
Unknown

Posted: Thu Jul 21, 2016 4:55 pm
by LunaRebirth
Hello!

I tried removing this post but wasn't able to. Carry on!

Unknown

Posted: Thu Jul 21, 2016 4:59 pm
by LunaRebirth
Here's a pic from early development when I had friends helping me test for bugs

Re: Graal3D

Posted: Thu Jul 21, 2016 5:16 pm
by CuteAlien
So... you just wrote your own Second-Life? Wow :-)

Re: Graal3D

Posted: Thu Jul 21, 2016 5:48 pm
by LunaRebirth
CuteAlien wrote:So... you just wrote your own Second-Life? Wow :-)
I suppose so, but this one will be on mobile devices too :-)

Re: Graal3D

Posted: Thu Jul 21, 2016 6:10 pm
by LunaRebirth
Another link from early development -- the world editor

Re: Graal3D

Posted: Sat Jul 23, 2016 5:34 pm
by sudi
LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with Lua scripting and create their own MMO with any storyline they'd like to create.
How are you dealing with the security issues that come from allowing third-party code to run on basically any player's device?

Re: Graal3D

Posted: Sat Jul 23, 2016 9:45 pm
by Vectrotek
Looks cool! :D

Re: Graal3D

Posted: Sun Jul 24, 2016 9:04 pm
by LunaRebirth
Sudi wrote:
LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with Lua scripting and create their own MMO with any storyline they'd like to create.
How are you dealing with the security issues that come from allowing third-party code to run on basically any player's device?
I could be wrong in thinking that there isn't much a player can do with Lua to compromise security?
The server deals with everything login-wise, and no scripts will run on the login/register screen.
The most I can see someone doing with the Lua code is to get account names (which is a feature I added if you want to find a specific client with a specific account name)

Re: Graal3D

Posted: Thu Jul 28, 2016 7:40 pm
by LunaRebirth
If you want to help me achieve my goals to get the game started and running, that would be AMAZING!

Re: Graal3D

Posted: Fri Aug 19, 2016 4:32 am
by Cube_
LunaRebirth wrote:
Sudi wrote:
LunaRebirth wrote: Players are able to create their own "worlds" where they can upload 3D objects, 2D images, sounds, and other files to their world to use with Lua scripting and create their own MMO with any storyline they'd like to create.
How are you dealing with the security issues that come from allowing third-party code to run on basically any player's device?
I could be wrong in thinking that there isn't much a player can do with Lua to compromise security?
The server deals with everything login-wise, and no scripts will run on the login/register screen.
The most I can see someone doing with the Lua code is to get account names (which is a feature I added if you want to find a specific client with a specific account name)
Pretty much anything if the coder is clever enough. Lua is Turing complete and even the strongest sandbox can be escaped - it's a neat idea but a security nightmare, I wouldn't want to figure out how to solve it :P

Re: World of Hello

Posted: Fri Sep 09, 2016 8:54 pm
by LunaRebirth
aaammmsterdddam wrote:Pretty much anything if the coder is clever enough. Lua is Turing complete and even the strongest sandbox can be escaped - it's a neat idea but a security nightmare, I wouldn't want to figure out how to solve it :P
Well, although that may be true, I'm making all of the C++ Lua functions myself. Not using irrlua or anything. So I should be able to easily see where vulnerabilities can come into play.

Re: World of Hello

Posted: Mon Sep 12, 2016 1:02 pm
by REDDemon
If the Lua VM has a vulnerability, users can write malicious code to overflow the C++ app and run any code with the same permissions as the app. Lua continuously fixes those vulnerabilities at each major update, but it is likely there are still some (un)known ones around. It all depends on the Lua VM and the functions you expose. Your best bet is to use an old Lua release with all possible security patches already applied. Newer versions are more likely to be exploited.

Basically:
- If users know a VM vulnerability => they can do anything your application is allowed to do (internet access, file deletion/reading in particular folders, etc.)
- If users also know an operating system vulnerability => once they have gained control of the application they could escalate to root privileges
- If you do not carefully expose C++ functions => apart from the risk of exposing the application, it is likely users can cause nasty side effects (like crashing the application for other users)

I'm not saying that's easy to hack, just it is possible.

The only way to work around it is to create "trusted maps" that you carefully check, but you could still miss important malicious code, and if those maps have no direct malicious code but rather vulnerabilities in their code, that is hard to see.

You can however be very social. If users can only invite friends, then if they get hacked they will know the hacker is their friend, and you can always let your team create maps so that one always has maps in addition to the maps of their friends (note that there is a lot of scum on social networks; those scums would work anyway with your game).
Welcome to the Turing-complete world! Maybe you create just 100 maps and then selectively show only some of them based on a hash of usernames, and gradually show more maps over time to give the impression of evolution. Also, if network communication happens only through your C++ layer, you could even record that traffic in order to create a sandbox (a user creating a map just sees more players playing, but in reality those are just recorded instances). I'm not saying that would be ethical, but users will be happy to see more players playing (and believe me, most MMOs already do that, but maybe in your case, since maps are custom, it is hard to create bots).
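The three points in the post above (a crafted chunk corrupting the VM, the set of host functions you expose, and a runaway script taking the client down for other players) are easiest to see in code. The following is an added example, not code from Graal3D / World of Hello, written in plain Lua 5.3/5.4 so it runs in a stock interpreter. The two game functions `say` and `spawn` and the budget numbers are assumptions for the demo; a C++ host would build the same whitelist with the C API and would additionally enforce a hard memory cap with `lua_setallocf`, which pure Lua cannot do.

```lua
-- Added example (not Graal3D / World of Hello code): run an untrusted world
-- script in a restricted Lua 5.3/5.4 environment. `say`, `spawn` and the
-- limits below are assumptions for the demo.

-- 1. Whitelist. The script's globals are exactly this table; os, io, debug,
--    load, dofile, loadfile, require, getmetatable, setmetatable, rawset,
--    string.dump, string.rep, collectgarbage, ... do not exist for it.
local function make_env(host_api)
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, select = select, tonumber = tonumber, tostring = tostring,
    type = type, pcall = pcall,
    math   = { abs = math.abs, floor = math.floor, max = math.max,
               min = math.min, random = math.random, sqrt = math.sqrt },
    string = { format = string.format, len = string.len, lower = string.lower,
               upper = string.upper, sub = string.sub },
    table  = { insert = table.insert, remove = table.remove,
               concat = table.concat, sort = table.sort, unpack = table.unpack },
  }
  for name, fn in pairs(host_api) do env[name] = fn end  -- the game API
  return env
end

-- 2. Run with a budget. The hook fires every `hook_every` VM instructions;
--    once the budget is spent it is re-armed to fire on *every* instruction,
--    so a script cannot swallow the error with pcall and keep spinning.
local function run_untrusted(name, source, host_api, limits)
  local env = make_env(host_api)
  -- Strings carry a metatable whose __index is the real `string` library, so
  -- ("x"):rep(1e9) or ("").dump would bypass the whitelist. Point it at ours.
  getmetatable("").__index = env.string

  -- Mode "t": refuse precompiled bytecode. Lua does not check the consistency
  -- of binary chunks and a crafted one can corrupt the VM, which is the
  -- "overflow the C++ app" case. Text source has to go through the parser.
  local chunk, err = load(source, "=" .. name, "t", env)
  if not chunk then return false, "compile error: " .. err end

  local co = coroutine.create(chunk)          -- hooks are per thread
  local spent = 0
  local function kill() error("script exceeded its budget", 0) end
  debug.sethook(co, function()
    spent = spent + limits.hook_every
    -- collectgarbage("count") covers the whole state and is only sampled
    -- between hooks; a hard memory cap needs lua_setallocf in the C++ host.
    if spent > limits.max_instructions or collectgarbage("count") > limits.max_kb then
      debug.sethook(co, kill, "", 1)
      kill()
    end
  end, "", limits.hook_every)

  -- Errors are caught here instead of taking the whole client down.
  local ok, result = coroutine.resume(co)
  debug.sethook(co)
  if not ok then return false, "runtime error: " .. tostring(result) end
  return true, result
end

-- Constructed demo inputs (not real world scripts).
local host = {
  say   = function(msg) print("[world] " .. tostring(msg)) end,
  spawn = function(kind, x, y) return string.format("%s@%d,%d", kind, x, y) end,
}
local limits = { hook_every = 1000, max_instructions = 2000000, max_kb = 64 * 1024 }

local cases = {
  { "good",     [[ say("hello") return spawn("npc", 3, 4) ]] },
  { "spin",     [[ while true do pcall(function() while true do end end) end ]] },
  { "escape",   [[ return os.execute("id") ]] },
  { "bigstr",   [[ return ("x"):rep(1000000000) ]] },
  { "bytecode", string.dump(function() return 1 end) },
}
for _, c in ipairs(cases) do
  print(c[1], run_untrusted(c[1], c[2], host, limits))
end
```

Only the first case succeeds: the spinning script is stopped by the instruction budget even though it wraps itself in pcall, the `os` call fails because `os` is simply absent from the environment, the string-method call fails because the string metatable now resolves to the whitelisted table, and the bytecode is rejected by the loader before it ever reaches the VM. Two things the hook does not cover: a host C++ function that loops for a long time (count hooks only fire on Lua instructions), and memory allocated faster than the hook samples it, which is why the allocator-level cap belongs in the host.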

Re: World of Hello

Posted: Wed Dec 07, 2016 3:37 pm
by REDDemon
However, if you are careful not to have a Turing-complete scripting language (for example, on each event you can only play a list of actions, so no loops and no dynamic allocation), or if Turing completeness is emergent (redstone in Minecraft), then there are good chances that you can prevent most (not all) exploits.
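The restricted design described above, as an added example in plain Lua rather than code from the project: each event maps to a fixed list of typed actions that is validated against a schema and then played back in order. The verb set, the limits and the world functions are assumptions for the demo.

```lua
-- Added example (not Graal3D / World of Hello code): the "list of actions per
-- event" design. A handler is data, not code: a fixed sequence of tagged
-- actions with typed arguments, no branching, no loops and no references
-- between actions. The verbs, limits and world functions are assumptions.

local MAX_ACTIONS = 32           -- bounded work per event
local MAX_NUMBER  = 1000000      -- keep coordinates / amounts in a sane range
local MAX_STRING  = 200          -- no megabyte chat messages

-- Schema: verb -> list of argument types. Adding a verb means adding a line
-- here and a matching host function; nothing else can be expressed.
local VERBS = {
  say   = { "string" },
  spawn = { "string", "number", "number" },
  play  = { "string" },
  give  = { "string", "number" },
}

local function check_arg(value, want)
  if type(value) ~= want then return false, "expected " .. want end
  if want == "number" then
    if value ~= value or value > MAX_NUMBER or value < -MAX_NUMBER then
      return false, "number out of range"      -- also rejects NaN
    end
  elseif want == "string" and #value > MAX_STRING then
    return false, "string too long"
  end
  return true
end

-- Validate at upload time and again on load: never trust stored data.
local function validate(handler)
  if type(handler) ~= "table" then return false, "handler must be a table" end
  if #handler > MAX_ACTIONS then return false, "too many actions" end
  for i, action in ipairs(handler) do
    local verb = type(action) == "table" and action[1]
    local spec = verb and VERBS[verb]
    if not spec then
      return false, string.format("action %d: unknown verb %s", i, tostring(verb))
    end
    if #action - 1 ~= #spec then
      return false, string.format("action %d: %s takes %d args", i, verb, #spec)
    end
    for j, want in ipairs(spec) do
      local ok, why = check_arg(action[j + 1], want)
      if not ok then
        return false, string.format("action %d arg %d: %s", i, j, why)
      end
    end
  end
  return true
end

-- Execute: one host call per action, in order, then stop. Runtime is
-- O(#handler); there is nothing for an instruction budget to guard because
-- the handler cannot loop.
local function run(handler, world)
  local ok, why = validate(handler)
  if not ok then return false, why end
  for _, action in ipairs(handler) do
    world[action[1]](table.unpack(action, 2))
  end
  return true
end

-- Constructed demo. In a real host the handler arrives as decoded data (JSON
-- or similar) and is never obtained by load()ing a Lua table literal, which
-- would turn the data straight back into code.
local world = {
  say   = function(m) print("say", m) end,
  spawn = function(k, x, y) print("spawn", k, x, y) end,
  play  = function(s) print("play", s) end,
  give  = function(item, n) print("give", item, n) end,
}
local handlers = {
  { "on_enter", { { "say", "welcome" }, { "spawn", "npc", 3, 4 }, { "play", "door.wav" } } },
  { "bad_verb", { { "os.execute", "id" } } },
  { "bad_arg",  { { "give", "gold", "lots" } } },
  { "bad_num",  { { "spawn", "npc", 0/0, 1e12 } } },
}
for _, h in ipairs(handlers) do
  print(h[1], run(h[2], world))
end
```

The trade-off is exactly the one the post names: a world author can express far less than with Lua, but every handler terminates after at most `MAX_ACTIONS` host calls and the only attack surface left is the argument checking of each verb, which is small enough to review line by line.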