Thursday, June 16, 2011

WebGL considered harmful?

Today Microsoft posted an article titled "WebGL considered harmful". A lot of their arguments against WebGL seem to apply equally to Silverlight 5's XNA 3D graphics support, which, like WebGL, lets authors ship their own shader code to the GPU (HLSL in Silverlight's case, GLSL in WebGL's). I wonder: if you reframe their article by replacing WebGL with Silverlight 5, is anything in it untrue? If so, how does Microsoft solve these problems?

Silverlight XNA 3D considered harmful

Microsoft's Silverlight 5 XNA 3D technology is a low-level 3D graphics API for the web.

One of the functions of MSRC Engineering is to analyze various technologies in order to understand how they can potentially affect Microsoft products and customers. As part of this charter, we recently took a look at XNA 3D. Our analysis has led us to conclude that Microsoft products supporting XNA 3D would have difficulty passing Microsoft’s Security Development Lifecycle requirements. Some key concerns include:
  • Browser support for Silverlight 5 directly exposes hardware functionality to the web in a way that we consider to be overly permissive
    The security of Silverlight 5 as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really needed to worry about before. Attacks that may previously have resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by Silverlight 5 remains a concern. We expect to see bugs that exist only on certain platforms or with certain video cards, potentially facilitating targeted attacks.

  • Browser support for Silverlight 5 security servicing responsibility relies too heavily on third parties to secure the web experience
    As Silverlight 5 vulnerabilities are uncovered, they will not always manifest in the Silverlight 5 API itself. The problems may exist in the various OEM and system components delivered by IHVs. While it has been suggested that Silverlight 5 implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities.
    It is our belief that as configurations are blocked, increasing levels of customer disruption may occur. Without an efficient security servicing model for video card drivers (e.g. Windows Update), users may either choose to override the protection in order to use Silverlight 5 on their hardware, or remain insecure if a vulnerable configuration is not properly disabled. Users are not accustomed to ensuring they are up to date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process.

  • Problematic system DoS scenarios
    Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as the Direct3D 10-era driver model's GPU timeout detection and recovery may help, they have not proven themselves capable of comprehensively addressing the DoS threat. While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as critical infrastructure.

We believe that Silverlight 5 will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, XNA 3D in Silverlight 5 is not a technology Microsoft can endorse from a security perspective.

We recognize the need to provide solutions in this space however it is our goal that all such solutions are secure by design, secure by default, and secure in deployment.

The problems Microsoft is worried about are real, and they don't have any easy solutions. At the same time, I don't think we need to wait for perfect answers before trying. With Silverlight 5's 3D support, it looks like Microsoft feels the same way.
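The DoS bullet above is the one place where a browser can do more than hope the driver holds up: before an attacker-supplied shader reaches the compiler, WebGL 1.0 requires it to obey the loop restrictions of ESSL 1.00 Appendix A (for-loops only, an int or float index initialised to a literal, compared with a relational operator against a literal, stepped by ++, --, += literal or -= literal, and never written in the body), so every loop has a bound the compiler can see. The following is an added example, not code from the original post, from Microsoft, or from any browser or shader compiler; it is a hypothetical, simplified checker written for this page, with its own rule wording, its own report shape, and two constructed sample shaders. A real implementation works on the parsed AST rather than on regular expressions.

```javascript
// Added example: a simplified static check for WebGL 1.0 / ESSL 1.00
// Appendix A loop restrictions. Hypothetical code written for this page,
// not from any browser or shader-compiler project.

const LITERAL = /^[+-]?(\d+\.\d*|\.\d+|\d+)([eE][+-]?\d+)?$/;
const isLiteral = (expr) => LITERAL.test(expr.trim());

// Matches: for (type index = init; condVar op bound; update)
const FOR_HEADER =
  /\bfor\s*\(\s*(int|float)\s+([A-Za-z_]\w*)\s*=\s*([^;]+?)\s*;\s*([A-Za-z_]\w*)\s*(<=|>=|<|>|==|!=)\s*([^;]+?)\s*;\s*([^)]+?)\s*\)/g;

function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/\/\/.*$/gm, '');
}

// Text between the braces of the `{ ... }` block starting at `pos`, honouring
// nesting; null if the loop body is not a brace block.
function bodyAt(src, pos) {
  const lead = src.slice(pos).match(/^\s*\{/);
  if (!lead) return null;
  const open = pos + lead[0].length - 1;
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open + 1, i);
  }
  return null;
}

// Iteration count of an int loop whose header already passed the checks;
// Infinity when the comparison and step direction can never meet.
function iterations(init, op, bound, step, dir) {
  const a = Number(init), b = Number(bound), k = Math.abs(Number(step));
  if (k === 0) return Infinity;                       // `i += 0` never advances
  if (dir > 0 && (op === '<' || op === '<=')) return Math.max(0, Math.ceil((b - a + (op === '<=' ? 1 : 0)) / k));
  if (dir < 0 && (op === '>' || op === '>=')) return Math.max(0, Math.ceil((a - b + (op === '>=' ? 1 : 0)) / k));
  return Infinity;                                    // e.g. `i < 8` stepped with `i--`
}

// Returns { ok, global: [messages], loops: [{ index, issues, iterations }] }.
function checkShaderLoops(source) {
  const src = stripComments(source);
  const global = [], loops = [];
  if (/\b(while|do)\b/.test(src)) global.push('while/do loops are not allowed; only for-loops');
  const forCount = (src.match(/\bfor\s*\(/g) || []).length;
  let m, seen = 0;
  FOR_HEADER.lastIndex = 0;
  while ((m = FOR_HEADER.exec(src)) !== null) {
    seen++;
    const [hdr, type, index, init, condVar, op, bound, update] = m;
    const issues = [];
    if (!isLiteral(init)) issues.push(`initialiser "${init}" is not a literal`);
    if (condVar !== index) issues.push(`condition tests "${condVar}", not the loop index`);
    if (!isLiteral(bound)) issues.push(`bound "${bound}" is not a literal`);
    if (op === '==' || op === '!=') issues.push(`"${op}" is not a relational operator`);
    let step = null, dir = 0;
    const u = update.replace(/\s+/g, '');
    const um = u.match(new RegExp(`^(?:(\\+\\+|--)${index}|${index}(\\+\\+|--)|${index}(\\+=|-=)(.+))$`));
    if (!um) issues.push(`update "${update}" is not ++, --, += literal or -= literal`);
    else if (um[3]) {
      if (!isLiteral(um[4])) issues.push(`step "${um[4]}" is not a literal`);
      else { step = um[4]; dir = um[3] === '+=' ? 1 : -1; }
    } else { step = '1'; dir = (um[1] || um[2]) === '++' ? 1 : -1; }
    const body = bodyAt(src, m.index + hdr.length);
    if (body === null) issues.push('loop body is not a { ... } block');
    else if (new RegExp(`(^|[^\\w.])${index}\\s*(=[^=]|\\+=|-=|\\*=|/=|\\+\\+|--)|(\\+\\+|--)\\s*${index}\\b`).test(body))
      issues.push(`loop index "${index}" is modified in the body`);
    const n = issues.length === 0 && type === 'int' ? iterations(init, op, bound, step, dir) : null;
    if (n === Infinity) issues.push('header can never reach its bound');
    loops.push({ index, issues, iterations: n === Infinity ? null : n });
  }
  if (seen < forCount) global.push(`${forCount - seen} for-loop header(s) do not fit the required shape`);
  return { ok: global.length === 0 && loops.every((l) => l.issues.length === 0), global, loops };
}

// Constructed sample shaders (not from any real site or project).
const CONFORMING_SHADER = `
precision mediump float;
uniform vec3 lights[4];
void main() {
  vec3 acc = vec3(0.0);
  for (int i = 0; i < 4; i++) {   // literal bound, index untouched
    acc += lights[i];
  }
  for (int k = 8; k >= 0; k -= 2) { acc *= 0.5; }
  gl_FragColor = vec4(acc, 1.0);
}`;

const HOSTILE_SHADER = `
precision mediump float;
uniform int n;
void main() {
  float x = 0.0;
  for (int i = 0; i < n; i++) { x += 1.0; }          // bound comes from a uniform
  for (int j = 0; j < 16; j++) { x += 1.0; j = 0; }  // index reset inside the body
  while (x > -1.0) { x += 1.0; }                     // not a for-loop at all
  gl_FragColor = vec4(x);
}`;

module.exports = { checkShaderLoops, CONFORMING_SHADER, HOSTILE_SHADER };
```

The first shader passes (4 and 5 iterations); the second is rejected three times over. Note the caveat the iteration count is there to make: a bound the compiler can see is not a small bound. `for (int i = 0; i < 100000; i++)` nested three deep is perfectly legal under these rules and still pins the GPU for long enough to trip the driver's watchdog, which is why the static check only narrows the problem and the OS-level timeout and reset remains the backstop the DoS bullet is really arguing about.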


Ed said...

Touché! :-D

duality said...

Can you also discuss concerns with Unity3D or have they somehow mitigated these concerns?

IDoProperAnalysisBeforePressingSend said...

Have you even analysed the 3DApi stack within Silverlight before you did your analysis (cut-paste words)?

The Silverlight team works very closely with the Windows security team to ensure that Silverlight meets rigorous security benchmarks.

The following MSDN article explains just some of the security measures taken in the Silverlight 5 Beta 3DApi. And it is only a beta; more measures are being put in place!

Benoit Jacob said...

@ IDoProperAnalysisBeforePressingSend:

That doesn't set Silverlight apart from WebGL. The WebGL WG includes the major GPU vendors (regarding OS vendors, Apple and Google are on board), and together with browser vendors they spec and implement robustness improvements in graphics drivers, which are the part of an OS that matters the most here.

Jeff Muizelaar said...

Can you point out what security measures are being taken beyond what WebGL takes? The only thing that I noticed was that it is opt-in on XP. However, it's not obvious that this helps much. How is a user going to make the decision about whether to opt in or not? It seems likely that they'll just click the "show me the fancy thing that I want to see" button, especially if they are used to clicking that button on other websites that they trust.

Jeff Muizelaar said...

@duality: it looks like Unity3D allows authors to write arbitrary shaders so it seems to have the same problems.

JonManatee said...

I believe custom shaders are a part of Adobe's Molehill API for Flash as well. At least according to this blog post:

So I guess all of the big players for 3D on the web are doing it! Shame on them for letting graphics programmers write shaders for web games!

Anonymous said...

'The Silverlight team work very closely with the windows security team'

Awesome job /s! When do they get around to doing the same work on all the platforms the Web comes to?

Anonymous said...

Apparently blogger doesn't do the OpenID callback if you have JS off, I'm the snarky Anon above

Przemysław Lib said...

You did not link to any security-related efforts on behalf of the SL/sec MS teams.