- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Tue, 18 Oct 2011 16:02:54 -0700
- To: "Gregg Tavares (wrk)" <gman@google.com>
- Cc: www-style list <www-style@w3.org>

On Tue, Oct 18, 2011 at 10:11 AM, Gregg Tavares (wrk) <gman@google.com> wrote:
> Don't CSS shaders end up exposing the same timing attacks for reading images
> that WebGL used to before CORS support was added?
> Basically, build a shader that takes more time depending on the pixels. Use
> requestAnimationFrame to time how long compositing took, adjust until you
> overflow a frame. You can now read pixels.

Specifically, if you use a shader that runs either at 60fps or 30fps based on what it's run on, you can use rAF to extract, on average, about 45 bits/second of data from any element on the page, potentially including things like cross-origin iframes.

~TJ

Received on Tuesday, 18 October 2011 23:03:49 UTC