WebGL stands for Web-based Graphics Library. It provides an (OpenGL-based) API for 3D graphics within web browsers, filling part of an increasing demand for a much richer web experience for end users. Mozilla, Google and Apple have backed the technology with their browser packages, but Microsoft is not yet ready to endorse it.
Microsoft engineers analyzed WebGL and concluded that they cannot endorse the technology from a security perspective, finding that Microsoft products supporting WebGL would have a difficult time passing Microsoft's Security Development Lifecycle requirements.
The engineers split the problem into three main concerns with widespread use of WebGL.
- #1 - Microsoft: "Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive"
The engineers find that WebGL security relies heavily on low-level components of the system, such as manufacturer drivers provided for video hardware. The problem is that manufacturers wrote these drivers on the assumption that they would only be used by trusted/safe local code, that is, applications installed on a system locally by the user. As it is, developers who code for graphics hardware have to go to lengths just to ensure that their code won't cause any major problems. We have all, at least once, experienced a system that required a display driver update to solve a problem with a game or other software.
The engineers' concern is that WebGL will expose video drivers to exploitation attempts by malicious websites in much the same way as browser vulnerabilities are targeted now. The display drivers and software distributed by manufacturers have never had to deal with this kind of threat before. The engineers do suggest that there might be ways to protect against such attacks (like how a web browser is hardened by sandboxing and DEP systems), but still, "the large attack surface exposed by WebGL remains a concern."
- #2 - Microsoft: "Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience"
This point builds on the first, highlighting that the ongoing security of WebGL would depend on third parties, as opposed to depending on updates to WebGL technology or updates from browser manufacturers. If a bug is found in Google Chrome, then Google will push out an updated build with the bug fixed and can close that attack target completely. However, an attack that targets a vulnerability in a certain display driver might not be possible for Google to prevent, and the browser may still be used as a delivery means.
Some suggestions have included identifying and blacklisting certain drivers or hardware configurations, but this brings up questions of disruption of consumer experience. The Microsoft engineers point out that most PC users are not accustomed to updating their system drivers regularly, and even if they are, there are other factors to take into account such as whether a vendor is even providing updates for certain hardware anymore. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often also only update display drivers about once per year.
The Microsoft engineers find that this inconsistency makes an efficient security servicing model (like Windows Update) targeting WebGL security impossible.
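The blocklisting suggestion above, sketched as an added example (not taken from Microsoft's analysis or from any browser's code): the rule format, vendor names, version numbers and the `canUpdate` flag are all constructed assumptions. It evaluates a minimum-driver-version blocklist over a small fleet and counts how many blocked machines cannot fix themselves by updating.

```javascript
// Hypothetical blocklist: WebGL is blocked when the installed driver for a
// vendor is older than minVersion. All rules are constructed sample data.
const BLOCKLIST = [
  { vendor: "VendorA", minVersion: "8.15.10" },
  { vendor: "VendorB", minVersion: "270.61" },
];

// Compare dotted numeric versions field by field (so "270.9" < "270.61").
// Returns negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Decide whether WebGL is enabled for one machine.
function webglDecision(gpu, rules = BLOCKLIST) {
  // A version we cannot parse cannot be compared, so treat it as blocked.
  if (!/^\d+(\.\d+)*$/.test(gpu.driverVersion)) {
    return { allow: false, reason: "unparsable driver version" };
  }
  const rule = rules.find((r) => r.vendor === gpu.vendor);
  // A blocklist only covers drivers someone has listed; anything else passes.
  if (!rule) return { allow: true, reason: "no rule for vendor" };
  if (compareVersions(gpu.driverVersion, rule.minVersion) < 0) {
    return { allow: false, reason: "driver older than " + rule.minVersion };
  }
  return { allow: true, reason: "driver meets minimum" };
}

// Constructed fleet. canUpdate=false models OEM machines where retail drivers
// are blocked, or hardware the vendor no longer provides updates for.
const FLEET = [
  { host: "retail-desktop", vendor: "VendorA", driverVersion: "8.15.11", canUpdate: true },
  { host: "oem-laptop", vendor: "VendorA", driverVersion: "8.14.2", canUpdate: false },
  { host: "aging-card", vendor: "VendorB", driverVersion: "270.9", canUpdate: true },
  { host: "unlisted-gpu", vendor: "VendorC", driverVersion: "6.0.1", canUpdate: false },
];

// Count machines that lose WebGL, and those that lose it with no update path.
function summarize(fleet) {
  const blocked = fleet.filter((g) => !webglDecision(g).allow);
  const stranded = blocked.filter((g) => !g.canUpdate);
  return { total: fleet.length, blocked: blocked.length, stranded: stranded.length };
}

console.log(summarize(FLEET));
```

The `unlisted-gpu` entry passes because no rule names its vendor, which is the coverage gap of a blocklist; the `stranded` count is the consumer-experience disruption the engineers raise.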
- #3 - Microsoft: "Problematic system DoS scenarios"
The engineering team concludes that modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Client-side DoS is not considered a high severity threat, but the engineering team says the problem needs to be addressed holistically to prevent possible scenarios such as malicious web sites freezing a system or causing it to crash and reboot.
Microsoft's engineers predicted that WebGL will turn out to be an ongoing source of hard-to-fix vulnerabilities, and said it is not a technology that the company can endorse now from a security perspective.
"We recognize the need to provide solutions in this space however it is our goal that all such solutions are secure by design, secure by default, and secure in deployment."