New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security model, focused on shaders #39
Comments
I think you've captured some things that we haven't touched for WebAssembly, and WebAssembly captures things you haven't. It might be useful to put our efforts together and have common definitions with WebAssembly's definition of security. As an aside, @erights volunteered to update the WebAssembly side regarding capabilities. |
Proposed clarification: following the same-origin policy is a proper subset of not accessing resources that A is not authorized to access. It's not an exhaustive definition thereof. To give a few more examples: an implementation of WebGPU should not enable A to mine visited link history; to read HTTPOnly cookies; to observe the contents of trusted UI; to observe uninitialized video memory that contains traces of drawing by other apps or websites; to read information that allows bypass of mitigations such as ASLR; etc. I think the first sentence of this bullet is complete, but the second should say "For example," or "Among other things,". Also should be clear that "access" includes both read and write access. |
I agree. I've updated the strawman to include your general feedback. Whitelist vs. blacklist: It's not clear to me if we should list the things the application is permitted to access vs. forbidden to access. If we can exhaustively list the permitted resources, that would be great. For the forbidden list, I think the best we can do is to list important examples as you have. |
@jfbastien : I want to separate out requirements from the design used to satsify those requirements. The WebAssembly security.md doc is a mixture of both. The bits that look like requirements are:
The discussion on side-channel attacks did raise something I missed:
|
@dneta0 I'm convinced we'll be able to list all the resources a shader execution has access to once we have a better defined version of the API. Essentially it would be anything that is provided as part of the binding model (+ FBO and vertex / index buffers), and some builtins. Nothing else. Defining side-channel attacks will be hard because we can't prevent the application from measuring things such as GPU load, or remaining memory. How much measuring becomes a side-channel attack? We might want to rely on Web security folks for an accurate definition. |
Suggestions: Replace all phrases like "An ill-behaved application A running on X cannot..." with "Any application A running on X cannot...". The only way to prevent an ill behaved application from doing something is to prevent all applications from doing that something. "Access resources that A is not authorized to access. Follow the same-origin policy." Remove all references to the same origin policy. It is not relevant because it is too broad and coarse. Remove text of the form "not authorized" exactly because, in the absence of an agreed and clear security model, it is not clear what is authorized, and different people will interpret it differently. Instead, adapt the language at WebAssembly/design#1506 to state the restriction more explicitly: An application A running on X must not be able to cause or sense mutation of state outside of itself, or cause or sense I/O, other than by wielding explicitly granted access. As discussed at WebAssembly/design#1506 this purposely omits issues of resource use and non-determinism. As discussed at https://groups.google.com/forum/#!msg/e-lang/3A6zYWF6u5E/_41J3xYCAQAJ this is also narrower than the programming language notion of "effects" as it also omits non-termination and mutation of internal state. |
@erights : I really like these clarifications. A small thing: The phrasing of your statement seems to permit sensing static state from outside the applications. How about this instead:
(I've renamed A to App to avoid confusing app "A" with the indefinite article "A".) By my reading, this way of framing it means we don't have to explicitly say "May not cause other applications to misbehave" since other applications are "outside App". Instead the "may not cuase other applications to misbehave" statement can be noted as a consequence of the normative rule. Similarly, the second part, i.e. restatement in terms of graphics pipelines, could be demoted to the discussion section. It's an observation, rather than normative, and so it can retain the imprecise notion of an "ill-behaved application". |
My two cents, proposal regading synchronisation and relaxing for undefined behaviour. App running on X must not be able to access Host's and Device(s)'s memory ranges that have not been explicitly allocated/granted to it. TL;DR App running X should be free to make a royal mess of its own memory. P.S. This still requires you to track resource usage for the purpose of injecting synchronisation so that it is not possible to deallocate/free a resource before the end of the last use. |
That should be actually quite trivial to do:
|
@dneto0 the security model of shaders has been encoded in the WGSL spec AFAIK, ok to close this issue as fixed? |
Closing since this is in the WGSL spec now. Feel free to reopen if needed. |
Security is a key requirement for WebGPU.
However discussions so far have included assertions about the 'security' of a shading language. But we don't have a working definition of security, with respect to a shading language.
To me, it makes little sense to talk about the security of a language in isolation. Rather, I think we judge an implementation of WebGPU to be secure or not, and the implementation uses a shading language.
I believe an agreed-upon definition of security, focused on shaders, will clarify discussions on selecting a shader language. So, I'll start off with a strawman proposal:
Proposal
Definition: An "Access" of a resource is either a read or a write of that resource, in whole or in part.
Strawman definition of the security requirement:
Restatement, focusing on shaders executing in a pipeline:
Updated: Incorporated some feedback from #39 (comment)
Discussion
The text was updated successfully, but these errors were encountered: