Saturday, December 3, 2011

Timing Attacks on CSS Shaders

CSS Shaders is a new feature folks from Adobe, Apple, and Opera have proposed to the W3C CSS-SVG Effects Task Force.  Rather than being limited to pre-canned effects, such as gradients and drop shadows, CSS Shaders would let web developers apply arbitrary OpenGL shaders to their content.  That makes for some really impressive demos.  Unfortunately, CSS Shaders has a security problem.

To understand the security problem with CSS Shaders, it's helpful to recall a recent security issue with WebGL.  Similar to CSS Shaders, WebGL lets developers use OpenGL shaders in their web applications.  Originally, WebGL let these shaders operate on arbitrary textures, including textures fetched from other origins.  Unfortunately, this design was vulnerable to a timing attack because the runtime of OpenGL shaders can depend on their inputs.

Using the shader code below, James Forshaw built a compelling proof-of-concept attack that extracted pixel values from a cross-origin image using WebGL:
for (int i = 0; i <= 1024; i += 1) {
  // Exit loop early depending on pixel brightness
  currCol.r -= 1.0;
  if (currCol.r <= 0.0) {
    currCol.r = 0.0;
    break;
  }
}
Timing attacks are difficult to mitigate because once the sensitive data is present in the timing channel it's very difficult to remove.  Using techniques like bucketing, we can limit the number of bits an attacker can extract per second, but, given enough time, the attacker can still steal the sensitive data.  The best solution is the one WebGL adopted: prevent sensitive data from entering the timing channel.  WebGL accomplished this by requiring cross-origin textures to be authorized via Cross-Origin Resource Sharing.

There's a direct application of this attack to CSS Shaders.  Because web sites are allowed to display content that they are not allowed to read, an attacker can use a Forshaw-style CSS shader read confidential information via the timing channel.  For example, a web site could use CSS shaders to extract your identity from an embedded Facebook Like button.  More subtly, a web site could extract your browsing history bypassing David Baron's defense against history sniffing.

The authors of the CSS Shaders proposal are aware of these issues.  In the Security Considerations section of their proposal, they write:
However, it seems difficult to mount such an attack with CSS shaders because the means to measure the time taken by a cross-domain shader are limited.
Now, I don't have a proof-of-concept attack, but this claim is fairly dubious.  The history of timing attacks, including other web timing attacks, teaches us that even subtle leaks in the timing channel can lead to practical attacks.  Given that we've seen practical applications of the WebGL version of this attack, it seems quite likely CSS Shaders are vulnerable to timing attacks.

Specifically, there are a number of mechanisms for timing rendering.  For example, MozBeforePaint and MozAfterPaint provide a mechanism for measuring paint times directly.  Also, the behavior of requestAnimationFrame contains information about rendering times.

Without a proof-of-concept attack we cannot be completely certain that these attacks on CSS Shaders are practical, but waiting for proof-of-concept attacks before addressing security concerns isn't a path that leads to security.

77 comments:

  1. I've also been wondering whether SVG filters could be used for a similar attack. SVG filters aren't programmable like shaders are, so you couldn't directly affect the timing. However it might be possible to make a filter that is quicker for a certain pixel values due to various optimisations in the filter algorithms (e.g. a black pixel might be very quick to process because the output would always be zero for a particular filter). Or you could find a combination of filters that hits some edge case that takes particularly long to process for some pixel values (maybe involving alpha or something)

    ReplyDelete
  2. Yeah, Dean Jackson has suggested that something like that might be possible. It definitely sounds worth experimenting with.

    ReplyDelete
  3. Parallel to this you can plan for the layout's response when the window expands. "Abu Dhabi Website Design" It will then include one or two sidebars and several other elements.

    ReplyDelete
  4. a essay editor will transform ones essay coming from for ordinary custom essay writing services uk in to a refined AS WELL AS concise essay. you have quite possibly spent the considerable amount connected with day a lot more than your own academic assignment. your own next step can be in order to polish It to help perfection. This can be possible pertaining to you, like a writer, to be able to overlook the errors that you can have committed.

    ReplyDelete
  5. Frequent people demand special discounts and also other cheap business arrivals. It is because that they vacation on a day-to-day basis. Few air arrivals corporations consider these kind of people while many will not.discount travel

    ReplyDelete
  6. world-wide-web design deals from the location regarding designing a site AS WELL AS on the lengthy operate updating AS WELL AS maintaining. from the world wide web boom, every firm wants to have an on the internet footprint AND the website is The best way to showcase one's skills IN ADDITION TO business IN ADDITION TO kindle the curiosity regarding potential customers.CMS for web designers

    ReplyDelete
  7. The HTML reports can be shown utilizing diverse yield styles. HTML labels were initially intended to characterize the substance of a report. Falling web-designing Styles sheets characterize how HTML components are to be shown.

    ReplyDelete
  8. Primeau Productions is your current full-service online video media production company, throughout company intended for over 30 years. Primeau Productions owes its success immediately towards the results The idea achieves due to the clients. i are a results-oriented company, As established via MY PERSONAL published listing of long-term, repeat customers.keynote-speaker-demo-video-production

    ReplyDelete
  9. Great information about the css and it related create digital tickets . Now this time we need this type of info to get success. Once again thanks for the Css information.

    ReplyDelete
  10. Thanks for sharing such a great article and it's helpful for everyone. Great Post! Hyderabad Online Florist

    ReplyDelete
  11. The best solution is the one WebGL adopted: prevent sensitive data from entering the timing channel. hvac repair denver

    ReplyDelete
  12. Thank you for your post.Really looking forward to read more. Cool.
    Diwali wishes 2015

    ReplyDelete
  13. Thanks for sharing, this is a fantastic blog.Thanks Again. Much obliged.
    diwali sms images 2015

    ReplyDelete
  14. I am so grateful for your blog.Really thank you! Cool
    Prem ratan dhan payo torrent

    ReplyDelete
  15. It's a fact that your blog posts are so unique and interesting and I enjoys a lot while reading your posts because you explained your post very deeply in a very easy and clear language. Thanks for your support and Happy Blogging :D

    hostgator black friday 2015

    happy new year 2016
    new year 2016

    ReplyDelete
  16. Really impressive post. I read it whole and going to share it with my social circules. I enjoyed your article and planning to rewrite it on my own blog.
    mahjong |geometry dash | kizi | hulk|agario | minecraft|halloween | pacman| | sniper games | games

    ReplyDelete
  17. This is a great post ! it was very informative. I look forward in reading more of your work. Also, I made sure to bookmark your website so I can come back later. I enjoyed every moment of reading it.
    baju batik modern baju batik baju batik wanita batik pekalongan batik couple batik online batik modern gamis batik

    ReplyDelete
  18. I really like and appreciate your blog.Thanks Again. Really Cool.
    New year wishes 2016
    New year wishes

    ReplyDelete
  19. I appreciate you sharing this article.Thanks Again. Much obliged.
    New year images 2016
    New year pictures 2016

    ReplyDelete
  20. Really appreciate you sharing this blog.Really looking forward to read more. Much obliged.
    New year wishes 2016

    Happy new year wishes 2016

    ReplyDelete
  21. Thanks for the blog post.Really looking forward to read more. Will read on…
    Happy new year quotes

    New year quotes 2016

    ReplyDelete
  22. This is really great work. Thank you for sharing such a useful information here in the blog.
    Voodoo Spells

    ReplyDelete
  23. A great possibility for me and it was a superb knowledge to view this site. Very difficult to uncover these beneficial web page or web site. I have many devices and achieving proper picture of these worked well and energy continues to be seeing about this weblog. Often my own intend to make my personal site as well as my
    agario
    pacman
    plants vs zombies
    solitaire
    happy wheels
    car games

    ReplyDelete
  24. Crazy Bulk Australia 100% Safe and Legal Steroids

    Click Here To Avail Buy 2 Get 1 Free Discount Offer

    ReplyDelete
  25. Thanks for sharing the information. It is very useful for my future. keep sharing
    A good blog.
    Signature:
    i like play happy wheels games online and play games happy wheels demo full and game zombie tsunami , retrica apk , retrica download , happy wheels demo , agario

    ReplyDelete
  26. It's a fact that your blog posts are so unique and interesting and I enjoys a lot while reading your posts because you explained your post very deeply in a very easy and clear language. Thanks for your support and Happy Blogging :D
    HostGatorCouponCodesFactory

    ReplyDelete
  27. http://republicdayquotes2016.com
    http://republicdayquotes2016.com/happy-26th-january-republic-day-pictures/
    http://republicdayquotes2016.com/indian-flag-pictures-images-for-republic-day-2016/
    http://republicdayquotes2016.com/happy-republic-day-2016-sms-wishes/
    http://republicdayquotes2016.com/happy-republic-day-quotes-in-hindi/
    http://republicdayquotes2016.com/why-is-republic-day-celebrated-in-india-on-26th-january/
    http://republicdayquotes2016.com/happy-republic-day-2016-quotes-in-english/
    http://republicdayquotes2016.com/happy-republic-day-2016-speech-essay-paragraph-for-school-students/
    http://republicdayquotes2016.com/republic-day-2016-slogan-poster-sayings/
    http://republicdayquotes2016.com/happy-republic-day-2016-whatsapp-status-whatsapp-dp/
    http://republicdayquotes2016.com/famous-republic-day-images-quotes-26th-january-2016/
    Republic Day 2016 Slogan | Poster | Sayings

    Happy Republic Day 2016 Whatsapp Status & Whatsapp DP

    Famous Republic Day Images with Quotes on 26th January 2016

    Happy Republic Day 2016 Speech | Essay | Paragraph for School Students

    Happy Republic Day 2016 Quotes in English

    Happy 26th January Republic Day Pictures

    Indian Flag Pictures – Images for Republic Day 2016 (गणतंत्र दिवस)

    Happy Republic Day 2016 Sms Wishes

    Happy Republic Day 2016 Quotes in Hindi

    Why is Republic Day Celebrated in India on 26th January


    ReplyDelete
  28. i THINK THERE IS SOME grammatical mistakes mothers day 2016 quotes and some spelling mistakes too Fathers day 2016 quotes and check iphone 7 too Apple iPhone 7 and soon cbse result is going to live on the website CBSE RESULT 2016

    ReplyDelete
  29. i THINK THERE IS SOME grammatical mistakes mothers day 2016 quotes and some spelling mistakes too Fathers day 2016 quotes and check iphone 7 too Apple iPhone 7 and soon cbse result is going to live on the website CBSE RESULT 2016

    ReplyDelete
  30. i THINK THERE IS SOME grammatical mistakes mothers day 2016 quotes and some spelling mistakes too Fathers day 2016 quotes and check iphone 7 too Apple iPhone 7 and soon cbse result is going to live on the website CBSE RESULT 2016

    ReplyDelete
  31. Kasse neuesten und Bilder Tag 2016 der frisch Valentine, Zitate, Tapeten und alles über diese valentinstagsgeschenk für männer 2016

    ReplyDelete