Did Microsoft Make WebGL Secure? How?

(Originally posted Friday, June 07, 2013)

Microsoft has dropped strong clues, without saying it explicitly, that Internet Explorer 11 in Windows 8.1 (Blue) will support WebGL, a DirectX-like standard for fast gaming on the web. The biggest clue was this video they posted on Vine.

Others have found direct evidence in leaked builds.

It’s not hard to see why they would want to support WebGL. Everyone else does. They spelled out the reasons they haven’t so far in a Security, Research and Defense blog post 2 years ago.

The blog post essentially calls WebGL unsecurable by design: “Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements.”

It goes on to list many problems with the design, but you really don’t have to go past the first one, which is that it puts a heavy security burden on the authors of graphics drivers, a group with a long, historical reputation for quick-and-dirty programming.

I formally asked Microsoft about this. They a) wouldn’t formally acknowledge that they were supporting WebGL in IE11 (although obviously they are doing so). This pre-empts the need for them to go on to b), explaining how they get around the significant security problems they previously identified.

I can’t believe the Microsoft of today would simply brush them aside. Therefore I will posit a theory: At the cost of some performance, they will create a virtual driver layer with sufficient verification checks to satisfy the SDL, at least as an option and set as the default. This may make no sense to someone with closer knowledge of WebGL, but clearly something here makes no sense.
