Platform/GFX/WebGL-Security-2011-10-28: Difference between revisions
(Created page with "* Patterns of WebGL exploits so far (Benoit) ** More details have been sent to security-group on June 29 and October 28. ** Pattern A (Relying on a particular GL state, forgettin...") |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 2: | Line 2: | ||
** More details have been sent to security-group on June 29 and October 28. | ** More details have been sent to security-group on June 29 and October 28. | ||
** Pattern A (Relying on a particular GL state, forgetting that scripts can change it) | ** Pattern A (Relying on a particular GL state, forgetting that scripts can change it) | ||
*** June 29 review: Bug 659349 | *** June 29 review: {{Bug|659349}} | ||
*** October 28 review: no new bugs in this category | *** October 28 review: no new bugs in this category | ||
** Pattern B (Mistake when keeping track of GL state) | ** Pattern B (Mistake when keeping track of GL state) | ||
*** June 29 review: Bug 656752, Bug 665070 | *** June 29 review: {{Bug|656752}}, {{Bug|665070}} | ||
*** October 28 review: Bug 665070 | *** October 28 review: {{Bug|665070}} | ||
** Pattern C (Timing attacks) | ** Pattern C (Timing attacks) | ||
*** June 29 review: Bug 656277 | *** June 29 review: {{Bug|656277}} | ||
*** October 28 review: no new bugs in this category | *** October 28 review: no new bugs in this category | ||
** Pattern D (Driver bugs) | ** Pattern D (Driver bugs) | ||
*** Type 1: Can be worked around. | *** Type 1: Can be worked around. | ||
**** June 29 review: Bug 631420, Bug 657201 | **** June 29 review: {{Bug|631420}}, {{Bug|657201}} | ||
**** October 28 review: Bug 665578, Bug 658826, Bug 684882, Bug 675625, Bug 674042 | **** October 28 review: {{Bug|665578}}, {{Bug|658826}}, {{Bug|684882}}, {{Bug 675625}}, {{Bug|674042}} | ||
*** Type 2: Can be blacklisted. [[Blocklisting/Blocked_Graphics_Drivers|Tons of examples]]. | *** Type 2: Can be blacklisted. [[Blocklisting/Blocked_Graphics_Drivers|Tons of examples]]. | ||
*** Type 3: Ones we ignore for now because extensive DOS mitigations not available | *** Type 3: Ones we ignore for now because extensive DOS mitigations not available | ||
** Pattern E (Implementation Bugs that are not at all GL-specific) | ** Pattern E (Implementation Bugs that are not at all GL-specific) | ||
*** June 29 review: Bug 648705 in our WebGL implementation; Bug 665934 in ANGLE. | *** June 29 review: {{Bug|648705}} in our WebGL implementation; {{Bug|665934}} in ANGLE. | ||
*** October 28 review: Bug 686398, Bug 685793, Bug 682335 in our WebGL implementation; Bug 680840, Bug 665936 in ANGLE. | *** October 28 review: {{Bug|686398}}, {{Bug|685793}}, {{Bug|682335}} in our WebGL implementation; {{Bug|680840}}, {{Bug|665936}} in ANGLE. | ||
== Securtiy Discussion == | |||
* go over action items from previous meeting and evaluate progress | |||
** conformance tests should be in a very good shape now: https://etherpad.mozilla.org/WebGL-Conf | |||
** ARB_robustness support finally landing (GLX already landed, WGL has patch) | |||
* go over security bugs we've had since previous meeting and see how they fit in the patterns we discussed. | |||
* regarding the DOS issue, discuss whether the pace of progress around ARB_robustness is enough or we want to do more. | |||
** things seem to be progressing positively at this point | |||
* discuss state of fuzzing | |||
** still need to make a push to integrate fuzzcases as tests. | |||
** If conformance tests revealed some bugs, does it make sense to mutate conformance tests? | |||
** Does it make sense to do this without a real driver (software rendering)? | |||
*** Recent versions of MESA (7.11) with the llvmpipe driver (or softpipe) but avoid the old 'swrast' driver | |||
* performance tests | |||
** https://etherpad.mozilla.org/WebGL-Conf |
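Review bot: In the Pattern D, Type 1 "October 28 review" line, `{{Bug 675625}}` is missing the `|` separator that every other entry uses, so it renders as "Template:Bug 675625" instead of a bug link; it should be `{{Bug|675625}}`. The newly added heading is also misspelled: `== Securtiy Discussion ==` should read `== Security Discussion ==`.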
Latest revision as of 17:52, 28 October 2011
- Patterns of WebGL exploits so far (Benoit)
  - More details have been sent to security-group on June 29 and October 28.
  - Pattern A (Relying on a particular GL state, forgetting that scripts can change it)
    - June 29 review: bug 659349
    - October 28 review: no new bugs in this category
  - Pattern B (Mistake when keeping track of GL state)
    - June 29 review: bug 656752, bug 665070
    - October 28 review: bug 665070
  - Pattern C (Timing attacks)
    - June 29 review: bug 656277
    - October 28 review: no new bugs in this category
  - Pattern D (Driver bugs)
    - Type 1: Can be worked around.
      - June 29 review: bug 631420, bug 657201
      - October 28 review: bug 665578, bug 658826, bug 684882, bug 675625, bug 674042
    - Type 2: Can be blacklisted. Tons of examples.
    - Type 3: Ones we ignore for now because extensive DOS mitigations not available
  - Pattern E (Implementation Bugs that are not at all GL-specific)
    - June 29 review: bug 648705 in our WebGL implementation; bug 665934 in ANGLE.
    - October 28 review: bug 686398, bug 685793, bug 682335 in our WebGL implementation; bug 680840, bug 665936 in ANGLE.
Security Discussion
- go over action items from previous meeting and evaluate progress
  - conformance tests should be in a very good shape now: https://etherpad.mozilla.org/WebGL-Conf
  - ARB_robustness support finally landing (GLX already landed, WGL has patch)
- go over security bugs we've had since previous meeting and see how they fit in the patterns we discussed.
- regarding the DOS issue, discuss whether the pace of progress around ARB_robustness is enough or we want to do more.
  - things seem to be progressing positively at this point
- discuss state of fuzzing
  - still need to make a push to integrate fuzzcases as tests.
  - If conformance tests revealed some bugs, does it make sense to mutate conformance tests?
  - Does it make sense to do this without a real driver (software rendering)?
    - Recent versions of MESA (7.11) with the llvmpipe driver (or softpipe) but avoid the old 'swrast' driver
- performance tests