art with code

2009-03-17

GLSL parsing

Yesterday's GLSL hole, I think I have a potential fix for it. Wrote a small parser that greps the shader source for problematic GLSL keywords and marks the shader as secure/insecure based on that. And implemented a prototype of the security model, so that a write-only canvas only allows secure shaders to run on it.

The basic axiom of the security model is "If the canvas is write-only, the bound program is secure."

And the rest of the axioms are:
  • A new shader is secure
  • A new program is secure
  • A shader is insecure iff its source has problematic keywords
  • A program is insecure iff an insecure shader is attached to it

So the statements we need to hook into are: "the canvas is write-only", "the bound program is secure", "an insecure shader is attached", "source has problematic keywords", "new shader" and "new program".

"New shader" and "new program" are handled by making CreateShader and CreateProgram set the created object as secure.

"Source has problematic keywords" is handled by ShaderSource setting the secure status of the given shader.

"An insecure shader is attached" is handled by LinkProgram, which sets the program insecure if any of the attached shaders is insecure (programSec &= shaderSec). If the program is the bound program and it becomes insecure, bind the null program.

"The canvas is write-only" is handled by TexImage2DHTML and TexSubImage2DHTML. After the call, if the canvas is write-only and the bound program is insecure, bind the null program.

"The bound program is secure" needs to be asserted in the above functions (sans CreateProgram/Shader), and in UseProgram. If the program that we're trying to bind is insecure, throw a security error.

Update: AttachShader -> LinkProgram. Attach just adds the shader object to the linked objects, so you can edit it after attaching and before linking. Edits after linking don't affect the program, however.
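
The hooks above as a small state model, added here as an illustration and not taken from the actual implementation. It assumes the invariant is only enforced while the canvas is write-only (per the basic axiom); the keyword list is supplied by the caller because the post does not enumerate it, and the `taintsCanvas` flag is a hypothetical stand-in for whatever makes the canvas write-only.

```javascript
// Added model of the post's axioms; not the Canvas 3D implementation itself.
class SecurityError extends Error {}

class GLModel {
  // problematicKeywords: caller-supplied list (the post does not enumerate them).
  constructor(problematicKeywords) {
    this.keywords = new Set(problematicKeywords);
    this.canvasWriteOnly = false;
    this.bound = null; // null stands for the null program
  }
  createShader() { return { secure: true, source: "" }; }    // a new shader is secure
  createProgram() { return { secure: true, attached: [] }; } // a new program is secure
  shaderSource(shader, src) {
    shader.source = src;
    // Split into identifier-like tokens and look for any flagged keyword.
    const tokens = src.split(/[^A-Za-z0-9_]+/);
    shader.secure = !tokens.some((t) => this.keywords.has(t));
  }
  // Attaching only records the shader; security is evaluated at link time.
  attachShader(program, shader) { program.attached.push(shader); }
  linkProgram(program) {
    for (const s of program.attached) {
      program.secure = program.secure && s.secure; // programSec &= shaderSec
    }
    this.enforce();
  }
  useProgram(program) {
    if (program && this.canvasWriteOnly && !program.secure) {
      throw new SecurityError("insecure program on write-only canvas");
    }
    this.bound = program;
  }
  // taintsCanvas is a hypothetical flag: true when the upload makes the canvas write-only.
  texImage2DHTML(taintsCanvas) {
    if (taintsCanvas) this.canvasWriteOnly = true;
    this.enforce();
  }
  // Basic axiom: if the canvas is write-only, the bound program is secure.
  enforce() {
    if (this.canvasWriteOnly && this.bound && !this.bound.secure) this.bound = null;
  }
}
```

Because the status is only recomputed in `linkProgram`, editing a shader after linking leaves the program's status unchanged until the next link, matching the update note.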
