a three-dimensional platform

Firefox now includes, on all desktop platforms, support for a technology known as WebGL. WebGL allows web developers to use accelerated 3D graphics, including textures and shaders; it exposes the same capabilities used by games like Doom 3 and (optionally) World of Warcraft, and virtually every game that runs on the iPhone, OS X, Android or Linux.

Security professionals, including Context IS, have discovered bugs in the specification (related to cross-domain image loading) and in Firefox’s specific implementation. Both are being addressed, as with security problems in any other technology we ship, but recently the conversation has turned to inherent security characteristics of WebGL and whether it should be supported at all by browsers, ever.

I think that there is no question that the web needs 3D capabilities. Pretty much every platform has or is building ways for developers to perform low-level 3D operations, giving them the capabilities they need to create advanced visualizations, games, or new user interfaces:

  • Adobe is building 3D for Flash in a project called “Molehill“, about which they say: “In terms of design, our approach is very similar to the WebGL design.”
  • Microsoft is doing something similar with Silverlight 5, where they’re bringing XNA Graphics to Silverlight 3D.

Adding new capabilities can expose parts of the application stack to potentially-hostile content for the first time. Graphics drivers are an example of that, as are font engines, video codecs, OS text-display facilities (!) and image libraries. Even improvements in existing capabilities can lead to new types of threats that need to be modelled, understood, and mitigated. We have a number of mitigations in place, including a driver whitelist that’s checked daily for updates; this seems similar to the driver-blocking model used in SL5, based on what information is available. Shaders are validated as legal GLSL before being sent to the driver (or to Direct3D’s HLSL compiler), to avoid problems with drivers mishandling invalid shader text. We’re also working with the ARB and driver vendors on extensions to OpenGL which will make the system even more robust against runaway shaders and the like.

Microsoft’s concern that a technology be able to pass their security review process is reasonable, and similar matters were the subject of a large proportion of the discussions leading to WebGL’s standardization; I also suspect that whatever hardening they applied to the low-level D3D API wrapped by Silverlight 3D can be applied to a Microsoft WebGL implementation as well. That Silverlight supports Mac as well, where these capabilities must be mapped to OpenGL, makes me even more confident. The Microsoft graphics team seems to have done a great job of making the D3D shader pipeline robust against invalid input, for example. (The Windows Display Driver Model in Vista and Windows 7 is a great asset here, because it dramatically reduces the “blast radius” of a problem at the driver level. This likely explains the difference between default-enable and default-disable for WDDM/non-WDDM drivers in SL5′s 3D support. It’s not yet clear to me what the model will be for SL5 on OS X.)

It may be that we’re more comfortable living on top of a stack we don’t control all the way to the metal than are OS vendors, but our conversations with the developers of the drivers in question make us confident that they’re as committed as us and Microsoft to a robust and secure experience for our shared users. Web developers, like all developers, need good 3D support, and — as with Flash and Silverlight — browser implementers will need to be careful and thoughtful about how to expose that functionality securely on all operating systems.

12 comments to “a three-dimensional platform”

  1. Bob
    entered 17 June 2011 @ 3:43 pm

    “It may be that we’re more comfortable living on top of a stack we don’t control all the way to the metal than are OS vendors…”

    I don’t understand. This isn’t about your comfort level, its about the attacks that you expose your unwitting users to. I’m a little unnerved by your cavalier attitude here.

  2. entered 17 June 2011 @ 6:25 pm

    Thanks for restoring sanity. Hopefully the press picks this up. By the way, this other blog post from a Microsoftie is also worth reading: http://www.realityprime.com/articles/why-microsoft-and-internet-explorer-need-webgl

  3. Richard Matthias
    entered 18 June 2011 @ 1:58 am

    Many have been quick to point out Microsoft’s apparent hypocrisy with this attack on WebGL and how it surely must also apply to their own 3D support in Silverlight 5. What people should realise is that IE is a product of the Windows division and Silverlight comes from Devdiv (the developer tools division) and that the Windows team are happy to attack Silverlight at any opportunity it seems.

    [Yes, Silverlight is used in Windows Phone 7, which is a product of the Windows division, but it's a fork. And besides, just because they're happy to use it on their phone OS (not happy enough to write the built-in apps using it I should note), that doesn't mean they're happy with it on the desktop.]

  4. entered 19 June 2011 @ 4:34 am

    [...] Planet Mozilla No Comments June 19, 2011 By Giovanni Panasiti in Planet Mozilla Tags: Mike, Platform, Shaver, threedimensional « Burning Edge – Firefox: 2011-06-18 Trunk builds [...]

  5. Jack
    entered 20 June 2011 @ 5:29 am

    Who said that Microsoft’s 3D for Silverlight would work on a Mac?

  6. entered 20 June 2011 @ 9:54 am

    Thanks for the comments.

    Bob: I apologize if my phrasing was confusing. I meant, of course, “comfortable that we can deliver a secure and robust system”, not “comfortable sitting here in my chair”.

    Richard: the post in question wasn’t from WinDiv or the IE team, it was from MSRC, which I beolieve has company-wide scope for security analysis and research.

    Jack: my understanding is that they made comments to that effect at MIX11, but I’ll look for a primary source.

  7. entered 20 June 2011 @ 2:23 pm

    [...] a three-dimensional platform [Noise from Signal] [...]

  8. entered 23 June 2011 @ 11:01 am

    [...] Read more [...]

  9. entered 23 June 2011 @ 12:58 pm

    [...] Read more [...]

  10. entered 23 June 2011 @ 1:10 pm

    [...] Read more [...]

  11. entered 24 June 2011 @ 4:18 pm

    [...] = 336; googleadheight = 280; Elsewhere, Mozilla VP of Engineering Mike Shaver wrote A Three-Dimensional Platform, in which he states:Microsoft’s concern that a technology be able to pass their security [...]

  12. entered 26 June 2011 @ 10:17 pm

    [...] Read more [...]