
#5207191 how to protect mysql strings?

Posted by hplus0603 on Today, 10:02 AM

how can i protect the strings that connect to the database from being compromised by memory reading etc

I can read this question two ways:

1) You are trying to connect to the database from the client software, and don't want the user to be able to extract your database credentials.

2) You are connecting to the database from the application server software, but you want to protect the database credentials in the case of some security exploit that allows the attacker to read memory from the application server process.

In the case of 1), antosdaniel is entirely right: You never expose the database directly to clients. You always put an application server in between (call this the "game server.") The role of the game server is to provide authentication, authorization, and game rule enforcement.

In the case of 2), you can store the credentials in initialized mutable variables, and once connected, overwrite these variables with junk. Like so:
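
#include <string.h>  /* memset */

/* Mutable arrays: the only copy of each literal is this initialized data. */
char mysqlname[] = "example";
char mysqlpasswd[] = "swordfish";
char mysqlhost[] = "db.example.com";

db_connection *db_connect() {
  db_connection *ret = whatever_connect_to_database_call(mysqlhost, mysqlname, mysqlpasswd);
  if (ret) {
    /* Connected: overwrite the credentials so they no longer sit in memory. */
    memset(mysqlname, 0, sizeof(mysqlname));
    memset(mysqlpasswd, 0, sizeof(mysqlpasswd));
    memset(mysqlhost, 0, sizeof(mysqlhost));
  }
  return ret;
}
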
This works in C/C++, where the compiler will optimize the string constant into the initialized data section of the global variables.
If however you use std::string in C++, or use Java, C#, or a similar language, the string constants will not be elided and will still be available somewhere in RAM.

Secure credential storage in a production environment is actually a fascinating subject. There are many kinds of key escrow, key server, dedicated-hardware, and other esoteric approaches to mitigate this threat, all dependent on how determined you think the attacker might be and what the cost of failure would be.
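
The overwrite-after-connect idea from the post above, as an added example that is not hplus0603's code: when the credentials sit in a caller-owned buffer rather than in globals, a plain memset() on memory that is never read again can be removed by the optimizer as a dead store, so the wipe here goes through a volatile pointer. `fake_db_connect`, `struct db_creds`, `secure_wipe`, `all_zero` and `connect_and_wipe` are hypothetical names, the credential values are constructed samples, and unlike the post this version wipes on failure too.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the real client library (assumptions). */
typedef struct { int connected; } db_connection;
static db_connection g_conn;
static db_connection *fake_db_connect(const char *host, const char *user,
                                      const char *pass) {
    if (!host[0] || !user[0] || !pass[0]) return NULL;
    g_conn.connected = 1;
    return &g_conn;
}

struct db_creds { char host[64]; char user[32]; char pass[64]; };

/* Zero through a volatile pointer: each store is an observable side effect,
   so the optimizer cannot discard the wipe as a dead store, which it may do
   to a plain memset() on a buffer that is never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if every byte of the buffer is zero. */
static int all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 0;
    return 1;
}

/* Connect, then wipe the whole struct (unused tail of each field included)
   whether or not the connection succeeded. */
static db_connection *connect_and_wipe(struct db_creds *c) {
    db_connection *ret = fake_db_connect(c->host, c->user, c->pass);
    secure_wipe(c, sizeof *c);
    return ret;
}

int main(void) {
    struct db_creds c = {0};                    /* constructed sample values */
    strcpy(c.host, "db.example.com");
    strcpy(c.user, "example");
    strcpy(c.pass, "swordfish");
    db_connection *db = connect_and_wipe(&c);
    printf("connected=%d wiped=%d\n", db != NULL, all_zero(&c, sizeof c));
    return 0;
}
```

Because the buffer is wiped on the failure path as well, a retry has to fetch the credentials again from wherever they are stored.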

#5205568 c++ port of lidgren?

Posted by hplus0603 on 20 January 2015 - 10:40 AM

Mono and .NET are both open source at this point, and available on all platforms that matter. Thus, it should be possible to create a wrapper that goes C++ -> C# (which is, admittedly, the "wrong" direction compared to most other uses :-) You would have to include the Mono runtime with your wrapper/C-level code.

An alternative is to use a C level library, such as RakNet, instead of Lidgren, and write a C# -> C wrapper to import RakNet into your C# code. This would probably be more straightforward, and more palatable to developers used to doing "only C" and not including large support libraries.

#5205323 best data connection structure for a mmo game

Posted by hplus0603 on 19 January 2015 - 10:45 AM

All servers should really talk to a highly redundant sql cluster on some really fast local boxes for data storage.

The option that most MMOs take is to design storage so that it doesn't need a high degree of throughput. For example, keep "game" state (hitpoint amount, affects, etc) in RAM, and only checkpoint back to a central store once in a while. Only things that need central authority and can't be lost (player trade, etc) need to go directly through an app server and database.

Also, it's typically the case that there's a central "players" database, and then there's a separate "characters" database per world shard/instance. Almost all MMOs do it that way. The "player" database is only hit on login (to generate a ticket) and on subscription events (renew/cancel, etc.) The "character" server is the one that's hit for in-play characters, but as each shard is limited to the number of current players (because of area and gameplay,) there's an upper limit to what that server needs to be able to do.

#5205319 Max Player Update

Posted by hplus0603 on 19 January 2015 - 10:41 AM

should I also limit the amount of updates to a fixed number

There are three options here:

1) Limit the number of entities you send updates about -- more entities, means shorter visible range.
2) Limit the number of updates per second -- more entities, means longer time between updates.
3) Use a fixed number of updates per entity per second -- more entities means more bandwidth used, and more players will get loss/lag.

There is no "best" option here -- it depends on the needs of your game.

#5205095 Serving large files over TCP

Posted by hplus0603 on 18 January 2015 - 11:58 AM

he doesn't have the ability to change them

Maybe. But he said this:

Even through the TCP, it cannot handle large packets. I have to split them up, put some metadata to identify the chunks

Maybe that's a description of an existing protocol, or maybe that's a description of what he plans to do for the devices. We don't know!
If he has to re-implement an existing protocol, then providing some reference to that protocol specification (if available) would be helpful :-)
And, all of the additional advice still applies. Why can't the files just live on the server hosts, for example? Disk space is very cheap.

#5205093 Best 'thing' to use for a XNA with C# for multi-player?

Posted by hplus0603 on 18 January 2015 - 11:55 AM

Whether you need to configure port forwarding (or use an external NAT punch-through service) depends entirely on the network configuration where your server computer is located, and depends not at all on what language/library you use for networking.

#5204735 Server Frames Per Second

Posted by hplus0603 on 16 January 2015 - 10:58 AM

If the engine owns the main loop, then "waiting" turns into "do more work on the next 'tick' callback."

#5204734 Security for beginners

Posted by hplus0603 on 16 January 2015 - 10:57 AM

if for any reason, my site gets interesting for attackers, they can throw amazon EC2 on me. Me on the other hand starts with the free quotas on GAE. This is Goliath against David

I understand how you feel!

The good news is that, the main reason a dedicated attacker would want to get to you, would be financial. And if you are a target that's rich enough to warrant attacks by dedicated hackers, hopefully you're actually making enough money that you can pay for better hosting and management!

There are some cases where this may not be enough. For example, if you are a "free speech" site of some sort, that hosts political or religious dissident speech, you may be targeted by states that disagree with you, even though you may not be making any money off of the speech. Doing the best you can with what you have is even more important there...

Also, using bcrypt() with 16000 iterations (14 "rounds") is likely good enough for the next 5 years, at least -- there are so many sites that use less strong mechanisms, that you likely won't be the target of choice. And even then, brute forcing 16000 iterations of bcrypt has a real, financial cost.

Finally, the idea of mailing a strong password to the user (ideally in a link they can click) is not bad. It moves the cost of protecting user data away from your system, and into the user's email. And if the user's email is compromised, the user is compromised in many, many, ways! There are still some problems, such as URL history in browsers being available to other users on the same machine, that you have to consider as far as attack vectors go -- it all depends on what particular problem you're trying to defend against!

#5204732 30k concurrent players on a (private) MMO server...is this possible ?

Posted by hplus0603 on 16 January 2015 - 10:46 AM

increase the number of players

As long as the server bucketizes the players so they only see approximately the closest X players, you will scale roughly linearly in the number of players. The limitation to your scale then becomes how expensive/complicated your server-side simulation is. If all players want to be in the same town square, you will end up with n-squared in the number of players -- this is the worst case for any online game.

why IMVU doesn't increase cap for a room if you don't mind?

There is no "hard" limit, only a "soft" limit -- when you search for a chat room, rooms with 10+ users are shown as "full."
However, if someone invites you to the room, and you accept, you can still join.

The reason we consider rooms "full" at 10 is two-fold:
1) When chatting, more than 10 users is very hard to keep track of! (There are use cases, like virtual theater plays, where this is not a problem)
2) The typical end-user machine can't reasonably show more than 10 user-generated avatars with good frame rate

Thus, this is a client-driven limitation, not a server-driven limitation, and one of the problems is that our avatars are made of user-generated content, and our users are not trained 3D artists who spend days squeezing every last pixel out of a texture sheet or every last vertex out of a morphed mesh, like you'd typically see for high-end games production.

Intel Integrated -- the world's most popular graphics chip -- is not going away. In fact, ALL the MacBooks (except for the very biggest and highest-end model) now ship with Intel Integrated, rather than a discrete graphics chip.

#5204559 how to know most hack possiblities and find best way to handle them

Posted by hplus0603 on 15 January 2015 - 03:33 PM

"forget about even trying to write safe code, someone else has probably made a mistake anyway" is a very poor philosophy.

I agree with this. I want to extend it to say that "even with the best platform choice and most careful developers, there will be problems, and the only sane security posture is to be ever vigilant, be on the look-out for issues, and fix them as soon as you find them."

#5204514 how to know most hack possiblities and find best way to handle them

Posted by hplus0603 on 15 January 2015 - 11:00 AM

It is impossible to cause a classic buffer overflow directly in an interpreted language

...unless there are bugs in the language interpreter, or the libraries it uses. In which case you can exploit (or accidentally run into) those bugs and find yourself with a buffer overflow anyway.

That's not a theoretical concern. We use a lot of PHP at work, and we run into bugs in the language, runtime, and libraries, with some frequency.

#5204513 Security for beginners

Posted by hplus0603 on 15 January 2015 - 10:58 AM

You can run local HTML on a phone without security problems. This is what Titanium/PhoneGap/Cordova does. We have shipped one such app at work: http://m.imvu.com/ is also available "packaged" in the app stores.

The security comes from enforcing business rules on the server. For example, if you build the server such that anyone can upload "a completely new schedule" then your security exposure might be that an intern presses a button that uploads a blank schedule. Or it may be that someone sniffs an authentication cookie in a public WiFi spot, and makes subtle changes.

Thus, a secure app is split into at least two parts:
1) The "business rules" (and, usually, persistence) that check "who is making this request, and are they allowed to?"
2) The "user interface," which presents system state, and lets the user formulate requests to change system state.

Note that anything that runs on a client-hosted device can and will be hacked if there is incentive to do so. Thus, any business rule you actually care about, must be enforced in part 1).

Whether we're talking scheduling software, empire building games, or bank transactions doesn't really matter -- the approach is generally the same. Only the cost of failure may differ in the different cases :-)

#5204510 Best 'thing' to use for a XNA with C# for multi-player?

Posted by hplus0603 on 15 January 2015 - 10:53 AM

Modules that you add to your program are almost always called "libraries," no matter what the programming language.
The most commonly recommended C# networking library for games is Lidgren networking.

#5204083 how to know most hack possiblities and find best way to handle them

Posted by hplus0603 on 13 January 2015 - 06:08 PM

Had the software (the platform itself) been written in something less error-prone (I don't know, Ada maybe?) then perhaps it wouldn't have been possible to make said mistake.

I'm not sure such a platform exists. All the widely used platforms are written in C/C++ (and perhaps some amount of assembly.)
C#/CLR, Java, Python, Rails, PHP, Node -- they're all in turn implemented in C. In fact, most of them, in turn, generate assembly code from the parsed scripted code, to run faster, and that assembly code generation may also have bugs.

Although there is some research into minimal and provable systems bootstrapping -- typically, some minimal LISP, where you can prove that the system doesn't escape outside of its bounds, and then all the libraries are written in LISP. And run very slowly.

Security is best done by, first, using restrictive whitelisting (and rejecting anything not on a whitelist,) and second, being active, aware, and on the ball with mitigation for any problems as they come up.

#5204046 how to know most hack possiblities and find best way to handle them

Posted by hplus0603 on 13 January 2015 - 03:56 PM

I suppose it depends in your view.

What depends on the view? The fact that scripting languages may also have vulnerabilities?
I'm aware of no legit viewpoint that claims that you will be immune from pointer/buffer problems just because you're using a scripting language.

My view is that if you have no pointers, you cannot accidentally dereference them or point them straight to hell.

You cannot. But can you trust the people who built the platform you're using to also have no bugs? (Spoiler alert: No, you cannot!)

The Java error you linked is a typical C/C++ problem which couldn't have happened in code written in say C#/Java

I think you misunderstood the bug. The bug is in the Java implementation. The bug allows a malicious user to inject "legitimate" data into an application written in Java, and by doing so, start executing arbitrary machine instructions, thus being able to "own" the machine.
Your software is written in Java, so your software doesn't have pointer/buffer problems -- but Java itself does, so the interface you expose to the world DOES have those problems.

Some of the most damaging vulnerabilities in the last few years have been systemic vulnerabilities -- bugs in TCP/IP stack implementations, SSL libraries, graphics drivers, command shells, and the like, which may allow anyone to execute code on your machine. However, this is a slightly different kind of problem than insecure games -- these bugs allow an arbitrary attacker to use your machine resources. The game-specific hacks allow a hacker to fool your game/servers in some way that leads to advantage or value in the game, so the list of potential attackers is somewhat limited compared to the list of attackers that care about owning arbitrary machine resources. (That doesn't mean it's zero.)

Anyway -- first make sure that your game is fun, and that you have a way to explain to the world that the game is fun so that you actually get players. Make sure the game design is reasonably well architectured (all vital game state verified on the server.) Then improve as needed, if needed, as your resources allow. A fun, successful game that loses 20% to hacking is a whole lot better than a boring game with no users that loses 0% to hacking.