Security Sandboxing

[akima]

Hello, I've used Love a number of times and it seems to have a fantastic design philosophy, but it lacks a feature which I think would be very beneficial to its users; security sandboxing. Java has this feature and so does Adobe Flash.

I have heard arguments made against the idea on the basis that it would unnecessarily restrict game developers at no gain to the users. I disagree on both points. The wealth of enjoyable games that have been made in the Flash and Java restricted environments is outstanding. I think most games can be limited to only a specific subset of OS resources: keyboard, joystick, graphics, sound, mouse etc.

The argument that the OS and the user should take care of security are in-part true, but it doesn't fly with me as a complete justification for lack of ever including security sandboxing. For a user to know if they can trust a given .love game is a very complicated task:

1. It isn't sensible for the user to trust games from a given website. I imagine someone could even anonymously submit a .love game to the love2d.org site's Games section in the wiki and include some carefully concealed malicious code. A site that does do stringent checks for malicious code in games submitted by an unknown third party could be hacked via a security flaw in a piece of server side software like the HTTP server or an FTP server. A malicious cracker could then inject malicious code into the games stored on the server; perhaps bot-net code, which upon execution of the .love game installs a botnet client on the end-users machine, placing that machine under the control of an unknown third party.

• It isn't sensible for a user to trust a particular developer. It is likely that most often the user will never know exactly who the developer is. The developer is likely completely anonymous, whose only point of contact is an email address. If they performed all their game submitting, email and forum posting via a proxy server then they could affectively do all the damage they wanted (for personal gain or just the sociopathic challenge) and receive zero consequence.

If you didn't want to forcibly restrict all developers into a limited sandbox environment and potentially stifle innovation you could make a trade off. Create a simple API such that a developer can request to break out of the sandbox. The user would then be prompted by the Love Engine (using simple to understand language) whether they want to allow that or not. If the user denies it, the game could even be told of this via something like is_sandboxed() returning True. You could even allow the user to specify what level of permissions the game should have: tick a box for network access, or web browser access, or unrestricted access etc. If game developers are often found to be breaking out of the sandbox to use a specific unforeseen, but safe, feature of the OS (eg, access to an accelerometer on a MacBook), then you could incorporate that feature into the Love Engine API such that they don't have to break out of the sandbox.

A quick google for "lua security sandbox" reveals lots of information on how to sandbox untrusted code. One example. http://lua-users.org/wiki/SandBoxes.
The official lua home page has this statement in the documentation: "Because all functions that interface Lua with the operating system are provided in external libraries, it is easy to restrict the power of the interpreter in order to provide adequate security. " source: http://www.lua.org/spe.html

I really do think that you are creating a fantastic piece of software for game development, but it feels like a missed opportunity if security sandboxing isn't added to the engine. Adding security sandboxing to other similar projects (eg PyGame) would be a far more complicated endeavor; if not, completely unfeasible. It would be nice to offer peace-of-mind and protection to the computers of Love gamers without them having to be security experts.

When I explain basic security to my non-geek, friends and family I normally tell them. "Websites you visit are quite safe. They are caged within your web browser so they can't access your files and programs etc. If you run a program though, like a .exe, you are effectively giving the person who created that program access to your keyboard, mouse and all your files." It's not a perfect way of explaining it, but it conveys the major points. It would be nice to be able to tell people that .love games are like websites. You are safe. Just enjoy the games! ^_^

-Akima

[bartbes]

SELÖVE is probably what you are looking for. Unfortunately, sandboxing everything has yet to be done, as I demonstrated a few days ago, which is perhaps the primary reason security is not (yet) a focus for vanilla LÖVE: I don't want to give people a false sense of security.

I should note that I fully support SELÖVE, and whenever it gets to a usable (no offense, robin) point, I'll be glad to merge it into LÖVE.

[akima]

Oh; nice to see work is being done on it. I can totally understand security "not (yet) a focus for vanilla LÖVE". The software looks like it is still under heavy development and the API isn't fixed.

[kikito]

It is important however to note that there have been some arguments against sandboxing on this same forum.

[Robin]

It is important however to note that there have been some arguments against sandboxing on this same forum.

Yes there have. I still haven't found any of them very convincing.

I should note that most of the existing security holes are fixed. The problem with Threads remains, but I might be able to tackle it next week, when we're having a carnival break.

The sandbox in SELÖVE is a very simple "deny everything" sandbox, by the way. It would be difficult to allow secure outside access for particular games without disrupting gameplay. It might be a thing to look at in the future, though.

[BlackBulletIV]

Oh boy, we just had a discussion about this.

You're treating Love as if it's a gaming platform, not a framework for game development. There's a big difference between the two. Frameworks just provide services, like worrying about how to draw graphics, or use physics, but don't limit the developer from doing something outside of the scope of the framework. Imagine if SDL suddenly turned around and asked the user if the program could do a certain operation, or if Unity3D sandboxed the game developer from accessing the internet or files outside of a certain region without extra permission? I don't imagine a good response.

Java has this feature and so does Adobe Flash.

Indeed, Java does have sandboxing, but no where near the level proposed. Java doesn't go asking the user for network and file access! As far as I know the main thing it does is protect from operations that are most likely to be really dangerous, like raw memory manipulation.

Flash has a sandbox, because it's in the browser. The browser is a completely different field of play to the desktop, and requires much more security. If Love is able to get into the browser, a sandbox will be needed for that environment.

Have you heard of merged executables? (If not, see Game_Distribution) This shows again that Love is not a gaming platform. Imagine how out of place it would be if the game, fully enclosed in an executable (meaning the user has no idea it's being run by Love), suddenly popped up asking for permissions. This is totally unnatural for (at least seemingly) stand-alone games. The user will probably may get annoyed by the interruption, thinking "I've already given this thing permissions through the operating system!"

It isn't sensible for the user to trust games from a given website.

It isn't sensible for a user to trust a particular developer.

Indeed, it's not sensible for someone to run an executable from someone that has given little proof they're serious. It's almost always easy to tell when someone may have something malicious in their game, there might be little information, or it's a pirated game; those are the usual candidates for malicious code. But why do you trust the many game developers that have made their game in C++ which has no sandbox whatsoever? I know I would because of the amount information, and the reviews.

But those arguments would have weight if Love was a gaming platform, but it's not.

There's my opinion on it.

[crow]

I have to say if Löve main became sandboxed I would have to drop it, as I can see it been useful not just in games but in other media and locking it down
would be pointless might as well scrap the Lua scripting engine if that was the case.

Sure if you really want to add a sandbox then your free to do so but thats the hole point of a framework it include it in to your existing project or build a new
project around the new framework. You say you should not trust XYZ but people like MS, Google, Yahoo & others all over been taken to court for just what your stating and we all download things from them everyday and worse still there work is signed so at lest on a windows system it will be let thought to do what it
wants. You as the Dev take action on if its going to be good or bad to the user not the framework, the framework should be open and flexible and yes its made for games but if we look at it for more then a few mins it could be used for interactive systems like online gaming chats little like secondlife this needs access
to the internet and file access to download new mods and files.

So I have to agree with BlackBulletIV and many others that love should not be sandbox'ed but from reading it seems they offer a system that offers sandbox selove so its not life there not offering you something you want.

[bartbes]

Wow guys, if I ever get to the point of adding sandboxing, it'll be optional.

[crow]

Wow guys, if I ever get to the point of adding sandboxing, it'll be optional.

YAY I like the option of optional

[BlackBulletIV]

That's better. I think that's the best approach, if users want sandboxing they can have it.