tainting in CSS custom filters: texture indirection as a timing attack?

Hi FX-gurus,

As a followup to Method H "Tainting shader code branches" of the CSS
Shaders Security document (

I don't know if this has been discussed previously, but another possible
timing attack would be to use texture indirection:  using a source texture
as a texture coordinate offset for another (large) texture might reveal
performance differences:  "nearby" texel fetches in the second texture
would be in texture cache, while "far" texels would be slower to retrieve.
 I have not tested a proof-of-concept of this attack, but it should be
possible to mitigate it simply by disallowing texture indirection via
values retrieved from tainted textures.  This is really just a variant of
the "No value dependent on the symbol u_texture may be an operand in an
operation whose execution time can depend on the value of the operands"
restriction:  texture2D() should probably be one of those operations.

Something like this:

vec4 color1 = texture2D(u_texture, v_texCoord);            // color1 is
vec4 color2 = texture2D(u_bigImageTexture, color1.rg * vec2(500, 500)); //
Error: cannot call texture2D() on expression using a tainted value


Received on Tuesday, 19 June 2012 18:20:43 UTC