[Public WebGL] EXT_disjoint_timer_query disabled

Ken Russell [email protected]
Sat May 19 09:35:41 PDT 2018

On Sat, May 19, 2018 at 12:29 AM Florian Bösch <[email protected]> wrote:

> On Sat, May 19, 2018 at 3:08 AM, Ken Russell <[email protected]> wrote:
>> EXT_disjoint_timer_query could not only be used to launch the GLitch
>> attack, but act as a high-precision timer to carry out Spectre-like attacks
> This isn't only true of a browser. How is this not a problem for all
> applications?

Spectre allows reading of all memory in a process's address space. In an
app it's assumed that you already have access to the full address space,
but this is not true in the browser, where usually a single process will
contain data from multiple web domains.

>> Reducing the timers' precision was sufficient to mitigate the GLitch
>> attack, and as it turns out, Chrome's implementation of
>> EXT_disjoint_timer_query already returned sufficiently lower-precision
>> results.
> How much precision was reduced?

Chrome has always been returning microsecond resolution for these queries
rather than nanosecond resolution. In discussion with the GLitch
researchers, it seems likely that this reduction in precision is sufficient
– and since no WebGL developer ever complained about low resolution of
Chrome's timer queries, there's no need to make any changes to the

>> However, Site Isolation is the long-term defense against Spectre, and it's
>> close to being turned on in Chrome by default. At that point, the
>> EXT_disjoint_timer_query WebGL extension will be turned back on in Chrome.
> This is gonna happen when?

I don't know exactly. Site Isolation is being rolled out now in Chrome.
It's a large enough feature that if you watch the Chromium and Chrome blogs
you'll definitely see the updates.

>> Other browsers have mitigations in progress for Spectre, and once those
>> land, useful features like EXT_disjoint_timer_query and SharedArrayBuffer
>> will be re-enabled in those browsers, too.
> And this is gonna happen when?

I don't know, but all browsers have a vested interest in turning
SharedArrayBuffer back on, in particular.
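As an added illustration (not part of this thread and not Chrome's code) of the microsecond-resolution point above, the JavaScript below models quantizing a nanosecond timer-query reading to 1 µs and shows which timing differences survive that coarsening. The readQuery wrapper and all timing values are constructed assumptions.

```javascript
// Added example: models what coarsening a GPU timer-query result from
// nanosecond to microsecond resolution does to the information a caller
// can extract. All numbers below are constructed.

// Quantize a nanosecond reading to the given granularity (1000 ns = 1 µs).
function coarsenNs(elapsedNs, granularityNs = 1000) {
  if (!Number.isFinite(elapsedNs) || elapsedNs < 0) {
    throw new RangeError("elapsedNs must be a non-negative finite number");
  }
  return Math.floor(elapsedNs / granularityNs) * granularityNs;
}

// Whether a timer at this resolution can still tell two true timings apart.
function distinguishable(aNs, bNs, granularityNs = 1000) {
  return coarsenNs(aNs, granularityNs) !== coarsenNs(bNs, granularityNs);
}

// Hypothetical stand-in for reading a query result: in a real WebGL context
// the raw value would come from getQueryParameter on the query object.
// The default (microsecond) mode is the behaviour described for Chrome.
function readQuery(rawNs, { nanosecond = false } = {}) {
  return nanosecond ? coarsenNs(rawNs, 1) : coarsenNs(rawNs, 1000);
}

// Constructed timings (nanoseconds). The third pair shows the caveat that
// quantization alone does not hide a small difference when the two values
// straddle a microsecond boundary; only repeated averaging can defeat that.
const SAMPLES = [
  { label: "300 ns apart, same microsecond",   a: 12340, b: 12640 },
  { label: "5 us apart",                       a: 12340, b: 17340 },
  { label: "200 ns apart, across a boundary",  a: 12900, b: 13100 },
];

// Compare what a nanosecond timer and a coarsened timer can distinguish.
function survey(granularityNs = 1000) {
  return SAMPLES.map((s) => ({
    label: s.label,
    nanosecondTimer: distinguishable(s.a, s.b, 1),
    coarsenedTimer: distinguishable(s.a, s.b, granularityNs),
  }));
}
```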
