- From: Stephen White <senorblanco@chromium.org>
- Date: Tue, 19 Jun 2012 14:20:02 -0400
- To: public-fx@w3.org
- Message-ID: <CAPeKFThkPUKPKyVKfXrdfrnVXqVaHbc4a9CvghgBtNTaiXXnjA@mail.gmail.com>
Hi FX-gurus,

As a followup to Method H "Tainting shader code branches" of the CSS Shaders Security document (http://www.w3.org/Graphics/fx/wiki/CSS_Shaders_Security):

I don't know if this has been discussed previously, but another possible timing attack would be to use texture indirection: using a source texture as a texture coordinate offset for another (large) texture might reveal performance differences: "nearby" texel fetches in the second texture would be in texture cache, while "far" texels would be slower to retrieve.

I have not tested a proof-of-concept of this attack, but it should be possible to mitigate it simply by disallowing texture indirection via values retrieved from tainted textures. This is really just a variant of the "No value dependent on the symbol u_texture may be an operand in an operation whose execution time can depend on the value of the operands" restriction: texture2D() should probably be one of those operations. Something like this:

    vec4 color1 = texture2D(u_texture, v_texCoord); // color1 is tainted
    vec4 color2 = texture2D(u_bigImageTexture, color1.rg * vec2(500, 500)); // Error: cannot call texture2D() on expression using a tainted value

Stephen
Received on Tuesday, 19 June 2012 18:20:43 UTC
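As an added illustration of the check proposed above (this is example code written for this page, not part of the email, the CSS Shaders Security wiki, or any browser's shader validator), the following Python script performs a minimal taint analysis over the two lines from the message. It assumes a tiny GLSL subset of `type name = expr;` statements, treats `u_texture` as the only taint source, lets a tainted variable propagate taint to anything assigned from it (including through swizzles such as `color1.rg`), and exempts the sampler argument of `texture2D()` so that the initial read from `u_texture` itself is allowed while any tainted value used as a coordinate is reported. The `SAMPLE_SHADER` string is constructed for the example and adds two untainted lines for contrast.

```python
import re

# Constructed sample: the two lines from the email plus two untainted lines for contrast.
SAMPLE_SHADER = """\
vec4 color1 = texture2D(u_texture, v_texCoord);
vec4 color2 = texture2D(u_bigImageTexture, color1.rg * vec2(500, 500));
vec2 offset = v_texCoord * 2.0;
vec4 color3 = texture2D(u_bigImageTexture, offset);
"""

TAINT_SOURCE = "u_texture"  # the symbol named by the wiki's restriction (assumed sole source here)
IDENT = re.compile(r"[A-Za-z_]\w*")
# Matches "type name = expr;" or "name = expr;" (hypothetical GLSL subset for this example).
DECL = re.compile(r"^\s*(?:\w+\s+)?([A-Za-z_]\w*)\s*=\s*(.*);\s*$")


def identifiers(expr):
    """All identifiers in an expression; 'color1.rg' contributes 'color1' (and the harmless 'rg')."""
    return set(IDENT.findall(expr))


def texture2d_calls(expr):
    """Return the argument list of every texture2D(...) call in expr, splitting only on
    top-level commas so nested calls like vec2(500, 500) stay intact."""
    calls = []
    for m in re.finditer(r"\btexture2D\s*\(", expr):
        depth, start, i, args = 1, m.end(), m.end(), []
        while i < len(expr) and depth:
            ch = expr[i]
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    args.append(expr[start:i].strip())
            elif ch == "," and depth == 1:
                args.append(expr[start:i].strip())
                start = i + 1
            i += 1
        calls.append(args)
    return calls


def check_shader(source, taint_source=TAINT_SOURCE):
    """Walk the statements in order, tracking which variables depend on taint_source.

    Returns (tainted_names, errors) where errors is a list of
    (line_number, assigned_name, [tainted identifiers used as texture2D coordinates]).
    The first (sampler) argument of texture2D is exempt: reading u_texture is the
    legitimate source of taint; using a tainted value as a coordinate is the violation.
    """
    tainted = {taint_source}
    errors = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DECL.match(line)
        if not m:
            continue  # statements outside the tiny subset are ignored in this example
        name, expr = m.groups()
        for args in texture2d_calls(expr):
            coord_args = " ".join(args[1:])
            bad = identifiers(coord_args) & tainted
            if bad:
                errors.append((lineno, name, sorted(bad)))
        # Any expression that reads a tainted identifier makes the assigned variable tainted.
        if identifiers(expr) & tainted:
            tainted.add(name)
    return tainted, errors


if __name__ == "__main__":
    names, problems = check_shader(SAMPLE_SHADER)
    print("tainted:", sorted(names))
    for lineno, name, bad in problems:
        print(f"line {lineno}: cannot call texture2D() with tainted coordinate ({', '.join(bad)}) in '{name}'")
```

Running it reports `color1` and `color2` as tainted and flags line 2, where `color1.rg` (derived from `u_texture`) feeds the coordinate of the second lookup, while the `offset`-based lookup on line 4 passes because it depends only on `v_texCoord`. A real validator would work on a parsed AST rather than regexes, but the propagation rule it enforces is the same one the email proposes.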