Recently Context Information Security Limited gathered a lot of attention for a blog post on the state of WebGL security. For Mozilla, WebGL was first released in Firefox 4, and there are implementations in Chrome, Safari and Opera as well. The blog post outlines an abstract concern that WebGL is inherently insecure because it allows fairly direct access to the hardware, along with two specific attacks, a Denial of Service and a Cross-Domain Image Theft.
The Cross-Domain Image Theft issue is indeed a viable attack. It had been previously theorized, but no known proof of concept giving meaningful results existed until now. While it is not immediately obvious that it can be exploited in a practical attack right now,
experience in security shows that this is a matter of when, not if. Mozilla is engaged with browser, OS and hardware vendors in the WebGL mailing list to solve this as quickly as possible. One solution is simply to disallow the use of cross-domain images that do not have CORS approval in the WebGL context, which currently is Mozilla’s preferred solution. Mozilla is committed to rolling out a solution that secures against real threats while keeping WebGL a viable platform.
The abstract concern around hardware access is something we (and other browser vendors) have thought about a lot during design and implementation. For Firefox we first addressed this by employing both a whitelist and a blacklist for drivers. The blacklist can be deployed daily without a full software update so we can respond rapidly to any issues. We’ve also been working with driver vendors, both before and after the release, through the Khronos WebGL working group to report and solve specific issues. Vendors must be active in order to be whitelisted. Longer term, again through Khronos, we continuously work to raise overall vendor awareness and develop more advanced counter measures such as the openGL GL_ARB_robustness_2 extension to mitigate various types of attacks.
WebGL is a powerful technology and we certainly recognize that significant attacks against it may be possible. Nevertheless, claims of kernel level hardware access via WebGL are speculative at best since WebGL shaders run on the GPU and shader compilers run in user mode. We’re keen to work with Context, or any other group, on identifying and
closing specific, concrete attacks as they emerge.