[Public WebGL] EXT_disjoint_timer_query disabled

Ken Russell [email protected]
Fri May 18 18:08:11 PDT 2018

EXT_disjoint_timer_query could not only be used to launch the GLitch
attack, but act as a high-precision timer to carry out Spectre-like
attacks. Reducing the timers' precision was sufficient to mitigate the
GLitch attack, and as it turns out, Chrome's implementation of
EXT_disjoint_timer_query already returned sufficiently lower-precision
results. However, Site Isolation is the long-term defense against Spectre,
and it's close to being turned on in Chrome by default. At that point, the
EXT_disjoint_timer_query WebGL extension will be turned back on in Chrome.

Other browsers have mitigations in progress for Spectre, and once those
land, useful features like EXT_disjoint_timer_query and SharedArrayBuffer
will be re-enabled in those browsers, too.


On Fri, May 18, 2018 at 2:53 AM Florian Bösch <[email protected]> wrote:

> The glitch paper suggests that:
> To protect the system against both GPU and CPU sidechannel attacks,
>> currently the only practical solution in the browser is disabling all
>> possible timing sources.
> You see the issue with this is that it breaks our ability to measure time.
> That's a big deal.
> This is one of the early marine chronometers. It's the device that enabled
> precise naval navigation because now not only could you determine latitude
> (from the stars) but you could also pinpoint longitude fairly precisely.
> As the name suggests "real-time" rendering has a time component (that's
> the time, in "real-time"). You might infer from that fact that "time" is a
> rather important quantity in "real-time", and you'd be absolutely correct.
> Breaking time alone wouldn't be a problem if everybody had the same
> hardware. But that's in fact, surprisingly, not the case. Developers need
> to write software for hardware whose real-time performance can differ up to
> a factor 1000x at the extremes, up to 100x between major device categories
> and up to around 10x within a device category.
> Measuring time is therefore rather important if you want to keep it
> "real". Not just your time, and not just the time of individual samples of
> hardware you luckily happen to have access to, but time as broadly as
> possible. We can't do that now can we anymore? No we can't.
>> With Site Isolation enabled, the amount of data exposed to side-channel
>> attacks is reduced as Chrome renders content for each website in a separate
>> process
>  The glitch paper does not suggest that "putting stuff into a process" is
> a mitigation strategy.
> Accordingly, they will remain disabled in Chrome until Site Isolation is
>> on by default
> When is site isolation going to be on by default? When do other UAs have
> this?
> at which point they will be re-enabled with sufficiently reduced precision
>> to mitigate GLitch attacks
> What does that mean exactly? So imprecise we can't practically use them
> anymore to measure any performance or what?
> -----------
> This whole episode is so unacceptable at so many levels. You're breaking
> the tools we need to build applications. Native applications don't have
> this problem (they just ignore it, any natively installed game can now
> steal your whatevers). You're breaking the empirical method. Now there's
> nothing left but blindly stabbing in the dark. Well done you, well done.
> On Tue, May 15, 2018 at 2:54 PM, Nicolas Capens <[email protected]> wrote:
>> As mentioned here <https://www.chromium.org/Home/chromium-security/ssca>,
>> the WebGL timer extensions "will remain disabled in Chrome until Site
>> Isolation is on by default, at which point they will be re-enabled with
>> sufficiently reduced precision to mitigate GLitch attacks".
>> On Sun, May 13, 2018 at 1:51 PM Florian Bösch <[email protected]> wrote:
>>> 20 years on writing hardware accelerated code we have no way to measure
>>> the performance of the programs we write, on the machines our users use to
>>> run these programs. You've got to be fucking kidding me man.
>>> On Sun, May 13, 2018 at 6:48 PM, Aleksandar Rodic <
>>> [email protected]> wrote:
>>>> My guess is the extension has been disabled due to recently discovered "
>>>> GLitch <https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf>"
>>>> rowhammer attack vector.
>>>> > EXT_DISJOINT_TIMER_QUERY is an OpenGL extension developed to provide
>>>> developers with more detailed information about the performance of their
>>>> applications [46]. This extension, if made available to the system by the
>>>> GPU driver, is accessible from both WebGL and WebGL2, and provides the
>>>> JavaScript runtime with two timing sources: (1) TIME_ELAPSED_EXT and (2)
>>>> TIMESTAMP_EXT. Such timers allow an attacker to measure the timing of
>>>> secret operations (e.g., memory accesses) performed either by the CPU or
>>>> the GPU.
>>>> On Sun, May 13, 2018 at 4:32 PM Florian Bösch <[email protected]> wrote:
>>>>> On Fri, Apr 6, 2018 at 12:50 AM, Ken Russell <[email protected]> wrote:
>>>>>> We can not currently discuss why the extension has been disabled. We
>>>>>> should be able to do so in about a month.
>>>>> It's now been a month and a week since this statement.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://khronos.org/pipermail/public_webgl_khronos.org/attachments/20180518/c653036b/attachment.html>

More information about the public_webgl mailing list