Jump to content

  • Log In with Google      Sign In   
  • Create Account

- - - - -

Security


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

  • You cannot reply to this topic
29 replies to this topic

#1 Dentoid   Members   -  Reputation: 122

Like
0Likes
Like

Posted 13 September 2004 - 07:38 AM

Just a little question about the bytecodes. How "close to the system" is the bytecode really? All pointers etc is generated at linking, right? The reason I'm asking is that I'm thinking about a system in my game engine where the server could send scripts to the client. If this is sent as source I'm pretty sure I could prevent malicious code (simply by not registering potentially dangerous stuff for access by the scripts). I'm a bit worried about sending bytecode though (which would be nicer in many ways). If the bytecode can be constructed in such a way it'd start accessing stuff it shouldn't, it might be a pretty big problem. So, basically the question is... Uhm... All of the above, formulated as a question somehow. :) /Anders Stenberg

Sponsor:

#2 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 13 September 2004 - 09:09 AM

In a short answer: Loading precompiled bytecode is not safe.

It is for example possible to insert the following bytecode:

SET4 0 // value
SET4 0 // address
WRT4 // *address = value

The virtual machine would gladly execute this code.

The bytecode generated by the compiler shouldn't contain any hardcoded addresses though. So if you can somehow guarantee that nobody tampers with the bytecode you should be able to pass the bytecode from the server to the client (assuming the engines have been configured with the exact same functions, in the exact same order).

I don't think I will be able to make the VM somehow validate the bytecode so that it doesn't do anything it shouldn't. If you have any suggestions on that I would be very interested in hearing them.

AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game

#3 Dentoid   Members   -  Reputation: 122

Like
0Likes
Like

Posted 13 September 2004 - 09:29 AM

Quote:
Original post by WitchLord
SET4 0 // value
SET4 0 // address
WRT4 // *address = value

The virtual machine would gladly execute this code.

But would the bytecode deserializer (I haven't checked out the saving/loading of bytecode really) allow for such a construct to be generated? I thought you had some metadata when saving about what all pointers should point to, and relink them pointers that make sense in the current environment when loading? (I have to admit I haven't looked much at the bytecode stuff at all, so I might not make sense at all. :)

#4 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 13 September 2004 - 09:50 AM

Actually, when the bytecode is saved it's just a direct copy of the in memory bytecode, with some extras so that the module can be rebuilt after loading (function declarations etc).

The only thing that guarantees that the bytecode doesn't do any bad stuff is the compiler. The VM verifies that an object pointer isn't null when accessing methods or properties, it also verifies that no division by null is made. That's about all the verification that is done after compilation. Any more and the performance would get really bad.

It would be easy to verify that

SET4 0 // value
SET4 0 // address
WRT4 // *address = value

isn't executed. But it would also be very easy to hide this code with a few more instructions:

SET4 0 -- Store 0 in a variable
PSF 1
WRT4
POP 1

SET4 0 -- Write 0 to an adress stored in a variable
PSF 1
RD4
WRT4
POP 1

Both of these sequences are perfectly normal, and could be found in correct code. Though if they are run together as is, they will result in the same as the previous example.

The only way to make the bytecode safe is to have the application register the memory ranges that the VM should allow access to and then have the VM verify each instruction that accesses memory. As you can imagine this would be extremely inefficient.
AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game

#5 Dentoid   Members   -  Reputation: 122

Like
0Likes
Like

Posted 13 September 2004 - 10:11 AM

I still don't really understand how the bytecode could be just saved and loaded right off. Mustn't _all_ pointers _always_ be resolved when loaded? I mean, how could possibly a stored pointer make sense between two runs of a program?

#6 Deyja   Members   -  Reputation: 920

Like
0Likes
Like

Posted 13 September 2004 - 02:20 PM

I would assume the 'pointers' in the bytecode are relative the AngelScript stack, not the system. So as long as the stack is the same size, it's all there.

You said you're sending code from the Server to the Client - if some client messes with it and runs it, they are screwing themselves. If someone writes a malicious server, that's altogether different. And, of course, it would be rather easy for the client to cheat.

#7 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 13 September 2004 - 02:32 PM

It's really only global variables that would be accessed through memory pointers, the rest use offsets from the function stack frame or stack pointer. I solved the access to global variables by indexing the list of variable declarations, it's slightly slower than direct memory access but it simplifies other things. The VM doesn't verify out-of-bounds access to these lists though as it relies on the compiler for that.




AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game

#8 Dentoid   Members   -  Reputation: 122

Like
0Likes
Like

Posted 14 September 2004 - 07:20 AM

Couldn't the loader do a sanity check if it's in range when loading?

#9 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 14 September 2004 - 08:12 AM

It could and it's probably a good idea, but it would only protect against uncompatible engine configurations. It still wouldn't solve the other issue above with malicious code.
AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game

#10 Dentoid   Members   -  Reputation: 122

Like
0Likes
Like

Posted 14 September 2004 - 10:03 AM

I guess I don't know enough about this to actually say anything about it, but I don't see why not. :)
If the loader/linker/whatever knows what indices make sense, it should be able to bolt out if the indices in the bytecode are way off? Or maybe the bytecodes are too low level to easily know what's legal and not?

#11 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 14 September 2004 - 01:53 PM

Quote:

Or maybe the bytecodes are too low level to easily know what's legal and not?


That's exactly it. The byte codes are too low level. The instructions that use indices can be checked, but other instructions like write, read, etc work with address pointers directly. A malicious code sequence can put an address on the stack with SET4 and at any time in the future call WRT4 on it.

If I can think of some way to make the bytecode secure (without loosing too much performance) I will do it.
AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game

#12 EddHead   Members   -  Reputation: 140

Like
0Likes
Like

Posted 14 September 2004 - 06:02 PM

how does Lua manage security?

[Edited by - EddHead on September 15, 2004 12:02:16 AM]
Jayanth.KRaptor Entertainment Pvt. Ltd.http://www.raptorentertainment.com---------------------------------------------------------Why Mr. Anderson? Why? ...Why keep fighting? Do you think you're fighting for something - for more than your survival? Can you tell me what it is? Do you even know? Is it freedom, or truth, perhaps peace, could it be for love? Illusions Mr. Anderson, vagaries of perception. Temporary constructs of a feeble human intellect trying desperately to justify an existence without meaning or purpose.

#13 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 15 September 2004 - 02:55 AM

I read the reference manual for Lua, and from what I can see Lua doesn't allow saving/loading of compiled byte code, which effectively eliminates the security problem we are discussing here.

Note, the security risk is most notable when sending the compiled byte code between machines. If the compiled byte code is installed on the client machine together with the rest of the program then the bytecode poses no greater security risk than the application itself. A hacker with malicious intent could manipulate the application directly if he has access to it. So if you do not intend to pass byte code between machines I don't think you have to worry too much about the security.

If you do intend to pass compiled byte code between machines, you need to set up a protocol that protects hackers from tampering with the data stream. SSL has been proven to be a good way to do this.

In either case, if I can think of some way to make the bytecode safer I will implement it.


AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game

#14 Mad Dugan   Members   -  Reputation: 122

Like
0Likes
Like

Posted 15 September 2004 - 08:39 AM

Security is really just narrowing down who can successfully circumvent any safety measures that are put in place.

* AngelScript as source - Anyone with notepad and some basic programming knowledge may be dangerous.

* AngelScript as byte code - Someone with a binary file editor and knowledgeable with AngelScript's byte code may be dangerous

* AngelScript as byte code in compressed and/or encrypted file - Someone with a memory debugger and knowledgeable with AngelScript's byte code may be dangerous.

The last should be handled by the application as the time for compression/encryption is a trade off with speed.

Mad

#15 Dentoid   Members   -  Reputation: 122

Like
0Likes
Like

Posted 15 September 2004 - 08:53 AM

Well, my ideas would involve the serving sending bytecode to the client. What I'd want to avoid is someone setting up a server sending stuff that screws up the clients computer. (I guess a lockup or so would be okay, but if it can create code that destroys data on the client or something like that, it'd be a lot worse.)

I could send just source, but bytecode would be so much neater since it's more compact and at least a bit obfuscated.

#16 Kurioes   Members   -  Reputation: 250

Like
0Likes
Like

Posted 15 September 2004 - 09:04 AM

If someone really wants to alter the "script" it'll happen anyhow so I think serving the source files is better. It would allow for conditional compilation, and problems (they are huge AFAIK) of invalid pointers would be avoided.

After the script/binary has been loaded it's in memory and can be read back and/or altered. No point in trying to prevent it.

#17 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 15 September 2004 - 09:36 AM

I agree with Kurioes. You really ought to send the source files, not the bytecode. That way the compiler can do it's job and prevent access to memory the script shouldn't mess with.

You can use compression to decrease the size of the files. I suggest you take a look at zlib for this, as it is a free library (same license as AngelScript).

Never rely on obfuscation to hide code, use encryption instead. TEA is a really simple algorithm that can be implemented with only a few lines of code (I have an example on my site). The algorithm is very secure (at least as secure as private key encryption can be) and uses 128bit keys. The algorithm is also quite fast, and shouldn't slow down the download very much.





AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game

#18 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 15 September 2004 - 09:44 AM

Quote:
Original post by Mad Dugan
Security is really just narrowing down who can successfully circumvent any safety measures that are put in place.

* AngelScript as source - Anyone with notepad and some basic programming knowledge may be dangerous.

* AngelScript as byte code - Someone with a binary file editor and knowledgeable with AngelScript's byte code may be dangerous

* AngelScript as byte code in compressed and/or encrypted file - Someone with a memory debugger and knowledgeable with AngelScript's byte code may be dangerous.

The last should be handled by the application as the time for compression/encryption is a trade off with speed.

Mad


I only agree with the last two points.

The scripts can only do what the application allows them to do. If the application don't register any functions for accessing memory, then the script can't do that (of course that would make for a pretty useless script [wink]). If the script's interface to the application is secure then the script is also secure.

#19 Dentoid   Members   -  Reputation: 122

Like
0Likes
Like

Posted 15 September 2004 - 10:01 AM

Quote:
Original post by WitchLord
You can use compression to decrease the size of the files. I suggest you take a look at zlib for this, as it is a free library (same license as AngelScript).

Yeah, well it's not really a problem anyway. It's not like a script will be sent every frame or something. :)


Quote:

Never rely on obfuscation to hide code, use encryption instead. TEA is a really simple algorithm that can be implemented with only a few lines of code (I have an example on my site). The algorithm is very secure (at least as secure as private key encryption can be) and uses 128bit keys. The algorithm is also quite fast, and shouldn't slow down the download very much.


Well, in this case encryption is just another form of obfuscation. If the client can read it, no matter how tough the encryption is, so can the guy using the client one way or another. It wasn't thought as some bulletproof protection, just a way not to just swing the door wide open.

This isn't about cheating protection or anything like that. The idea was just a system somewhat like the mutators in Unreal Tournament. That the server can have modifications that are automatically downloaded and used. I've got no idea how extensive or secure the mutator-system is. I think they probably just send script code. (I haven't looked into it.)

Uhm. Okay. Now I actually have looked into it, and yes, it just sends script code as far as I can see.

Anyway, my point was that my ideas doesn't fall if bytecode can't be sent. I'm just exploring the possibilities. :)

#20 Andreas Jonsson   Moderators   -  Reputation: 3444

Like
0Likes
Like

Posted 15 September 2004 - 10:18 AM

You brought up an important issue with your question. I hadn't thought about this before.

I'll update the manual with a warning about the security risks of loading/saving bytecode.

As another solution to the problem you could digitally sign the compiled bytecode. That way the client can verify if anyone has altered the code and not run it. This would only be a viable solution if you can keep the private key secure. If you plan on having public servers then the private key isn't secure so the digital signature cannot be trusted.
AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game




Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.



PARTNERS