0

I have been implementing server-sent shaders using OpenGL for a game (GLSL version 1.20.8).

Executing server-sent shaders on the client obviously is remote code execution, which tends to be a bad thing. But shaders are fairly constrained - they have well-defined outputs and inputs, which are both controlled by the client over which the server has limited control. The server should also not get any of the output, as that goes to the screen in the end and should not be read by the application or sent back to the server.

What is the range of known shader exploits (due to e.g. graphics card bugs), what would be the worst case? And how can I secure the application?

LMD
  • 101
  • 1
  • Could you elaborate more on where the shaders originate from and how the shaders are sent to the client? For example: Do users get to define shaders (i.e. "mods") and share them with other users? Does the client code just execute any shader it is sent, or is the integrity of the code proven before execution? – iraleigh May 24 '20 at 06:13
  • @iraleigh shaders are sent to the client using a custom media protocol, which uses SHA-1 hashes. AFAIK it is unencrypted. The client code compiles & executes any shader it is sent during rendering. You may assume that arbitrary shaders can be sent to & will be compiled and executed by the client. – LMD May 24 '20 at 13:37

0 Answers0