[Public WebGL] EXT_disjoint_timer_query disabled

Ken Russell [email protected]
Sat May 19 09:35:41 PDT 2018


On Sat, May 19, 2018 at 12:29 AM Florian Bösch <[email protected]> wrote:

> On Sat, May 19, 2018 at 3:08 AM, Ken Russell <[email protected]> wrote:
>
>> EXT_disjoint_timer_query could not only be used to launch the GLitch
>> attack, but act as a high-precision timer to carry out Spectre-like attacks
>>
>
> This isn't only true of a browser. How is this not a problem for all
> applications?
>

Spectre allows reading of all memory in a process's address space. In an
app it's assumed that you already have access to the full address space,
but this is not true in the browser, where usually a single process will
contain data from multiple web domains.


>
>> Reducing the timers' precision was sufficient to mitigate the GLitch
>> attack, and as it turns out, Chrome's implementation of
>> EXT_disjoint_timer_query already returned sufficiently lower-precision
>> results.
>>
>
> How much precision was reduced?
>

Chrome has always been returning microsecond resolution for these queries
rather than nanosecond resolution. In discussion with the GLitch
researchers, it seems likely that this reduction in precision is sufficient
– and since no WebGL developer ever complained about low resolution of
Chrome's timer queries, there's no need to make any changes to the
precision.


>> However, Site Isolation is the long-term defense against Spectre, and it's
>> close to being turned on in Chrome by default. At that point, the
>> EXT_disjoint_timer_query WebGL extension will be turned back on in Chrome.
>>
>
> This is gonna happen when?
>

I don't know exactly. Site Isolation is being rolled out now in Chrome.
It's a large enough feature that if you watch the Chromium and Chrome blogs
you'll definitely see the updates.


>
>
>> Other browsers have mitigations in progress for Spectre, and once those
>> land, useful features like EXT_disjoint_timer_query and SharedArrayBuffer
>> will be re-enabled in those browsers, too.
>>
>
> And this is gonna happen when?
>

I don't know, but all browsers have a vested interest in turning
SharedArrayBuffer back on, in particular.

-Ken
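As an added illustration of the precision reduction discussed above (not code from Chrome or from anyone in this thread), the following wraps an EXT_disjoint_timer_query-style object so that timestamp results are coarsened from nanoseconds to microseconds; the extension object it runs against is a constructed stand-in, so the snippet runs outside a browser.

```javascript
// Illustrative, added example: coarsen EXT_disjoint_timer_query results from
// nanosecond to microsecond resolution. This is not Chrome's implementation;
// `fakeExt` is a constructed stand-in for the real WebGL extension object.

const NS_PER_US = 1000;

// Round a nanosecond timer value down to the given quantum (default 1 µs).
// Readings that differ by less than one quantum become indistinguishable.
function coarsenNs(ns, quantumNs = NS_PER_US) {
  if (!Number.isFinite(ns) || ns < 0) throw new RangeError("bad timer value");
  return Math.floor(ns / quantumNs) * quantumNs;
}

// Wrap an extension-like object so every QUERY_RESULT_EXT value read via
// getQueryObjectEXT is coarsened; all other properties pass through untouched.
function wrapTimerQueryExt(ext, quantumNs = NS_PER_US) {
  return new Proxy(ext, {
    get(target, prop, receiver) {
      if (prop !== "getQueryObjectEXT") return Reflect.get(target, prop, receiver);
      return (query, pname) => {
        const v = target.getQueryObjectEXT(query, pname);
        return pname === target.QUERY_RESULT_EXT ? coarsenNs(v, quantumNs) : v;
      };
    },
  });
}

// Constructed stand-in for the real extension: two queries whose raw
// results (in ns) differ by 300 ns. Enum values match GL_QUERY_RESULT and
// GL_QUERY_RESULT_AVAILABLE.
const fakeExt = {
  QUERY_RESULT_EXT: 0x8866,
  QUERY_RESULT_AVAILABLE_EXT: 0x8867,
  results: new Map([[1, 1234567], [2, 1234867]]),
  getQueryObjectEXT(query, pname) {
    if (pname === this.QUERY_RESULT_AVAILABLE_EXT) return true;
    return this.results.get(query);
  },
};

// Read both queries through the wrapper; the 300 ns gap disappears.
function demo() {
  const ext = wrapTimerQueryExt(fakeExt);
  return [1, 2].map((q) => ext.getQueryObjectEXT(q, ext.QUERY_RESULT_EXT));
}
```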