Unknown

LunaRebirth
Posts: 386
Joined: Sun May 11, 2014 12:13 am

Unknown

Post by LunaRebirth »

Hello!

I tried removing this post but wasn't able to. Carry on!
Last edited by LunaRebirth on Thu Jan 04, 2018 4:59 am, edited 6 times in total.
LunaRebirth
Posts: 386
Joined: Sun May 11, 2014 12:13 am

Unknown

Post by LunaRebirth »

Here's a pic from early development when I had friends helping me test for bugs
Last edited by LunaRebirth on Tue Jul 11, 2017 4:56 pm, edited 2 times in total.
CuteAlien
Admin
Posts: 9628
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
Contact:

Re: Graal3D

Post by CuteAlien »

So... you just wrote your own Second-Life? Wow :-)
IRC: #irrlicht on irc.libera.chat
Code snippet repository: https://github.com/mzeilfelder/irr-playground-micha
Free racer made with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
LunaRebirth
Posts: 386
Joined: Sun May 11, 2014 12:13 am

Re: Graal3D

Post by LunaRebirth »

CuteAlien wrote: So... you just wrote your own Second-Life? Wow :-)
I suppose so, but this one will be on mobile devices too :-)
LunaRebirth
Posts: 386
Joined: Sun May 11, 2014 12:13 am

Re: Graal3D

Post by LunaRebirth »

Another link from early development -- the world editor
Last edited by LunaRebirth on Tue Jul 11, 2017 4:56 pm, edited 1 time in total.
sudi
Posts: 1686
Joined: Fri Aug 26, 2005 8:38 pm

Re: Graal3D

Post by sudi »

LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with LUA scripting and create their own MMO with any storyline they'd like to create.
How are you dealing with the security issues that come from allowing third party code to run on basically any player's device?
We're programmers. Programmers are, in their hearts, architects, and the first thing they want to do when they get to a site is to bulldoze the place flat and build something grand. We're not excited by renovation:tinkering,improving,planting flower beds.
Vectrotek
Competition winner
Posts: 1087
Joined: Sat May 02, 2015 5:05 pm

Re: Graal3D

Post by Vectrotek »

Looks cool! :D
LunaRebirth
Posts: 386
Joined: Sun May 11, 2014 12:13 am

Re: Graal3D

Post by LunaRebirth »

Sudi wrote:
LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with LUA scripting and create their own MMO with any storyline they'd like to create.
How are you dealing with the security issues that come from allowing third party code to run on basically any player's device?
I could be wrong in thinking that there isn't much a player can do with Lua to compromise security?
The server deals with everything login-wise, and no scripts will run on the login/register screen.
The most I can see someone doing with the Lua code is to get account names (which is a feature I added if you want to find a specific client with a specific account name)
LunaRebirth
Posts: 386
Joined: Sun May 11, 2014 12:13 am

Re: Graal3D

Post by LunaRebirth »

If you want to help me achieve my goals to get the game started and running, that would be AMAZING!
Last edited by LunaRebirth on Tue Jul 11, 2017 4:57 pm, edited 1 time in total.
Cube_
Posts: 1010
Joined: Mon Oct 24, 2011 10:03 pm
Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d

Re: Graal3D

Post by Cube_ »

LunaRebirth wrote:
Sudi wrote:
LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with LUA scripting and create their own MMO with any storyline they'd like to create.
How are you dealing with the security issues that come from allowing third party code to run on basically any player's device?
I could be wrong in thinking that there isn't much a player can do with Lua to compromise security?
The server deals with everything login-wise, and no scripts will run on the login/register screen.
The most I can see someone doing with the Lua code is to get account names (which is a feature I added if you want to find a specific client with a specific account name)
Pretty much anything if the coder is clever enough, LUA is Turing complete and even the strongest sandbox can be escaped - it's a neat idea but a security nightmare, I wouldn't want to figure out how to solve it :P
"this is not the bottleneck you are looking for"
LunaRebirth
Posts: 386
Joined: Sun May 11, 2014 12:13 am

Re: World of Hello

Post by LunaRebirth »

aaammmsterdddam wrote: Pretty much anything if the coder is clever enough, LUA is Turing complete and even the strongest sandbox can be escaped - it's a neat idea but a security nightmare, I wouldn't want to figure out how to solve it :P
Well, although that may be true, I'm making all of the C++ Lua functions myself. Not using irrlua or anything. So I should be able to easily see where vulnerabilities can come into play
REDDemon
Developer
Posts: 1044
Joined: Tue Aug 31, 2010 8:06 pm
Location: Genova (Italy)

Re: World of Hello

Post by REDDemon »

If the Lua VM has a vulnerability, users can write malicious code to overflow the C++ app and run any code with the same permissions as the app. Lua continuously fixes those vulnerabilities at each major update, but it is likely there are still some (un)known ones around. It all depends on the Lua VM and the functions you expose. Your best bet is to use an old Lua release with all possible security patches already applied. Newer versions are more likely to be exploited.

Basically:
- If users know a VM vulnerability => they can do anything that your application is allowed to do (internet access, file deletion/reading in particular folders etc.)
- If users also know an operating system vulnerability => once they have gained application control they could scale up to get root privileges
- If you do not carefully expose C++ functions => apart from incurring the risk of exposing the application, it is likely users can cause nasty side effects (like crashing the application for other users)

I'm not saying that's easy to hack, just it is possible.

The only way to work around it is to create "trusted maps" that you carefully check, but you could still miss important malicious code; also, if those maps have no direct malicious code but rather vulnerabilities in their code, it is hard to see it.

You can however be very social. If users can invite only friends, if they get hacked they will know the hacker is their friend, and you can always let your team create maps so that one can always have maps in addition to the maps of their friends (note that there is a lot of scum in social networks, those scums would work anyway with your game).
Welcome to the Turing-complete world!), maybe you create just 100 maps and then selectively show only of them based on a hash of usernames and gradually show more maps over time to give the impression of evolution. Also, if network communication happens only through your C++ layer, you could even be able to record that traffic in order to create a sandbox (a user creating a map just sees more players playing, but those in reality are just recorded instances), not saying that will be ethical, but users will be happy to see more players playing (and believe me, most MMOs already do that, but maybe in your case since maps are custom it is hard to create bots)
Junior Irrlicht Developer.
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
REDDemon
Developer
Posts: 1044
Joined: Tue Aug 31, 2010 8:06 pm
Location: Genova (Italy)

Re: World of Hello

Post by REDDemon »

However, if you are careful not to have a Turing-complete scripting language (for example, on each event you can only play a list of actions, so no loops and no dynamic allocation), or if Turing completeness is emergent (redstone in Minecraft), then there are good chances that you can prevent most (not all) exploits.
Junior Irrlicht Developer.
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
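
REDDemon's last suggestion (each event may only play a fixed list of actions, with no loops and no dynamic allocation on the script side), sketched as an added C++ example. It is not code from the thread or from the game; the opcode set, the 5-byte wire format, the limits and every name are assumptions made for the illustration.

```cpp
// Added illustration: every name and limit here is hypothetical.
#include <algorithm>
#include <array>
#include <cstdint>
#include <string>
#include <vector>

enum class Op : std::uint8_t { PlaySound, MoveObject, ShowText };  // closed whitelist
struct Action { Op op; std::uint32_t target; std::int32_t arg; };

constexpr std::size_t kMaxActions = 16;       // hard budget per event, so cost is bounded
constexpr std::uint32_t kMaxObjects = 64;     // objects a map may move or label
constexpr std::uint32_t kMaxSounds = 8;       // sounds a map may play
constexpr std::int32_t kWorldLimit = 100000;  // positions are clamped to +/- this

struct World {
    std::array<std::int32_t, kMaxObjects> objectX{};
    std::vector<std::string> log;
};

// Untrusted input: 5 bytes per action (opcode, target u16 LE, arg i16 LE).
// Any malformed record rejects the whole list; nothing is partially accepted.
bool parseActions(const std::vector<std::uint8_t>& raw, std::vector<Action>& out) {
    out.clear();
    if (raw.size() % 5 != 0 || raw.size() / 5 > kMaxActions) return false;
    std::vector<Action> parsed;
    for (std::size_t i = 0; i < raw.size(); i += 5) {
        if (raw[i] > static_cast<std::uint8_t>(Op::ShowText)) return false;  // unknown opcode
        const Op op = static_cast<Op>(raw[i]);
        const std::uint32_t target = static_cast<std::uint32_t>(raw[i + 1] | (raw[i + 2] << 8));
        const std::int32_t arg = static_cast<std::int16_t>(raw[i + 3] | (raw[i + 4] << 8));
        const std::uint32_t limit = (op == Op::PlaySound) ? kMaxSounds : kMaxObjects;
        if (target >= limit) return false;  // index is checked before it is ever used
        parsed.push_back({op, target, arg});
    }
    out = parsed;
    return true;
}

// Each validated action runs exactly once, in order: no jumps, no recursion.
void runActions(const std::vector<Action>& actions, World& w) {
    for (const Action& a : actions) {
        switch (a.op) {
            case Op::PlaySound: w.log.push_back("sound " + std::to_string(a.target)); break;
            case Op::MoveObject:
                w.objectX[a.target] = std::max(-kWorldLimit, std::min(kWorldLimit, w.objectX[a.target] + a.arg));
                break;
            case Op::ShowText: w.log.push_back("text " + std::to_string(a.target)); break;
        }
    }
}
```
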