create a sample to demonstrate a timing attack
This sample attempts to re-create an image's alpha channel by drawing it
one pixel at a time and timing how long each pixel takes to draw.
The "abc" text should appear twice normally, and the third and fourth
versions are reconstructed from timing, one by timing 1:1 pixel draws,
the other by timing 1x1:1024x1024 upscale into an offscreen. It's not
meant to be an exact reconstruction, but you can easily see the shapes,
particularly at -O0, -O1, and -Os. Auto-vectorization from -O2/-O3 do
a good amount to cover up the problem.
The legacy CPU backend is the main place to look. I haven't been able
to reconstruct any images using SkRasterPipelineBlitter or SkVMBlitter,
and while on the GPU I do see non-random patterns in the timing, it
appears to be the same single pattern across devices, OSes, GPUs, GPU
APIs and content... I assume it's something like our resource caching
policy.
This can't really be a GM, given how it draws non-deterministically.
Bug: chromium:1088224
Change-Id: I2ec79c8dd407ecb104fd9bf0c8039cb6dd1fe436
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/313466
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Mike Reed <reed@google.com>
2020-08-26 17:26:06 +00:00
|
|
|
/*
|
|
|
|
* Copyright 2020 Google Inc.
|
|
|
|
*
|
|
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
|
|
* found in the LICENSE file.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "include/core/SkCanvas.h"
|
|
|
|
#include "include/core/SkFont.h"
|
|
|
|
#include "include/core/SkSurface.h"
|
|
|
|
#include "samplecode/Sample.h"
|
|
|
|
#include <chrono>
|
|
|
|
|
|
|
|
struct TimingSample : public Sample {
|
2021-10-08 22:48:26 +00:00
|
|
|
inline static constexpr int W = 24,
|
|
|
|
H = 16;
|
create a sample to demonstrate a timing attack
This sample attempts to re-create an image's alpha channel by drawing it
one pixel at a time and timing how long each pixel takes to draw.
The "abc" text should appear twice normally, and the third and fourth
versions are reconstructed from timing, one by timing 1:1 pixel draws,
the other by timing 1x1:1024x1024 upscale into an offscreen. It's not
meant to be an exact reconstruction, but you can easily see the shapes,
particularly at -O0, -O1, and -Os. Auto-vectorization from -O2/-O3 do
a good amount to cover up the problem.
The legacy CPU backend is the main place to look. I haven't been able
to reconstruct any images using SkRasterPipelineBlitter or SkVMBlitter,
and while on the GPU I do see non-random patterns in the timing, it
appears to be the same single pattern across devices, OSes, GPUs, GPU
APIs and content... I assume it's something like our resource caching
policy.
This can't really be a GM, given how it draws non-deterministically.
Bug: chromium:1088224
Change-Id: I2ec79c8dd407ecb104fd9bf0c8039cb6dd1fe436
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/313466
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Mike Reed <reed@google.com>
2020-08-26 17:26:06 +00:00
|
|
|
sk_sp<SkImage> fImg;
|
|
|
|
|
|
|
|
SkString name() override { return SkString("Timing"); }
|
|
|
|
|
|
|
|
void onOnceBeforeDraw() override {
|
|
|
|
sk_sp<SkSurface> surf = SkSurface::MakeRasterN32Premul(W,H);
|
|
|
|
surf->getCanvas()->drawString("abc", 2,H-4, SkFont{}, SkPaint{});
|
|
|
|
fImg = surf->makeImageSnapshot();
|
|
|
|
}
|
|
|
|
|
|
|
|
void onDrawContent(SkCanvas* canvas) override {
|
|
|
|
canvas->scale(8,8);
|
|
|
|
|
|
|
|
// Draw normally.
|
|
|
|
canvas->drawImage(fImg, 0,0);
|
|
|
|
|
|
|
|
canvas->translate(0,H);
|
|
|
|
|
|
|
|
// Draw one pixel at a time with drawImageRect(),
|
|
|
|
// timing how long each drawImageRect() call takes.
|
|
|
|
double cost[H][W];
|
|
|
|
double min = +INFINITY,
|
|
|
|
max = -INFINITY;
|
|
|
|
for (int y = 0; y < H; y++)
|
|
|
|
for (int x = 0; x < W; x++) {
|
|
|
|
auto start = std::chrono::steady_clock::now();
|
2021-01-22 03:25:21 +00:00
|
|
|
canvas->drawImageRect(fImg.get(),
|
|
|
|
SkRect::MakeXYWH(x,y,1,1), SkRect::MakeXYWH(x,y,1,1),
|
|
|
|
SkSamplingOptions(), /*paint=*/nullptr,
|
|
|
|
SkCanvas::kStrict_SrcRectConstraint);
|
create a sample to demonstrate a timing attack
This sample attempts to re-create an image's alpha channel by drawing it
one pixel at a time and timing how long each pixel takes to draw.
The "abc" text should appear twice normally, and the third and fourth
versions are reconstructed from timing, one by timing 1:1 pixel draws,
the other by timing 1x1:1024x1024 upscale into an offscreen. It's not
meant to be an exact reconstruction, but you can easily see the shapes,
particularly at -O0, -O1, and -Os. Auto-vectorization from -O2/-O3 do
a good amount to cover up the problem.
The legacy CPU backend is the main place to look. I haven't been able
to reconstruct any images using SkRasterPipelineBlitter or SkVMBlitter,
and while on the GPU I do see non-random patterns in the timing, it
appears to be the same single pattern across devices, OSes, GPUs, GPU
APIs and content... I assume it's something like our resource caching
policy.
This can't really be a GM, given how it draws non-deterministically.
Bug: chromium:1088224
Change-Id: I2ec79c8dd407ecb104fd9bf0c8039cb6dd1fe436
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/313466
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Mike Reed <reed@google.com>
2020-08-26 17:26:06 +00:00
|
|
|
auto elapsed = std::chrono::steady_clock::now() - start;
|
|
|
|
|
|
|
|
cost[y][x] = elapsed.count();
|
|
|
|
min = std::min(min, cost[y][x]);
|
|
|
|
max = std::max(max, cost[y][x]);
|
|
|
|
}
|
|
|
|
|
|
|
|
canvas->translate(0,H);
|
|
|
|
|
|
|
|
// Draw using those per-pixel timings,
|
|
|
|
// with the slowest pixel scaled to alpha=1, the fastest to alpha=0.
|
|
|
|
for (int y = 0; y < H; y++)
|
|
|
|
for (int x = 0; x < W; x++) {
|
|
|
|
SkPaint p;
|
|
|
|
p.setAlphaf( (cost[y][x] - min) / (max - min) );
|
|
|
|
canvas->drawRect(SkRect::MakeXYWH(x,y,1,1), p);
|
|
|
|
}
|
|
|
|
|
|
|
|
canvas->translate(0,H);
|
|
|
|
|
|
|
|
// Draw each pixel into offscreen, timing each draw.
|
|
|
|
SkImageInfo info = canvas->imageInfo().makeWH(1024,1024);
|
|
|
|
if (sk_sp<SkSurface> offscreen = canvas->makeSurface(info)) {
|
|
|
|
min = +INFINITY;
|
|
|
|
max = -INFINITY;
|
|
|
|
for (int y = 0; y < H; y++)
|
|
|
|
for (int x = 0; x < W; x++) {
|
|
|
|
auto start = std::chrono::steady_clock::now();
|
2021-01-22 20:26:41 +00:00
|
|
|
offscreen->getCanvas()->drawImageRect(fImg,
|
|
|
|
SkRect::MakeXYWH(x,y,1,1),
|
|
|
|
SkRect::MakeXYWH(0,0,1024,1024),
|
|
|
|
SkSamplingOptions(),
|
|
|
|
/*paint=*/nullptr,
|
|
|
|
SkCanvas::kStrict_SrcRectConstraint);
|
create a sample to demonstrate a timing attack
This sample attempts to re-create an image's alpha channel by drawing it
one pixel at a time and timing how long each pixel takes to draw.
The "abc" text should appear twice normally, and the third and fourth
versions are reconstructed from timing, one by timing 1:1 pixel draws,
the other by timing 1x1:1024x1024 upscale into an offscreen. It's not
meant to be an exact reconstruction, but you can easily see the shapes,
particularly at -O0, -O1, and -Os. Auto-vectorization from -O2/-O3 do
a good amount to cover up the problem.
The legacy CPU backend is the main place to look. I haven't been able
to reconstruct any images using SkRasterPipelineBlitter or SkVMBlitter,
and while on the GPU I do see non-random patterns in the timing, it
appears to be the same single pattern across devices, OSes, GPUs, GPU
APIs and content... I assume it's something like our resource caching
policy.
This can't really be a GM, given how it draws non-deterministically.
Bug: chromium:1088224
Change-Id: I2ec79c8dd407ecb104fd9bf0c8039cb6dd1fe436
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/313466
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Mike Reed <reed@google.com>
2020-08-26 17:26:06 +00:00
|
|
|
auto elapsed = std::chrono::steady_clock::now() - start;
|
|
|
|
|
|
|
|
cost[y][x] = elapsed.count();
|
|
|
|
min = std::min(min, cost[y][x]);
|
|
|
|
max = std::max(max, cost[y][x]);
|
|
|
|
}
|
|
|
|
for (int y = 0; y < H; y++)
|
|
|
|
for (int x = 0; x < W; x++) {
|
|
|
|
SkPaint p;
|
|
|
|
p.setAlphaf( (cost[y][x] - min) / (max - min) );
|
|
|
|
canvas->drawRect(SkRect::MakeXYWH(x,y,1,1), p);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
};
|
|
|
|
DEF_SAMPLE( return new TimingSample; )
|