table.pack and LOVE

Questions about the LÖVE API, installing LÖVE and other support related questions go here.
Forum rules
Before you make a thread asking for help, read this.
User avatar
ArchAngel075
Party member
Posts: 319
Joined: Mon Jun 24, 2013 5:16 am

Re: table.pack and LOVE

Post by ArchAngel075 »

I actually tried sendign a function using Tserial and it seems to error when it tries to serialize a function. Also i can still prevent any malicious code by seraching the string for "function" before doing anything further with it as my code doesnt unpack every message, the only way to push malicious code through is if the server sent a message with a append that the client will recognise, and the nthe client will execute certain functions based on the message.

I simply make sure to allways use appends, so "&updatePing&" will allert the receiver to update, so a malicious client(modified client) will be useless unless the server is setup to recieve that append, and then again trying to unpack a function causes a crash if it passes the string search...)

Anyhow, its working as intended and i dont see any methods for malicious injection of code atm, but we will see in future.
User avatar
Ensayia
Party member
Posts: 399
Joined: Sat Jun 12, 2010 7:57 pm

Re: table.pack and LOVE

Post by Ensayia »

There's no reason a potential hacker couldn't look at your source, and duplicate the 'verification' methods that you are using.

There is no safe way to use loadstring() with network code. What you need is a custom serializer that does not unserialize in a way that executes code. It's probably more trouble than it's worth, and the JSON way of sending data seems extremely popular.

P.S. There is no good way to have a closed source LOVE program, so keeping you code from prying eyes isn't really an option.
User avatar
slime
Solid Snayke
Posts: 3172
Joined: Mon Aug 23, 2010 6:45 am
Location: Nova Scotia, Canada
Contact:

Re: table.pack and LOVE

Post by slime »

Ensayia wrote:P.S. There is no good way to have a closed source LOVE program, so keeping you code from prying eyes isn't really an option.
You probably mean 'readable source' or something similar - LÖVE's license absolutely allows for games which have a closed source license.

http://en.wikipedia.org/wiki/Proprietar ... ource_code

It's also possible to use tools to obfuscate your game's source code enough that it'll be practically unreadable to anyone else, although I really don't recommend doing that because you will have a much more difficult time fixing bugs in your game that your users report, since Lua's error messages and tracebacks will probably be nearly incomprehensible.
User avatar
kikito
Inner party member
Posts: 3153
Joined: Sat Oct 03, 2009 5:22 pm
Location: Madrid, Spain
Contact:

Re: table.pack and LOVE

Post by kikito »

Ensayia wrote:There is no safe way to use loadstring() with network code.
Except sandboxing. :neko:
When I write def I mean function.
User avatar
slime
Solid Snayke
Posts: 3172
Joined: Mon Aug 23, 2010 6:45 am
Location: Nova Scotia, Canada
Contact:

Re: table.pack and LOVE

Post by slime »

kikito wrote:
Ensayia wrote:There is no safe way to use loadstring() with network code.
Except sandboxing. :neko:
Sandboxing doesn't prevent things like this though, as long as it's executing code:

Code: Select all

while true do end
You only really need to worry about preventing that sort of thing in specific circumstances though.
User avatar
ArchAngel075
Party member
Posts: 319
Joined: Mon Jun 24, 2013 5:16 am

Re: table.pack and LOVE

Post by ArchAngel075 »

Im unsure how sanboxing works or what it is even.

Also if someone modifies my code and tries to damage other players then it is 50% up to the players to make sure they trust the server/client and 50% me and my attempts at preventing malicious code.

If someone does make a function that passes through my protection methods then it is breaking any licensing that states that my code may not be altered in any way possible. (but i will be using a liscence that allows access but not modifying and redistribution of source or modified code)
If you join a server it is up to you to ensure that the server is safe.

My next importance is that the server itself checks for malicious keywords, it will automatically discard any msgs sent from the client should the msg contain malicious keywords. The reason for this is clients can still send msgs using a known append that makes use of unpack. Because this is done server side the other clients are all protected.

BUT should the server itself be the malicious sender the clients themselves also use the check, this means that only when a malicious client and server are used will the malicious attempt actually succeed.

With malicious keywords implemented I prevent the msg from going anywhere close to the unpack function.

Im sure that this is the most effective method beside sanboxing and JSON (both of which im new to)
User avatar
kikito
Inner party member
Posts: 3153
Joined: Sat Oct 03, 2009 5:22 pm
Location: Madrid, Spain
Contact:

Re: table.pack and LOVE

Post by kikito »

slime wrote:

Code: Select all

while true do end
You only really need to worry about preventing that sort of thing in specific circumstances though.
These tests pass just fine: https://github.com/kikito/sandbox.lua/b ... ec.lua#L72 .

It's possible to detect infinite loops in Lua if the debug lib is available.
When I write def I mean function.
User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

Re: table.pack and LOVE

Post by Robin »

ArchAngel075 wrote:Also if someone modifies my code and tries to damage other players then it is 50% up to the players to make sure they trust the server/client and 50% me and my attempts at preventing malicious code.
If only works that way if you advertise your game has no security whatsoever. When people run your game, they assume you know your shit, and it's clear you don't.
ArchAngel075 wrote:If someone does make a function that passes through my protection methods then it is breaking any licensing that states that my code may not be altered in any way possible. (but i will be using a liscence that allows access but not modifying and redistribution of source or modified code)
That's like saying "I leave my door unlocked, but burglaries are not a problem, because I have a note on the door saying it is illegal to enter my house and steal my stuff".
ArchAngel075 wrote:If you join a server it is up to you to ensure that the server is safe.
And how is a player supposed to do that? The only safe thing to do for a player is to never run your game.
ArchAngel075 wrote:My next importance is that the server itself checks for malicious keywords,
THIS NEVER WORKS. People will find ways around that in no time. Don't ever assume you are smarter than your attackers, because that never ends well for you.
ArchAngel075 wrote:Im sure that this is the most effective method beside sanboxing and JSON (both of which im new to)
If by "most effective" you mean "not effective at all" then yes.

If you use this method you're currently going for, the attacker OWNS your computer. If you use sandboxing, they can make the game crash but not much else. If you use JSON or something like it, they can't do anything but cheat a little.
Help us help you: attach a .love.
User avatar
ArchAngel075
Party member
Posts: 319
Joined: Mon Jun 24, 2013 5:16 am

Re: table.pack and LOVE

Post by ArchAngel075 »

Hmm, ill look into JSON, as preventing hacking is important yes, and i 90% dont know much about security in network based games so i apologize for being noobish and not researching properly :)
User avatar
Xgoff
Party member
Posts: 211
Joined: Fri Nov 19, 2010 4:20 am

Re: table.pack and LOVE

Post by Xgoff »

kikito wrote:It's possible to detect infinite loops in Lua if the debug lib is available.
of course, that depends on what you mean by "in Lua". C functions called through lua can't be monitored by the debug hook. notably, this makes the pattern matcher a potential DoS target
Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot], Bing [Bot] and 7 guests