table.pack and LOVE

[ArchAngel075]

I actually tried sendign a function using Tserial and it seems to error when it tries to serialize a function. Also i can still prevent any malicious code by seraching the string for "function" before doing anything further with it as my code doesnt unpack every message, the only way to push malicious code through is if the server sent a message with a append that the client will recognise, and the nthe client will execute certain functions based on the message.

I simply make sure to allways use appends, so "&updatePing&" will allert the receiver to update, so a malicious client(modified client) will be useless unless the server is setup to recieve that append, and then again trying to unpack a function causes a crash if it passes the string search...)

Anyhow, its working as intended and i dont see any methods for malicious injection of code atm, but we will see in future.

[Ensayia]

There's no reason a potential hacker couldn't look at your source, and duplicate the 'verification' methods that you are using.

There is no safe way to use loadstring() with network code. What you need is a custom serializer that does not unserialize in a way that executes code. It's probably more trouble than it's worth, and the JSON way of sending data seems extremely popular.

P.S. There is no good way to have a closed source LOVE program, so keeping you code from prying eyes isn't really an option.

[slime]

P.S. There is no good way to have a closed source LOVE program, so keeping you code from prying eyes isn't really an option.

You probably mean 'readable source' or something similar - LÖVE's license absolutely allows for games which have a closed source license.

http://en.wikipedia.org/wiki/Proprietar ... ource_code

It's also possible to use tools to obfuscate your game's source code enough that it'll be practically unreadable to anyone else, although I really don't recommend doing that because you will have a much more difficult time fixing bugs in your game that your users report, since Lua's error messages and tracebacks will probably be nearly incomprehensible.

[kikito]

There is no safe way to use loadstring() with network code.

Except sandboxing.

[slime]

There is no safe way to use loadstring() with network code.

Except sandboxing.

Sandboxing doesn't prevent things like this though, as long as it's executing code:

Code: Select all

while true do end

You only really need to worry about preventing that sort of thing in specific circumstances though.

[ArchAngel075]

Im unsure how sanboxing works or what it is even.

Also if someone modifies my code and tries to damage other players then it is 50% up to the players to make sure they trust the server/client and 50% me and my attempts at preventing malicious code.

If someone does make a function that passes through my protection methods then it is breaking any licensing that states that my code may not be altered in any way possible. (but i will be using a liscence that allows access but not modifying and redistribution of source or modified code)
If you join a server it is up to you to ensure that the server is safe.

My next importance is that the server itself checks for malicious keywords, it will automatically discard any msgs sent from the client should the msg contain malicious keywords. The reason for this is clients can still send msgs using a known append that makes use of unpack. Because this is done server side the other clients are all protected.

BUT should the server itself be the malicious sender the clients themselves also use the check, this means that only when a malicious client and server are used will the malicious attempt actually succeed.

With malicious keywords implemented I prevent the msg from going anywhere close to the unpack function.

Im sure that this is the most effective method beside sanboxing and JSON (both of which im new to)

[kikito]

Code: Select all

while true do end

You only really need to worry about preventing that sort of thing in specific circumstances though.

These tests pass just fine: https://github.com/kikito/sandbox.lua/b ... ec.lua#L72 .

It's possible to detect infinite loops in Lua if the debug lib is available.

[Robin]

Also if someone modifies my code and tries to damage other players then it is 50% up to the players to make sure they trust the server/client and 50% me and my attempts at preventing malicious code.

If only works that way if you advertise your game has no security whatsoever. When people run your game, they assume you know your shit, and it's clear you don't.

If someone does make a function that passes through my protection methods then it is breaking any licensing that states that my code may not be altered in any way possible. (but i will be using a liscence that allows access but not modifying and redistribution of source or modified code)

That's like saying "I leave my door unlocked, but burglaries are not a problem, because I have a note on the door saying it is illegal to enter my house and steal my stuff".

If you join a server it is up to you to ensure that the server is safe.

And how is a player supposed to do that? The only safe thing to do for a player is to never run your game.

My next importance is that the server itself checks for malicious keywords,

THIS NEVER WORKS. People will find ways around that in no time. Don't ever assume you are smarter than your attackers, because that never ends well for you.

Im sure that this is the most effective method beside sanboxing and JSON (both of which im new to)

If by "most effective" you mean "not effective at all" then yes.

If you use this method you're currently going for, the attacker OWNS your computer. If you use sandboxing, they can make the game crash but not much else. If you use JSON or something like it, they can't do anything but cheat a little.

[ArchAngel075]

Hmm, ill look into JSON, as preventing hacking is important yes, and i 90% dont know much about security in network based games so i apologize for being noobish and not researching properly

[Xgoff]

It's possible to detect infinite loops in Lua if the debug lib is available.

of course, that depends on what you mean by "in Lua". C functions called through lua can't be monitored by the debug hook. notably, this makes the pattern matcher a potential DoS target