[filter-effects] shader security model

Hi,

During the conference call today issues were raised about security problems with shaders. I would like to summarize the security discussions that we had so far and explain how we addressed these issues. For the complete discussion take a look at [1].

Security experts like Adam Barth found possible timing attacks with the initial CSS Shaders proposal submitted to the CSS WG more than a year ago.

Initial proposal:
=================
- Shaders had direct access to rendered web content. Therefore, the shader had information about visited links and similar sensitive data. Also, the rendered content possibly came from a different domain than the shader.
- If shaders could communicate with attackers, this data could be leaked. This could be achieved by timing attacks with fragment shaders.
- Fragment shaders were allowed to access pixel data of rendered content. Fragment shaders could be written so that they run slower or faster depending on the color value of pixels. With functions like requestAnimationFrame, this difference could be measured.

How did the Filter Effects WD address these issues?
===================================================
- Fragment shaders do not have direct access to pixel data of rendered web content. To still provide the basic functionality of fragment shaders, the author can generate color values independently of the rendered web content and use blending functions to blend the generated color with the rendered web content.
- Shaders referenced in SVG Filters can use results of previous filter primitives as primary input. These results are treated as rendered web content and fall under the same restrictions as other rendered web content.
- Shaders referenced in SVG Filters can use results of previous filter primitives as secondary inputs (via texture parameters). If the results of those primitives are a direct or indirect result of rendered web content, the shader is not executed and acts as a pass-through filter. This is because shaders are allowed to sample the colors of texture parameters, unlike the primary input[].
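The three rules above can be modelled as taint tracking over a filter chain. The following Python model is an added illustration for this message; it is not spec text and not code from any browser. The names `Result`, `source_graphic`, `flood`, `color_matrix`, `custom_shader` and the sample pixel values are this example's own constructions. It generalises the text slightly by propagating the taint through every primitive that reads an input, not only through the shader itself.

```python
"""Model of the custom-filter (shader) security policy summarised above.

Rules encoded here (from the message, names are this example's own):
  1. Rendered web content (SourceGraphic and anything derived from it)
     is tainted; a primitive that reads a tainted input is tainted too.
  2. The shader never receives the primary input's pixels. It produces a
     colour from its own inputs only, and the compositor blends that
     colour with the content afterwards.
  3. If any texture parameter (secondary input) is tainted, the shader is
     skipped and the primary input passes through unchanged.
"""
from dataclasses import dataclass


@dataclass
class Result:
    pixels: list   # constructed 1-D "image": list of (r, g, b, a) floats
    tainted: bool  # True when derived from rendered web content


def source_graphic(pixels):
    # SourceGraphic: the rendered page itself, always tainted.
    return Result(list(pixels), tainted=True)


def flood(color, n):
    # feFlood-like primitive: a constant colour, independent of content.
    return Result([color] * n, tainted=False)


def color_matrix(inp, scale):
    # Any primitive that reads an input inherits that input's taint.
    out = [tuple(c * scale for c in p[:3]) + (p[3],) for p in inp.pixels]
    return Result(out, inp.tainted)


def blend(content_px, generated_px, weight):
    # Compositor-side linear blend; the shader never sees content_px.
    return tuple((1 - weight) * c + weight * g
                 for c, g in zip(content_px, generated_px))


def custom_shader(primary, fragment, textures=(), mix_weight=0.5):
    """Run a content-blind fragment function over the primary input.

    fragment(x, texels) -> (r, g, b, a): receives only the coordinate and
    the texels of the (untainted) texture parameters, never the primary
    input's pixel, so its running time cannot depend on page content.
    Returns (Result, status) where status is "executed" or "pass-through".
    """
    if any(t.tainted for t in textures):
        # Rule 3: a tainted secondary input disables the shader entirely.
        return Result(list(primary.pixels), primary.tainted), "pass-through"
    out = []
    for x, content_px in enumerate(primary.pixels):
        texels = [t.pixels[x] for t in textures]
        generated = fragment(x, texels)            # no content_px here
        out.append(blend(content_px, generated, mix_weight))
    # The output still carries the primary input's taint (rule 1).
    return Result(out, tainted=primary.tainted), "executed"


if __name__ == "__main__":
    page = source_graphic([(1, 0, 0, 1), (0, 1, 0, 1), (0, 0, 1, 1)])
    darken = lambda x, texels: (0, 0, 0, 1)        # constant black
    print(custom_shader(page, darken))                              # executed
    print(custom_shader(page, darken, textures=[flood((0, 0, 1, 1), 3)]))  # executed
    print(custom_shader(page, darken, textures=[color_matrix(page, 0.5)]))  # pass-through
```

The point of the model is where the decision is taken: the compositor, not the shader, does the blend, and the taint check happens before any shader code runs, so a shader author has no code path in which page pixels reach the shader.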

The current model is very restrictive and was proposed to the working groups and other security experts. There is no known attack pattern on the current model.

Greetings,
Dirk

[1] http://www.w3.org/Graphics/fx/wiki/CSS_Shaders_Security
[2] http://www.w3.org/TR/filter-effects/#feCustomElement

Received on Wednesday, 6 March 2013 18:22:56 UTC