Skip to content

Latest commit

 

History

History
148 lines (115 loc) · 10.3 KB

mitigations.md

File metadata and controls

148 lines (115 loc) · 10.3 KB

Mitigation Strategies Analysis for google/filament

Mitigation Strategy: Resource Limits and Quotas

1. Resource Limits and Quotas

  • Mitigation Strategy: Implement strict limits on the complexity of loaded assets and rendering operations within Filament.

  • Description:

    1. Define Limits: Establish concrete, numerical limits for Filament-specific resources:
      • Maximum vertex count per mesh (using Filament's mesh representation).
      • Maximum texture dimensions (width, height) and file size (using Filament's texture loading).
      • Maximum number of materials (Filament Material instances).
      • Maximum number of lights (Filament Light instances).
      • Maximum number of draw calls per frame (within Filament's rendering loop).
      • Maximum number of instances of a single mesh (within Filament's scene management).
      • Maximum shader complexity (if using custom materials, limit instruction count, texture samples within the Filament material system).
    2. Pre-Loading Validation: Before passing asset data to Filament API calls (e.g., createVertexBuffer, createTexture, createMaterialInstance), perform validation checks against these limits.
    3. Rejection Mechanism: If an asset exceeds any limit, reject it before calling Filament's creation functions. Provide a clear error.
    4. Configuration: Make these limits configurable, potentially through a Filament Engine configuration or a separate configuration file read during Filament initialization.
    5. Progressive Loading (Filament's LOD): Utilize Filament's built-in Level of Detail (LOD) features. Load lower-resolution versions of assets first, then progressively load higher-resolution versions if resources permit, using Filament's API for LOD management.

  • Threats Mitigated:

    • Resource Exhaustion DoS (High Severity): Prevents attackers from crashing the application or making it unresponsive by providing overly complex assets that Filament attempts to process.
    • Performance Degradation (Medium Severity): Ensures consistent performance by preventing Filament from rendering excessively complex scenes.

  • Impact:

    • Resource Exhaustion DoS: Significantly reduces the risk. The application will reject malicious assets before Filament can be affected.
    • Performance Degradation: Reduces the risk of unexpected performance drops.

  • Currently Implemented:

    • Example: Vertex count limits are enforced before calling Engine::createVertexBuffer in AssetLoader::validateMesh().
    • Example: Texture size limits are checked before calling Texture::Builder::build() in TextureManager::validateTexture().

  • Missing Implementation:

    • Example: Limits on the number of draw calls per frame are not currently enforced within Filament's rendering loop.
    • Example: Shader complexity limits are not enforced within the Filament material system.
    • Example: Limits on the number of Filament Light instances are not enforced.

Mitigation Strategy: Timeout Mechanisms (Filament API Calls)

2. Timeout Mechanisms (Filament API Calls)

  • Mitigation Strategy: Implement timeouts for Filament API calls.

  • Description:

    1. Identify Long-Running Filament Calls: Identify Filament API calls that could potentially take a long time:
      • Engine::create()
      • AssetLoader::createAsset() (and related functions)
      • Texture::Builder::build()
      • Material::Builder::build()
      • Shader compilation (often implicit in Material creation)
      • Renderer::render() (for very complex scenes, interacting directly with the Filament Renderer).
    2. Set Timeouts: For each identified Filament API call, set a reasonable timeout.
    3. Implement Timeout Logic: Wrap the Filament API calls in code that enforces the timeout. This might involve asynchronous operations or threading, but the key is to monitor and potentially interrupt the Filament function call itself.
    4. Handle Timeout Events: If a timeout occurs while waiting for a Filament API call to complete, gracefully handle the situation (terminate, fallback, error message, log).

  • Threats Mitigated:

    • Resource Exhaustion DoS (High Severity): Prevents attackers from hanging the application indefinitely by causing Filament operations to take an extremely long time.
    • Application Unresponsiveness (Medium Severity): Ensures that the application remains responsive even if some Filament operations are slow.

  • Impact:

    • Resource Exhaustion DoS: Significantly reduces the risk of indefinite hangs caused by Filament.
    • Application Unresponsiveness: Improves responsiveness by preventing long waits on Filament calls.

  • Currently Implemented:

    • Example: Timeouts are implemented for asset loading around calls to AssetLoader::createAsset().

  • Missing Implementation:

    • Example: Timeouts are not implemented for shader compilation within Filament's material system.
    • Example: Timeouts are not implemented for the Renderer::render() call itself.

Mitigation Strategy: Shader Validation and Sanitization (Filament Materials)

3. Shader Validation and Sanitization (Filament Materials)

  • Mitigation Strategy: Validate and sanitize any custom shader code used within Filament materials.

  • Description:

    1. Avoid Custom Shaders (Ideal): If possible, use only Filament's pre-built materials and shaders.
    2. Whitelist (Filament Material System): If custom materials are necessary, use a whitelist approach within the Filament material definition. Restrict:
      • Allowed shader functions.
      • Allowed inputs and outputs.
      • Allowed control flow (no unbounded loops).
      • Specifically limit features exposed by the Filament material system.
    3. Shader Parser/Validator (Pre-Filament): Implement a parser and validator that analyzes the shader code before it is used to create a Filament Material. This validator should:
      • Enforce the whitelist.
      • Check for syntax errors.
      • Check for dangerous constructs.
      • Reject any shader code that does not conform.
    4. Static Analysis: Consider static analysis tools, but focus on the interaction with Filament's material system.
    5. Runtime Checks (Filament Material Parameters): While most validation is static, some runtime checks on material parameters passed to Filament might be needed (e.g., checking for division by zero in parameter values).

  • Threats Mitigated:

    • Resource Exhaustion DoS (High Severity): Prevents malicious shaders from consuming excessive GPU resources through Filament.
    • Arbitrary Code Execution (Critical Severity): (If custom shaders are allowed) Prevents code injection into the Filament rendering pipeline.
    • Information Disclosure (Medium Severity): Reduces the risk of shaders leaking information via Filament.

  • Impact:

    • Resource Exhaustion DoS: Significantly reduces the risk.
    • Arbitrary Code Execution: Essential for prevention.
    • Information Disclosure: Reduces the risk.

  • Currently Implemented:

    • Example: The application only uses Filament's pre-built materials. No custom shader support is provided.

  • Missing Implementation:

    • Example: If custom material support were added, a full shader validator and sanitizer, specifically targeting the Filament material system, would be required.

Mitigation Strategy: Input Validation (Direct Filament API Parameters)

4. Input Validation (Direct Filament API Parameters)

  • Mitigation Strategy: Validate all data passed directly to Filament API functions.

  • Description:

    1. Identify Input Points: Identify all points where data is passed to Filament API calls, including:
      • Engine::createVertexBuffer (vertex data).
      • Engine::createIndexBuffer (index data).
      • Texture::Builder::build() (pixel data, dimensions, format).
      • MaterialInstance::setParameter (material parameters).
      • Camera::setProjection, Camera::lookAt (camera parameters).
      • LightManager::Builder::build() (light parameters).
      • Functions that modify the Filament scene graph (adding/removing entities, components).
    2. Data Type Validation: Ensure data types match Filament's expected types.
    3. Range Validation: Check numerical values are within reasonable ranges expected by Filament.
    4. Sanity Checks: Perform checks specific to Filament's requirements (e.g., index bounds, texture dimensions, valid enum values for Filament enums).
    5. Reject Invalid Data: If validation fails, reject the data before calling the Filament API.

  • Threats Mitigated:

    • Buffer Overflows (High Severity): Prevents exploitation of buffer overflows within Filament due to bad input.
    • Integer Overflows (High Severity): Prevents integer overflows within Filament.
    • Logic Errors (Medium Severity): Prevents unexpected Filament behavior.
    • Resource Exhaustion (Medium Severity): Helps prevent some resource exhaustion by rejecting invalid data early.

  • Impact:

    • Buffer/Integer Overflows: Essential for preventing these vulnerabilities within Filament.
    • Logic Errors: Reduces unexpected Filament behavior.
    • Resource Exhaustion: Provides some protection.

  • Currently Implemented:

    • Example: Vertex data is validated before calling Engine::createVertexBuffer.
    • Example: Texture data is validated before calling Texture::Builder::build().

  • Missing Implementation:

    • Example: More comprehensive range validation for camera parameters passed to Filament's Camera component.
    • Example: Validation of scene graph modifications made through Filament's API.