrdfrnVXqVaHbc4a9CvghgBtNTaiXXnjA@mail.gmail.com>
To: public-fx@w3.org

Hi FX-gurus,

As a followup to Method H "Tainting shader code branches" of the CSS
Shaders Security document (
http://www.w3.org/Graphics/fx/wiki/CSS_Shaders_Security):

I don't know if this has been discussed previously, but another possible
timing attack would be to use texture indirection:  using a source texture
as a texture coordinate offset for another (large) texture might reveal
performance differences:  "nearby" texel fetches in the second texture
would be in texture cache, while "far" texels would be slower to retrieve.
I have not tested a proof-of-concept of this attack, but it should be
possible to mitigate it simply by disallowing texture indirection via
values retrieved from tainted textures.  This is really just a variant of
the "No value dependent on the symbol u_texture may be an operand in an
operation whose execution time can depend on the value of the operands"
restriction:  texture2D() should probably be one of those operations.

Something like this:

vec4 color1 = texture2D(u_texture, v_texCoord);  // color1 is tainted
// Error: cannot call texture2D() on expression using a tainted value
vec4 color2 = texture2D(u_bigImageTexture, color1.rg * vec2(500, 500));

Stephen
Received on Tuesday, 19 June 2012 18:20:43 GMT
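
The restriction proposed in the message above can be sketched as a small static check. This is an added example, not code from the original post or from any browser: `check()`, `texture_calls()` and `TAINTED_SAMPLERS` are hypothetical names, the third shader line is constructed, and the check assumes straight-line assignments with no control flow.

```python
import re

TAINTED_SAMPLERS = {"u_texture"}  # assumption: sampler that holds page content
DECL = re.compile(r"^\s*(?:\w+\s+)?(\w+)\s*=\s*(.+?);\s*(?://.*)?$")
IDENT = re.compile(r"[A-Za-z_]\w*")


def texture_calls(expr):
    """Yield (sampler, coord_expr) for each texture2D(...) call in expr."""
    for m in re.finditer(r"\btexture2D\s*\(", expr):
        depth, start, args = 1, m.end(), []
        for i, c in enumerate(expr[m.end():], m.end()):
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:  # closing paren of this texture2D call
                    args.append(expr[start:i])
                    break
            elif c == "," and depth == 1:  # top-level argument separator
                args.append(expr[start:i])
                start = i + 1
        if len(args) >= 2:
            yield args[0].strip(), args[1].strip()


def check(source):
    """Return (errors, tainted_names) for straight-line GLSL assignments."""
    tainted, errors = set(TAINTED_SAMPLERS), []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DECL.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        for _sampler, coord in texture_calls(rhs):
            if set(IDENT.findall(coord)) & tainted:
                errors.append((lineno, f"texture2D() coordinate '{coord}' uses a tainted value"))
        # Taint propagates through any use of a tainted name, sampler included.
        if set(IDENT.findall(rhs)) & tainted:
            tainted.add(name)
    return errors, tainted


# Constructed input: the two lines from the message plus one untainted lookup.
SAMPLE = """\
vec4 color1 = texture2D(u_texture, v_texCoord);
vec4 color2 = texture2D(u_bigImageTexture, color1.rg * vec2(500, 500));
vec4 color3 = texture2D(u_bigImageTexture, v_texCoord);
"""
```

`check(SAMPLE)` rejects only the second line; the first is allowed because its coordinate is untainted even though its result becomes tainted.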