W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: [webappsec] ISSUE-53: UISecurity input-protection heuristic for composited rendering

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 14 Oct 2013 15:38:37 -0700
Message-ID: <CAEeYn8gR4+P0tj+MxBiAJxVxmSatpbvXE0J8T1Ugn+8az7H1FQ@mail.gmail.com>
To: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
So, there is no way to get the final rendering, even for the compositor
thread managing the outermost document?  :/   You can't read the pixels
back from the GPU when you know you have a hit to a protected region?

Also:  thoughts on whether we should keep the clipping rectangle around the
hit, or just allow element selectors only?


On Thu, Oct 10, 2013 at 6:54 PM, David Lin-Shung Huang <
linshung.huang@sv.cmu.edu> wrote:

> Thanks, Brad! For what it's worth, here's my attempt to clarify which
> parts of the original description in Section 6.2 are affected by
> compositing:
>
> - For "timing attacks countermeasure" (the "Display Change List"),
> compositing should have no impact. Essentially, we're keeping track of the
> "damage rects" that already exists in the main thread of WebKit (presumably
> the browser we're concerned of here).
>
> - For "cursor sanity check", compositing has no impact. (Cursors are
> independent of screenshots.)
>
> - For "obstruction check", there are two distinct cases:
>   (1) When the "user image" is taken using OS-native APIs, compositing
> should have no impact. (OS can grab the final rendering.)
>   (2) When the "user image" is taken by the browser, obstruction checks
> will fail (as Adam pointed out) since each browsing context has no
> knowledge of the final rendering. [FIXME!]
>
> As a side benefit, I suspect that compositing might actually make
> obstruction checks faster, because the "control image" could be available
> as a cached layer (or tile), thus eliminating the need to render an
> off-screen HTML5 canvas element.
>
>
> Thanks,
> David
>
>
> On Thu, Oct 10, 2013 at 12:48 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> <hat = editor>
>>
>> One of the open issues on UISecurity raised by Adam Barth is that the
>> input-protection heuristic is not well-suited to browsers that use
>> compositing to accelerate page rendering with GPUs.  While this heuristic
>> is non-normative, Adam suggested that we should supply a heuristic for this
>> model.
>>
>> I've attempted to grok these browser internals this week, at least for
>> Blink and WebKit, and below is a first attempt at such a heuristic.  I
>> would definitely appreciate review from anyone who feels qualified, or is
>> willing to forward it to someone who is.  I'm confident that despite my
>> best efforts I have somwhere confused what happens in layout vs. draw vs.
>> paint vs. composite vs. render.
>>
>> thanks,
>>
>> Brad
>>
>> *Alternate Input Protection Heuristic for Multi-Layer Compositing*
>>
>> Some user agents, in order to improve performance by taking advantage of
>> specialized graphics hardware, use a strategy for hit testing and
>> delivering UI events to hardware-composited layers that the basic heuristic
>> does not apply well to.  This alternative *non-normative* heuristic
>> describes one possible implementation strategy for the input-protection
>> directive in this architecture.
>>
>> GPU optimized user agents typically separate the browser UI process from
>> the process that handles building and displaying the visual representation
>> of the resource.  (In this context the term "process" refers to any
>> encapsulated subunit of user-agent functionality that communicates to other
>> similar subunits through message passing, without implying any particular
>> implementation details such as locality to a thread, OS-level "processe" or
>> the like.)  It is typical for the browser UI process to receive user events
>> such as mouse clicks and then marshal these to the render process, where
>> the event is hit tested through the page's DOM, checking for event handlers
>> along the way.  As an optimization the render process may communicate hit
>> test rectangles back to the UI process in advance so that the UI process
>> can, e.g. immediately respond to a Touch event by scrolling if the event
>> target falls within coordinates for which there are no other registered
>> handlers in the DOM.   A similar strategy can be used to create an
>> implementation of the input protection heuristic in a manner that is
>> consistent with this multi-process, compositing architecture.
>>
>> If a resource is being loaded in a frame, iframe, object, embed or applet
>> context and specifies an input-protection directive, apply the following
>> steps:
>>
>> 1.       *Tracking hit test rects: * Hook the creation of event handlers
>> for protected events and elements and add the DOM nodes with any such
>> handler to a collection. After a layout occurs, or when an event handler is
>> added or removed,iterate across all DOM nodes to generate a vector of
>> rectangles where such events need to be marshaled to.  If the
>> input-protection applies to the DOMWindow or Document node, avoid this
>> expensive process of walking the renderers and simply use the view's
>> bounds, as they're guaranteed to be inclusive.
>>
>> 2.       *(Optionally) Put the protected areas into a backing store /
>> composited layer: *To avoid the expense of having to re-layout and
>> re-paint protected regions during the *obstruction check*, it may make
>> sense to designate and place protected regions into their own backing store
>> or composited layer which can serve as a cached *control image*. Such a
>> backing store should paint the entire content of the protected region for
>> this purpose, even if it is clipped by the viewport.
>>
>> 3.       *Hit testing in the compositor: *When an event is received,
>> check whether it is on any layer and then walk the layer hierarchy checking
>> the protected regions on every layer.  If there is a hit, continue the
>> heuristic.  Otherwise, exit this heuristic and event processing proceeds as
>> normal.
>>
>> 4.       *Cursor sanity check:* By querying computed-style with the
>> ":hover" pseudo-class on the element (if the target is plugin content) or
>> on the host frame element and its ancestors (if the target is a nested
>> document), check whether the cursor has been hidden or changed to a
>> possibly attacker-provided bitmap: if it has, proceed to *Violation
>> management*. This provides protection against "Phantom cursor" attacks,
>> also known as "Cursorjacking".
>>
>> 5.       *Timing check: [ I need some help here ] *Conceptually, we
>> would like to track whenever a protected region must be *redrawn
>> (--show-property-changed-rects,I think, is the Blink concept) *AND when
>> the cause of that redraw originated from a different document context.  We
>> want to trigger the heuristic if an enclosing frame overlapped the
>> protected region within the specified time interval, but we don't want to
>> trigger if redraws originate from within the same document context as the
>> protected area. (e.g. if the button itself has a mouseover animation)  I'm
>> really not sure how this part works or how to describe it in generic terms
>> here.  Can we propagate the source and timing of redraw triggers to the
>> protected hit test rects or our collection of DOM nodes?
>>
>> 6.       *Obstruction check: *Compare two sets of pixels: the *control
>> image *is the protected area as if it was rendered alone, unobstructed
>> by pixels originating from any other document context.  (If step 2
>> optimizations were performed, this should be readily available in its own
>> composited layer.)  The *user image *represents the same area as the *control
>> image* in the outermost document's coordinate system and contains the
>> final set of common pixels for the fully rendered page. These images are
>> compared, and if the differences are below the *tolerance* threshold
>> associated with the input-protection directive, proceed to deliver the
>> event normally, otherwise proceed to *Violation management*. If portions
>> of the *control image *are clipped by the root view port in the
>> outermost document's coordinate system, all such pixels must be considered
>> not to match.  [*I don't know enough to say whether the comparison can
>> be done on the GPU without marshaling the pixels of the control image
>> backing store back to software, or if this is even worth mentioning here…]
>> *
>>
>>
>>
>> Notes: applying protections to the entire document (if it itself would
>> consist of multiple composited layers) or using the input-protection-clip
>> property may make many of these optimizations impossible, and may imposes
>> performance penalties on the page, perhaps forcing it to fallback to
>> all-software rendering.  We should have text warning authors of this, or
>> should we simply remove those options from the spec and require
>> input-protection-selectors only, to better match the internal strategies of
>> modern browser rendering?
>>
>>
>>
>
>
Received on Monday, 14 October 2013 22:39:05 UTC

This archive was generated by hypermail 2.3.1 : Monday, 14 October 2013 22:39:06 UTC