Unknown
-
- Posts: 386
- Joined: Sun May 11, 2014 12:13 am
Unknown
Hello!
I tried removing this post but wasn't able to. Carry on!
Last edited by LunaRebirth on Thu Jan 04, 2018 4:59 am, edited 6 times in total.
-
- Posts: 386
- Joined: Sun May 11, 2014 12:13 am
Unknown
Here's a pic from early development when I had friends helping me test for bugs
Last edited by LunaRebirth on Tue Jul 11, 2017 4:56 pm, edited 2 times in total.
Re: Graal3D
So... you just wrote your own Second-Life? Wow :-)
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
-
- Posts: 386
- Joined: Sun May 11, 2014 12:13 am
Re: Graal3D
CuteAlien wrote: So... you just wrote your own Second-Life? Wow
I suppose so, but this one will be on mobile devices too
-
- Posts: 386
- Joined: Sun May 11, 2014 12:13 am
Re: Graal3D
Another link from early development -- the world editor
Last edited by LunaRebirth on Tue Jul 11, 2017 4:56 pm, edited 1 time in total.
Re: Graal3D
LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with Lua scripting and create their own MMO with any storyline they'd like to create.
How are you dealing with the security issues that come from allowing third-party code to run on basically any player's device?
We're programmers. Programmers are, in their hearts, architects, and the first thing they want to do when they get to a site is to bulldoze the place flat and build something grand. We're not excited by renovation: tinkering, improving, planting flower beds.
-
- Posts: 386
- Joined: Sun May 11, 2014 12:13 am
Re: Graal3D
LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with Lua scripting and create their own MMO with any storyline they'd like to create.
Sudi wrote: How are you dealing with the security issues that come from allowing third-party code to run on basically any player's device?
I could be wrong in thinking that there isn't much a player can do with Lua to compromise security?
The server deals with everything login-wise, and no scripts will run on the login/register screen.
The most I can see someone doing with the Lua code is to get account names (which is a feature I added if you want to find a specific client with a specific account name)
-
- Posts: 386
- Joined: Sun May 11, 2014 12:13 am
Re: Graal3D
If you want to help me achieve my goals to get the game started and running, that would be AMAZING!
Last edited by LunaRebirth on Tue Jul 11, 2017 4:57 pm, edited 1 time in total.
-
- Posts: 1010
- Joined: Mon Oct 24, 2011 10:03 pm
- Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d
Re: Graal3D
LunaRebirth wrote: I could be wrong in thinking that there isn't much a player can do with Lua to compromise security? The server deals with everything login-wise, and no scripts will run on the login/register screen. The most I can see someone doing with the Lua code is to get account names (which is a feature I added if you want to find a specific client with a specific account name)
Pretty much anything if the coder is clever enough, Lua is Turing complete and even the strongest sandbox can be escaped - it's a neat idea but a security nightmare, I wouldn't want to figure out how to solve it
"this is not the bottleneck you are looking for"
-
- Posts: 386
- Joined: Sun May 11, 2014 12:13 am
Re: World of Hello
aaammmsterdddam wrote: Pretty much anything if the coder is clever enough, Lua is Turing complete and even the strongest sandbox can be escaped - it's a neat idea but a security nightmare, I wouldn't want to figure out how to solve it
Well, although that may be true, I'm making all of the C++ Lua functions myself. Not using irrlua or anything. So I should be able to easily see where vulnerabilities can come into play
Re: World of Hello
If the Lua VM has a vulnerability, users can write malicious code to overflow the C++ app and run any code with the same permissions as the app. Lua continuously fixes those vulnerabilities at each major update but it is likely there are still some (un)known ones around. It all depends on the Lua VM and the functions you expose. Your best bet is to use an old Lua release with all possible security patches already applied. Newer versions are more likely to be exploited.
Basically:
- If users know a VM vulnerability => they can do anything that your application is allowed to do (internet access, file deletion/reading in particular folders etc.)
- If users also know an operating system vulnerability => once they have gained application control they could scale up to get root privileges
- If you do not carefully expose C++ functions => apart from incurring the risk of exposing the application, it is likely users can cause nasty side effects (like crashing the application for other users)
I'm not saying that's easy to hack, just that it is possible.
The only way to work around it is to create "trusted maps" that you carefully check, but you could still miss important malicious code; also, if those maps have no direct malicious code but rather vulnerabilities in their code, it is hard to see it.
You can however be very social. If users can invite only friends, then if they get hacked they will know the hacker is their friend, and you can always let your team create maps so that one can always have maps in addition to the maps of their friends (note that there is a lot of scum in social networks, those scums would work anyway with your game).
Welcome to the Turing-complete world!), maybe you create just 100 maps and then selectively show only of them based on a hash of usernames and gradually show more maps over time to give the impression of evolution. Also, if network communication happens only through your C++ layer, you could even record that traffic in order to create a sandbox (a user creating a map just sees more players playing but those in reality are just recorded instances), not saying that will be ethical, but users will be happy to see more players playing (and believe me, most MMOs already do that, but maybe in your case since maps are custom it is hard to create bots)
Junior Irrlicht Developer.
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
Re: World of Hello
However, if you are careful to not have a Turing-complete scripting language (for example, on each event you can only play a list of actions, so no loops and no dynamic allocation), or if Turing completeness is emergent (redstone in Minecraft), then there are good chances that you can prevent most (not all) exploits.
Junior Irrlicht Developer.
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
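Added example, not code from the thread or from the game: a minimal C++ sketch of the "list of actions per event" idea in the post above, where the host validates the whole uploaded list and then runs each action once, with no loop, jump or allocation opcode. All names, opcodes and limits here are hypothetical.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical opcodes and limits; nothing here is the game's real format.
enum class Op : std::uint8_t { MoveObject, PlaySound, ShowText, Count };
struct Action { std::uint8_t op; std::uint16_t target; std::int16_t arg; };

constexpr std::size_t   kMaxActions = 16;  // hard cap per event: bounded work
constexpr std::uint16_t kMaxObjects = 64;  // size of the world's object table
constexpr std::uint16_t kMaxAssets  = 32;  // sounds/texts uploaded with the world
constexpr int           kCoordLimit = 10000;

struct World {
    std::array<int, kMaxObjects> objectX{};
    int soundsPlayed = 0;
    int textsShown = 0;
};

// Check the whole list before running any of it, so a bad upload
// has no partial effect on the world state.
bool validate(const std::vector<Action>& list) {
    if (list.size() > kMaxActions) return false;
    for (const Action& a : list) {
        if (a.op >= static_cast<std::uint8_t>(Op::Count)) return false;
        const bool isMove = static_cast<Op>(a.op) == Op::MoveObject;
        if (a.target >= (isMove ? kMaxObjects : kMaxAssets)) return false;
    }
    return true;
}

// Each action runs exactly once, in order. There is no jump, loop or call
// opcode, so run time is bounded by kMaxActions and scripts cannot allocate.
bool runEvent(World& w, const std::vector<Action>& list) {
    if (!validate(list)) return false;
    for (const Action& a : list) {
        switch (static_cast<Op>(a.op)) {
            case Op::MoveObject: {
                int& x = w.objectX[a.target];  // index checked in validate()
                x = std::max(-kCoordLimit, std::min(kCoordLimit, x + a.arg));
                break;
            }
            case Op::PlaySound: ++w.soundsPlayed; break;
            case Op::ShowText:  ++w.textsShown;   break;
            default: return false;  // unreachable after validate()
        }
    }
    return true;
}
```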