The Disturbing Results With Automated Fuzzing Of OpenGL Shaders

  • The Disturbing Results With Automated Fuzzing Of OpenGL Shaders

    Phoronix: The Disturbing Results With Automated Fuzzing Of OpenGL Shaders

    Last winter we covered work being done out of the Imperial College in London on the wild results when fuzzing OpenGL shaders in uncovering issues in multiple OpenGL drivers, including the Mesa drivers. The scholarly results were recently published of this testing within Automated Testing of Graphics Shader Compilers...

  • #2
    Well, it seems one can buy the tool. They say that
    "The tool is closed source specifically because hackers would be able to exploit it, if made public."
    - i.e. the usual nonsense that obscurity somehow implies more security.


    • #3
      Originally posted by gerddie
      Well, it seems one can buy the tool. They say that - i.e. the usual nonsense that obscurity somehow implies more security.
      It's common practice to not publish exploits until a fix is broadly distributed.


      • #4
        Originally posted by wagaf
        It's common practice to not publish exploits until a fix is broadly distributed.
        In this case it's just a poor excuse to get someone to buy their test tool instead.


        • #5
          Well, 64 bugs over 17 vendors is not that bad, though the severity of some seems to be.

          On the other hand, I'd like to see this kind of testing becoming as ubiquitous as JUnit.


          • #6
            How many of these bugs are valid OpenGL shaders? I remember following the bug report for the Mesa driver. It turns out that the shader was invalid; it was using an inout parameter when it shouldn't, or something like that.

            So I wonder how many of them should be turned into a compilation error instead of silently failing and misrendering.


            • #7
              Originally posted by starshipeleven
              In this case it's just a poor excuse to get someone to buy their test tool instead.
              When we're talking about a tool that has been used to find several 0-days and can probably be used to find more, then this tool really does have a valid reason to stay closed until those 0-days are fixed and the 0-day finding potential of the tool has been exhausted.

              As the person you're replying to said, there's a reason why 0-days have a 60 day window from when they're disclosed to affected vendors to when they're disclosed to the public. The only difference here is that it's not just 0-days, it's also a tool that can (probably) be used to find more 0-days.

              Some people may take issue with this comparison, but the way I see it this thing should, for now at least, be kept out of public circulation for similar reasons why the instructions to produce things like nerve gas should be kept out of public circulation.
              Last edited by L_A_G; 04 October 2017, 06:45 AM.


              • #8
                Originally posted by starshipeleven
                In this case it's just a poor excuse to get someone to buy their test tool instead.
                Well, I expect that it took a lot of time to make such a tool. The tool can show problems very visibly, instead of a few broken pixels of the complete frame.

                The creators are probably programmers who would like to get paid for their work. This is the kind of work that should have been done by GPU manufacturers, who make money on this. And the creators are probably far from marketing. So we should excuse their poor excuse.

                I'm still glad that they made a tool which makes GPU manufacturers think about the quality of their products/drivers.


                • #9
                  Originally posted by L_A_G
                  When we're talking about a tool that has been used to find several 0-days and can probably be used to find more, then this tool really does have a valid reason to stay closed until those 0-days are fixed and the 0-day finding potential of the tool has been exhausted.
                  The problem here is that being closed and/or being behind a paywall are NOT really an issue for a hacker that might be interested in these kinds of vulns.

                  People still think hackers are bored broke kids, but they are not. We are talking of people that make malware SDKs that are sold for 2k dollars apiece (on the black market anyway) so they ain't broke, and people that almost always work with pre-compiled binaries so they have experience with decompiling or getting info out of binaries.


                  • #10
                    Originally posted by kravemir
                    Well, I expect that it took a lot of time to make such a tool.
                    My point is that the justification for it being closed (because they allegedly want to keep it from falling into hacker hands) is bullshit, not that they should not be paid for their work.
