Create a place for security research notes, starting with the GPU
command buffer.

Change-Id: Ia4b3147a1d9d9b89c6848edcb27c964310f0f914
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4401192
Commit-Queue: Chris Bookholt <[email protected]>
Reviewed-by: Brendon Tiszka <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1134857}
Showing 7 changed files with 343 additions and 0 deletions.
@@ -0,0 +1,10 @@ | ||
# Security Research Notes | ||
|
||
This directory contains security research notes about parts of Chromium of particular interest to attackers. | ||
|
||
The notes represent our understanding of a particular area of functionality at time of publishing, which we know is often incomplete, can become stale as code evolves, and may accidentally contain inaccuracies. | ||
|
||
We publish these notes to | ||
1. Preserve our understanding of areas of interest to security so we can refresh our memory of complex features after visiting other topics. | ||
2. Give new team members a learning resource. | ||
3. Boost productivity for external researchers making contributions to the [Chrome Vulnerability Rewards Program](https://www.chromium.org/Home/chromium-security/vulnerability-rewards-program/). |
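Review bot: the lead-in "We publish these notes to" runs straight into the numbered list without a colon, and the README gives readers no index of what the directory holds; add the colon and a short list of the subdirectories this change creates (graphics/, judging from the paths of the SVG files added in the same commit) so the top-level page is navigable. Since the third paragraph warns that notes go stale, consider requiring a "Last updated" line in each note, as the Chromium Graphics doc in this change already does, so the caveat is checkable per document.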
@@ -0,0 +1,15 @@ | ||
## Why Graphics? | ||
|
||
The GPU process is interesting from an attacker perspective for several reasons. | ||
|
||
1. Many of its features are reachable directly from web content by default, | ||
which creates an opportunity for malicious websites to attack Chromium users. | ||
2. It processes complex data in (mostly) C++ native code, which is difficult to | ||
do safely. | ||
3. It needs the privilege to interact with GPU drivers in the kernel, so our | ||
ability to sandbox the process is limited. | ||
4. It loads third party native code into its address space to interact with | ||
platform specific graphics features. | ||
|
||
Collectively these properties make the GPU process particularly attractive for | ||
both remote code execution and privilege escalation. |
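Review bot: this file opens at a level-2 heading ("## Why Graphics?") with no title, so it is unclear whether it is meant to stand alone or to be included from the main graphics document; either give it an H1 or state at the top which document it belongs to. Style: "third party native code" and "platform specific graphics features" in item 4 read better hyphenated as "third-party" and "platform-specific". Item 3 is the key risk statement of the list, so "our ability to sandbox the process is limited" would carry more weight with one clause on what the driver access prevents the sandbox from restricting.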
Large diffs are not rendered by default.
@@ -0,0 +1,22 @@ | ||
# Chromium Graphics | ||
|
||
Authors: [email protected]<br/> | ||
Last updated: April 7, 2023<br/> | ||
|
||
## Overview | ||
|
||
Chromium graphics features are among the most complex parts of the browser. This | ||
document is a snapshot of our evolving understanding of graphics features from | ||
an attacker perspective. Relevant and important pieces of the graphics stack are | ||
omitted, but the intent is to give VRP contributors a boost when getting started | ||
with unfamiliar graphics features. | ||
|
||
## In Pictures: WebGL and WebGPU | ||
|
||
The diagram below is a simplified view of WebGL and WebGPU with a focus on | ||
components of particular interest to attackers. | ||
|
||
![](resources/chrome_gfx_overview.svg) | ||
|
||
Note: Skia and Canvas APIs are omitted and may be incorporated in a future | ||
iteration. |
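Review bot: the image line `![](resources/chrome_gfx_overview.svg)` has empty alt text; give the diagram a description (for example "Simplified view of the WebGL and WebGPU stack") so the document remains useful when the SVG cannot be rendered, as happens on this page. The overview's "Relevant and important pieces of the graphics stack are omitted" is vague next to the closing note that names Skia and Canvas specifically; consider folding the two into a single sentence that lists what is out of scope.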
docs/security/research/graphics/resources/chrome_gfx_overview.svg: 1 addition & 0 deletions (SVG not displayed on this page)
docs/security/research/graphics/resources/cmdbuf_command_structure.svg: 1 addition & 0 deletions (SVG not displayed on this page)
@@ -0,0 +1,12 @@ | ||
# Vulnerability Discovery: Chromium Graphics | ||
|
||
This directory contains notes on vulnerabilities found during the study of | ||
Chromium graphics subsystems. | ||
|
||
Notes about vulnerabilities are kept separate from general descriptions of | ||
features so we can publish general information without exposing sensitive | ||
details about vulnerabilities that may not yet be fixed. | ||
|
||
Aside from the issue of sensitivity, it's useful to talk about vulnerabilities | ||
separately so we can go into detail about the *process* of vulnerability | ||
discovery, including what worked and what didn't. |
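Review bot: the second paragraph argues that keeping vulnerability notes in a separate directory lets general information be published without exposing unfixed bugs, but both directories land in the same public tree, so the separation by itself does not provide that protection; state the actual rule that governs what may be committed here, for example that a vulnerability write-up is only added after the fix has shipped or the bug is public, and where a draft lives until then. That makes the "sensitivity" rationale in the third paragraph concrete for contributors.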