WebGL gets rough welcome from British security firm
Kathleen Maher
May 27, 2011

WebGL gets rough welcome from British security firm

WebGL has made its grand debut, and now the Web community is getting a chance to fiddle with the knobs. Amid the positive response, there has come a warning. A security firm based in England, Context, has released a security bulletin that warns about vulnerabilities for computers that are running WebGL in browsers such as Firefox 4 and Chrome. At the heart of Context’s concerns is the accessibility of cross-domain content. In addition to the potential of theft, Context maintains that such access increases the vulnerability to dangerous or badly written code.
WebGL is a 3D graphics API that enables graphics processors to accelerate 3D models and applications within supporting browsers. It’s available for HTML 5 generation browsers, including Firefox 4 and the latest Chrome and Safari browsers. (See “Universal Appeal” in the April 2011 issue of CGW for an in-depth story on the WebGL specification.)

The Khronos Group, which develops and maintains WebGL, has always been aware of these issues, and they warned early on about the potential for badly written or malicious code to cause problems. It’s being compared to the effect of a denial-of-service (DoS) attack except that Context claims the problem goes straight to the heart of your machine, rather than servers on the Web, the usual victims of DoS attacks.

There have been several responses coming from the Khronos side, and they have come immediately. The standards group says that security has always been a top concern for the organization, and WebGL was created with safeguards to prevent “out-of-range memory accesses during rendering operations and access of uninitialized memory. Khronos created an extension called GL_ARB_robustness that prevents denial of service and out-of-range memory access attacks from WebGL content, and this extension has been available since the release of WebGL. JP Rosevear of Mozilla has blogged about the issue. He adds that the forthcoming extension, GL_ARB_robustness_2, will add even more protection.

The robustness extensions, however, must be supported by the graphics vendors. Khronos says support for ARB_robustness_2 has already been deployed by some GPU vendors, and they expect it will be deployed rapidly by others now that this issue has hit the fan. There is also a feature that enables browsers to check for the GL_ARB_robustness extension before enabling WebGL content. Again, given the concern, it’s expected that this will become the deployment mode for WebGL really really soon now.

In addition, Rosevear says that the CORS (cross-origin resource sharing) mechanism was developed as an approach to enable safe transactions and to prevent content theft. According to Rosevear, at the moment, it’s not obvious how the current state of WebGL could be exploited in a real attack. However, he says, “Experience in security shows that this is not a matter of when, not if,” and Mozilla is working with others in the HTML 5 community to create additional fixes.

In its original blog post, Context took the position that the problem is “inherent to the WebGL specification and would require significant architectural changes.”

On this point, Khronos strenuously disagrees. Khronos President Neil Trevett says, “Since the beginning, WebGL shaders in general run in a very limited environment where it is simply not possible to access and write over arbitrary regions of memory, so there is no known way to run malware through WebGL. We believe WebGL strikes the correct and well-considered balance between functionality and security.”


A call to AMD and Nvidia did not yield official responses about the vulnerability of GPUs via WebGL, but unofficially, people did get back to us right away. Their answer was similar to that given by Khronos. A person at AMD who is familiar with the issue said the problem is understood and recognized but that it had been over-stated. The existence of the issue is not a surprise. Trevett believes that the safeguards developed by the WebGL group and the HTML community will encourage more web sites to use existing mechanisms, such as CORS, to prevent to make the Web a more secure place. These are issues surrounding HTML 5 technology and not just WebGL.  For a FAQ from the Context side go to www.contextis.com/resources/blog/webgl/.

Kathleen Maher is a contributing editor to CGW, a senior analyst at Jon Peddie Research, a Tiburon, California-based consultancy specializing in graphics and multimedia, and editor in chief of JPR’s “TechWatch.” She can be reached at Kathleen@jonpeddie.com.