I actually tried sending a function using Tserial and it seems to error when it tries to serialize a function. Also I can still prevent any malicious code by searching the string for "function" before doing anything further with it, as my code doesn't unpack every message; the only way to push malicious code through is if the server sent a message with an append that the client will recognise, and then the client will execute certain functions based on the message.
I simply make sure to always use appends, so "&updatePing&" will alert the receiver to update, so a malicious (modified) client will be useless unless the server is set up to receive that append, and then again trying to unpack a function causes a crash if it passes the string search...
Anyhow, it's working as intended and I don't see any methods for malicious injection of code atm, but we will see in future.
table.pack and LOVE
Re: table.pack and LOVE
There's no reason a potential hacker couldn't look at your source, and duplicate the 'verification' methods that you are using.
There is no safe way to use loadstring() with network code. What you need is a custom serializer that does not unserialize in a way that executes code. It's probably more trouble than it's worth, and the JSON way of sending data seems extremely popular.
P.S. There is no good way to have a closed source LOVE program, so keeping your code from prying eyes isn't really an option.
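To make the distinction in this post concrete, here is an added example (my own code, not from the thread or from Tserial) that puts the loadstring-based "unpack" the thread warns about next to a data-only decoder. The decoder parses a restricted literal syntax (numbers, double-quoted strings without escapes, true/false/nil, and tables of the form `{ key = value, positional, ... }`) and builds the value directly, so nothing in the message is ever compiled or executed. The names `unsafe_unpack`, `safe_unpack` and `Decoder`, and the sample message, are my own constructions.

```lua
-- Added example, not code from the thread: the loadstring-based "unpack"
-- that the thread warns about, beside a data-only decoder that builds the
-- value directly. Names (unsafe_unpack, safe_unpack, Decoder) are my own.
local loadstring = loadstring or load   -- Lua 5.1/LuaJIT vs. 5.2+

-- UNSAFE: the input is compiled and *run*. Anything that is valid Lua
-- source is accepted, not just data.
local function unsafe_unpack(s)
  local f = assert(loadstring("return " .. s))
  return f()
end

-- SAFE: a recursive-descent decoder for a restricted literal syntax.
-- It never calls loadstring, so the input cannot do anything but be data.
local Decoder = {}; Decoder.__index = Decoder
local function new_decoder(s) return setmetatable({ s = s, i = 1 }, Decoder) end

-- Skip whitespace and return the next character ("" at end of input).
function Decoder:peek()
  self.i = self.s:find("%S", self.i) or (#self.s + 1)
  return self.s:sub(self.i, self.i)
end

function Decoder:expect(ch)
  if self:peek() ~= ch then error(("expected %q at position %d"):format(ch, self.i), 0) end
  self.i = self.i + 1
end

function Decoder:number_()
  local text = self.s:match("^%-?%d+%.?%d*", self.i)
  if not text then error("bad number at position " .. self.i, 0) end
  self.i = self.i + #text
  return tonumber(text)
end

function Decoder:string_()
  self:expect('"')
  local close = self.s:find('"', self.i, true)     -- no escapes in this subset
  if not close then error("unterminated string", 0) end
  local str = self.s:sub(self.i, close - 1)
  self.i = close + 1
  return str
end

function Decoder:table_()
  self:expect("{")
  local t, n = {}, 0
  while self:peek() ~= "}" do
    -- `name = value` sets a string key; anything else is positional.
    local key, after = self.s:match("^([%a_][%w_]*)%s*=()", self.i)
    if key then
      self.i = after
      t[key] = self:value()
    else
      n = n + 1
      t[n] = self:value()
    end
    if self:peek() == "," then self.i = self.i + 1 end
  end
  self:expect("}")
  return t
end

function Decoder:value()
  local c = self:peek()
  if c == "{" then return self:table_() end
  if c == '"' then return self:string_() end
  if c:match("^[%d%-]") then return self:number_() end
  local word = self.s:match("^%a+", self.i)      -- only three bare words allowed
  if word == "true"  then self.i = self.i + 4; return true  end
  if word == "false" then self.i = self.i + 5; return false end
  if word == "nil"   then self.i = self.i + 3; return nil   end
  error(("unexpected input at position %d"):format(self.i), 0)
end

local function safe_unpack(s)
  local d = new_decoder(s)
  local v = d:value()
  if d:peek() ~= "" then error("trailing data at position " .. d.i, 0) end
  return v
end

-- Constructed sample message in the thread's "append" style.
local msg = '{ cmd = "updatePing", ping = 42, tags = { "a", "b" }, on = true }'
local t = safe_unpack(msg)
assert(t.cmd == "updatePing" and t.ping == 42 and t.tags[2] == "b" and t.on == true)
assert(unsafe_unpack(msg).ping == 42)   -- loadstring handles the same data...

-- ...and also runs anything else. This constructed payload only sets a
-- global so the effect is visible; the decoder refuses it at the "(".
local payload = '(function() _G.injected = true; return {} end)()'
unsafe_unpack(payload)
assert(_G.injected == true)
local ok, err = pcall(safe_unpack, payload)
assert(not ok)
print("rejected:", err)
```

The point of the decoder is not its grammar (a JSON library does the same job with a standard format) but its shape: every byte of the message is consumed by a parser that only ever constructs numbers, strings, booleans and tables. There is no keyword list to bypass, because there is no code path from the message to the Lua compiler at all.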
- slime
- Solid Snayke
Re: table.pack and LOVE
Ensayia wrote: P.S. There is no good way to have a closed source LOVE program, so keeping your code from prying eyes isn't really an option.
You probably mean 'readable source' or something similar - LÖVE's license absolutely allows for games which have a closed source license.
http://en.wikipedia.org/wiki/Proprietar ... ource_code
It's also possible to use tools to obfuscate your game's source code enough that it'll be practically unreadable to anyone else, although I really don't recommend doing that because you will have a much more difficult time fixing bugs in your game that your users report, since Lua's error messages and tracebacks will probably be nearly incomprehensible.
- kikito
- Inner party member
Re: table.pack and LOVE
Ensayia wrote: There is no safe way to use loadstring() with network code.
Except sandboxing.
When I write def I mean function.
- slime
- Solid Snayke
Re: table.pack and LOVE
Ensayia wrote: There is no safe way to use loadstring() with network code.
kikito wrote: Except sandboxing.
Sandboxing doesn't prevent things like this though, as long as it's executing code:
Code:
while true do end
- ArchAngel075
- Party member
Re: table.pack and LOVE
I'm unsure how sandboxing works or what it is even.
Also if someone modifies my code and tries to damage other players then it is 50% up to the players to make sure they trust the server/client and 50% me and my attempts at preventing malicious code.
If someone does make a function that passes through my protection methods then it is breaking any licensing that states that my code may not be altered in any way possible. (But I will be using a licence that allows access but not modifying and redistribution of source or modified code.)
If you join a server it is up to you to ensure that the server is safe.
My next priority is that the server itself checks for malicious keywords; it will automatically discard any messages sent from the client should the message contain malicious keywords. The reason for this is clients can still send messages using a known append that makes use of unpack. Because this is done server side the other clients are all protected.
BUT should the server itself be the malicious sender, the clients themselves also use the check; this means that only when a malicious client and server are used will the malicious attempt actually succeed.
With malicious keywords implemented I prevent the message from going anywhere close to the unpack function.
I'm sure that this is the most effective method besides sandboxing and JSON (both of which I'm new to).
- kikito
- Inner party member
Re: table.pack and LOVE
slime wrote: You only really need to worry about preventing that sort of thing in specific circumstances though.
Code:
while true do end
These tests pass just fine: https://github.com/kikito/sandbox.lua/b ... ec.lua#L72 .
It's possible to detect infinite loops in Lua if the debug lib is available.
When I write def I mean function.
- Robin
- The Omniscient
Re: table.pack and LOVE
ArchAngel075 wrote: Also if someone modifies my code and tries to damage other players then it is 50% up to the players to make sure they trust the server/client and 50% me and my attempts at preventing malicious code.
It only works that way if you advertise your game has no security whatsoever. When people run your game, they assume you know your shit, and it's clear you don't.
ArchAngel075 wrote: If someone does make a function that passes through my protection methods then it is breaking any licensing that states that my code may not be altered in any way possible. (But I will be using a licence that allows access but not modifying and redistribution of source or modified code.)
That's like saying "I leave my door unlocked, but burglaries are not a problem, because I have a note on the door saying it is illegal to enter my house and steal my stuff".
ArchAngel075 wrote: If you join a server it is up to you to ensure that the server is safe.
And how is a player supposed to do that? The only safe thing to do for a player is to never run your game.
ArchAngel075 wrote: My next priority is that the server itself checks for malicious keywords,
THIS NEVER WORKS. People will find ways around that in no time. Don't ever assume you are smarter than your attackers, because that never ends well for you.
ArchAngel075 wrote: I'm sure that this is the most effective method besides sandboxing and JSON (both of which I'm new to).
If by "most effective" you mean "not effective at all" then yes.
If you use this method you're currently going for, the attacker OWNS your computer. If you use sandboxing, they can make the game crash but not much else. If you use JSON or something like it, they can't do anything but cheat a little.
Help us help you: attach a .love.
- ArchAngel075
- Party member
Re: table.pack and LOVE
Hmm, I'll look into JSON, as preventing hacking is important, yes, and I 90% don't know much about security in network based games, so I apologize for being noobish and not researching properly.
Re: table.pack and LOVE
kikito wrote: It's possible to detect infinite loops in Lua if the debug lib is available.
Of course, that depends on what you mean by "in Lua". C functions called through Lua can't be monitored by the debug hook. Notably, this makes the pattern matcher a potential DoS target.
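kikito's remark about the debug library and the caveat in this reply are easiest to see in code. The following is an added example of my own, not from the thread and not from kikito's sandbox.lua: untrusted code is loaded into an empty environment and run under a `debug.sethook` count hook that aborts it once an instruction budget is exceeded, so slime's `while true do end` returns an error instead of hanging the game. `run_sandboxed`, `load_in_env` and the budget values are my own names and choices. It is written against the reference Lua 5.1 semantics of count hooks; my understanding is that LuaJIT (which LÖVE ships) honours them by running the hooked code in its interpreter, but treat that as an assumption to verify on your target.

```lua
-- Added example, not code from the thread or from kikito's sandbox.lua:
-- run untrusted Lua with an empty environment and a debug.sethook
-- instruction budget, so `while true do end` is aborted instead of
-- hanging the game. run_sandboxed, load_in_env and the budgets are my own.
local function load_in_env(code, env)
  if setfenv then                              -- Lua 5.1 / LuaJIT (LÖVE)
    local f, err = loadstring(code, "=untrusted")
    if f then setfenv(f, env) end
    return f, err
  end
  return load(code, "=untrusted", "t", env)    -- Lua 5.2+: text chunks only
end

-- Runs `code` with no globals at all and at most `budget` VM instructions.
-- Returns ok, result-or-error, like pcall.
local function run_sandboxed(code, budget)
  local f, err = load_in_env(code, {})         -- {}: no os, io, loadstring, debug, ...
  if not f then return false, err end

  local steps, period = 0, 1000
  local function quota()                       -- count hook: called every `period` instructions
    steps = steps + period
    if steps > budget then error("instruction budget exceeded", 0) end
  end
  debug.sethook(quota, "", period)
  local ok, res = pcall(f)
  debug.sethook()                              -- always remove the hook again
  return ok, res
end

-- A well-behaved script finishes normally.
local ok, res = run_sandboxed("local s = 0 for i = 1, 10 do s = s + i end return s", 1e6)
assert(ok and res == 55)

-- The empty environment hides every global, including the dangerous ones.
ok, res = run_sandboxed("return os == nil and io == nil and loadstring == nil", 1e6)
assert(ok and res == true)

-- slime's example from the thread: the hook aborts it instead of hanging.
ok, res = run_sandboxed("while true do end", 1e6)
assert(not ok and res == "instruction budget exceeded")
print("aborted:", res)

-- Caveat from this reply: the hook only counts Lua VM instructions. A
-- single call into a C function (string.rep, a string.find with a
-- pathological pattern, ...) runs to completion before the hook can fire,
-- and string methods stay reachable from any string literal through the
-- string metatable even though the environment is empty. Only a wall-clock
-- limit enforced from outside (a watchdog or separate process) covers that.
```

Two things to keep in mind when adapting this: the hook is process-global, so it also counts the game's own code while it is installed (hence removing it immediately after the `pcall`), and, as this reply points out, a budget measured in VM instructions says nothing about time spent inside C library calls.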