Downloading and running jars from servers - Security?
Offline Ecumene

« Posted 2016-08-26 15:42:36 »

Say I had a game engine that can import plugins to extend the game's code, and add new features. For servers to support the plugin, they need to have a copy and so does the user.

My question is, can downloading a jar from the web be a very easy break of security? I want to make it as easy as GMod, where you join a server and it downloads the mods. Although, those are Lua scripts and are locked in a script layer.

I want to lock the jar in a vault where it can only access the game code, and no files except for a persistent save config. The game settings for example will be loaded into java and the file won't, so it can't mess with your settings either. Something like that...

The thought of downloading 5+ jars and running them makes me cringe, but the stuff modders can do with that is remarkable

Offline ags1

« Reply #1 - Posted 2016-08-26 16:30:57 »

Yes, huge security risk.

Offline Riven
« Reply #2 - Posted 2016-08-26 17:13:52 »

You can write a bytecode analyser, block reflection, and then whitelist all privileges on each class/method/field that you want to expose (you can even only grant read-access on certain fields). There isn't any performance overhead with this approach. It's just quite advanced stuff.

Oh, and blacklisting never works. Whitelisting is your only option.

Hi, appreciate more people! Σ ♥ = ¾
Online ddyer
« Reply #3 - Posted 2016-08-27 18:45:46 »


The theory behind applets was exactly that - lock the java code in a sandbox
that protects the user from harm.  Sadly, Oracle gave up trying to maintain that
model.   

The fundamental problem, IMO, was that the applet model tried to put
locks and barriers in front of the doors that allow java to have normal (i.e., unlimited)
access to your machine; but the doors were still there, and exploits were all about
bypassing the impediments.

On the other hand, if the doors had never been there in the first place, there would have
been no barriers needed and no exploits possible.  That's more or less the situation with
Javascript, the only remaining extension language in browsers.

Offline Riven
« Reply #4 - Posted 2016-08-28 14:28:09 »

The theory behind applets was exactly that - lock the java code in a sandbox
that protects the user from harm.  Sadly, Oracle gave up trying to maintain that
model.
The sandbox model blacklists (locks and barriers), it doesn't whitelist.

Furthermore, the sandbox did checks at runtime, instead of whitelisting code at compile/load-time.

Hi, appreciate more people! Σ ♥ = ¾
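
An added example, not code from this thread or from any poster: a minimal load-time check of the kind Riven's replies #2 and #4 describe, which parses a class file's constant pool and reports every referenced class that is not on an allow-list. The class name `WhitelistScan`, the `game/api/` package and the allow-list contents are assumptions; it covers class references only, so the per-method and per-field whitelisting from reply #2 would additionally inspect the Methodref and Fieldref entries.

```java
import java.io.*;
import java.util.*;

public class WhitelistScan {
    // Assumed allow-list: entries ending in "/" are package prefixes, others exact class names.
    // Nothing from java/lang/reflect, java/lang/invoke, java/io or java/net is listed.
    static final List<String> ALLOWED = List.of("java/lang/Object", "java/lang/String", "game/api/");
    static boolean allowed(String name) {
        return ALLOWED.stream().anyMatch(a -> a.endsWith("/") ? name.startsWith(a) : name.equals(a));
    }
    /** Returns the referenced class names that are not allow-listed (empty set = acceptable). */
    static Set<String> violations(InputStream classFile) throws IOException {
        DataInputStream in = new DataInputStream(classFile);
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readInt();                                  // minor and major version
        int count = in.readUnsignedShort();            // constant pool is indexed 1..count-1
        String[] utf8 = new String[count];
        List<Integer> classRefs = new ArrayList<>();
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1 -> utf8[i] = in.readUTF();                    // CONSTANT_Utf8
                case 7 -> classRefs.add(in.readUnsignedShort());     // CONSTANT_Class -> name index
                case 8, 16, 19, 20 -> in.readFully(new byte[2]);
                case 15 -> in.readFully(new byte[3]);
                case 3, 4, 9, 10, 11, 12, 17, 18 -> in.readFully(new byte[4]);
                case 5, 6 -> { in.readFully(new byte[8]); i++; }     // long/double take two slots
                default -> throw new IOException("unknown constant tag " + tag); // fail closed
            }
        }
        Set<String> bad = new TreeSet<>();
        for (int idx : classRefs) {
            String n = idx < count ? utf8[idx] : null;
            if (n == null) throw new IOException("malformed class reference");
            if (n.startsWith("[")) {                   // array type: check its element class
                n = n.replaceFirst("^\\[+", "");
                if (n.length() < 3) continue;          // primitive element such as "I"
                n = n.substring(1, n.length() - 1);    // strip "L" and ";"
            }
            if (!allowed(n)) bad.add(n);
        }
        return bad;
    }
    public static void main(String[] args) throws IOException {
        // Sample input: this scanner's own compiled class file, standing in for a mod class.
        try (InputStream in = WhitelistScan.class.getResourceAsStream("WhitelistScan.class")) {
            System.out.println("disallowed references: " + violations(in));
        }
    }
}
```

Compile with `javac WhitelistScan.java` (Java 14 or later) and run `java WhitelistScan`; the scanner's own class is rejected because it references `java/io` and `java/util` classes that the assumed allow-list does not grant.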
Offline Ecumene

« Reply #5 - Posted 2016-08-28 18:26:30 »

This all sounds very reassuring Emo
How does Minecraft manage the security risk in forge mods?

I could provide a security warning in our forum, explaining how insecure the jars could be...
We could ask mods to provide the source code, as well. But there's no reason people can distribute binaries with different code.

EDIT: Is there any way to test if the binary deviates from a git repository? Some sort of hash?

Offline Longor1996

« Reply #6 - Posted 2016-08-29 06:20:31 »

How does Minecraft manage the security risk in forge mods?

Not at all. One can easily add spyware into a MC-Forge mod; there is nothing stopping you from doing so.
It actually happened a couple of times with a well known Pokemon mod (don't ask me which one!).

The cake is probably a lie... but it's a delicious lie!
Offline Gornova
« Reply #7 - Posted 2016-08-29 11:46:14 »

I will be a little bit.. cynical this time.  persecutioncomplex

Security does not exist, you can slow down people from exploiting your architecture!
My suggestion is to provide a way to get working mods and put a clear disclaimer: "You accept the risk!"
Why only a warning? Because here at JGO we are most of the time talking about hobby Java game development: is it worth the time to develop a robust solution like this one for your game?

Blog | Last game Number+
Offline Ecumene

« Reply #8 - Posted 2016-08-29 21:29:37 »

Good point, I should stop worrying about security and just make it more functional.
I'll make the requirement that mods must be downloaded online, rather than from entering a server.

Thanks for the helpful information!
Everyone gets a medal!

Offline Gornova
« Reply #9 - Posted 2016-08-30 06:45:44 »

Wait, inform your users they can be hacked using this method in a clear and straight way!

 Cheesy

Blog | Last game Number+
Offline Longor1996

« Reply #10 - Posted 2016-08-30 07:54:24 »

Good point, I should stop worrying about security and just make it more functional.
I'll make the requirement that mods must be downloaded online, rather than from entering a server.

You could also go and make two modding APIs (that are 'one' behind the scenes):
One that is based on 'configuration files' (json/xml/ini), and another that uses 'code files' (java).

The API based on configuration files is easy to secure:
It's entirely data driven, so as long as you don't add the ability to reference resources that are not in the game assets, and/or functions that allow the modder to arbitrarily pack together data, it will be 'secure'. These mods can be made downloadable from a server without many issues.

Problem might be that modding based on configuration files is pretty much useless, so you might have to add something like a simple 'command' language (similar to how Minecraft did it) that allows the modder to execute simple commands from simple actions, all still within the sandbox of the surrounding program.

The API based on code files à la Java... you can't secure. Mods based on these should not be downloadable from a server, since loading and executing class files is a security hole the size of the solar system and bigger.

Good luck!

The cake is probably a lie... but it's a delicious lie!
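
An added example, not part of the original post: one way to validate a properties-style config mod as reply #10 describes, accepting only known keys and only resource paths that stay inside the game's asset directory. The key names, the `assets` directory and the sample mod are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;

public class ConfigModCheck {
    // Assumed schema for this sketch: the only keys a config mod may set.
    static final Set<String> NUMERIC_KEYS = Set.of("unit.speed", "unit.health");
    static final Set<String> RESOURCE_KEYS = Set.of("unit.sprite", "unit.sound");
    static final Path ASSETS = Paths.get("assets").toAbsolutePath().normalize();

    /** Returns a list of problems; an empty list means the mod is pure, in-bounds data. */
    static List<String> validate(Properties mod) {
        List<String> problems = new ArrayList<>();
        for (String key : new TreeSet<>(mod.stringPropertyNames())) {
            String value = mod.getProperty(key);
            if (NUMERIC_KEYS.contains(key)) {
                if (!value.matches("\\d{1,4}")) problems.add(key + ": not a small integer");
            } else if (RESOURCE_KEYS.contains(key)) {
                Path p;
                try { p = ASSETS.resolve(value).normalize(); }
                catch (InvalidPathException e) { problems.add(key + ": invalid path"); continue; }
                // Path.startsWith compares whole path elements, not string prefixes.
                if (!p.startsWith(ASSETS)) problems.add(key + ": outside game assets: " + value);
            } else {
                problems.add(key + ": unknown key");   // anything not in the schema is rejected
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample mod file; the last three entries must be rejected.
        String sample = String.join("\n",
            "unit.speed=12",
            "unit.sprite=sprites/tank.png",
            "unit.sound=../../home/user/.ssh/id_rsa",
            "unit.health=9999999",
            "unit.onSpawn=java.lang.Runtime");
        Properties mod = new Properties();
        mod.load(new StringReader(sample));
        validate(mod).forEach(System.out::println);
    }
}
```

`normalize()` does not resolve symbolic links, so a stricter variant checks each value against an index of shipped asset names instead of the file system.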
Offline ags1

« Reply #11 - Posted 2016-08-30 10:23:30 »

Yes, huge security risk.

I'm not saying Java does not have extensive security features to lock down code, I'm saying these features have failed. E.g. applets.

Offline basil_

« Reply #12 - Posted 2016-08-30 12:15:28 »

What about a "sandbox" setup: a custom security-manager and class-loader?