Downloading and running jars from servers - Security?

Ecumene · August 26, 2016, 3:42pm

Say I had a game engine that can import plugins to extend the game’s code, and add new features. For servers to support the plugin, they need to have a copy and so does the user.

My question is, can downloading a jar from the web be a very easy break of security? I want to make it as easy as GMod, were you join a server and it downloads the mods. Although, those are lua scripts and are locked in a script layer.

I want to lock the jar in a vault where it can only access the game code, and no files except for a persistent save config. The game settings for example will be loaded into java and the file won’t, so it can’t mess with your settings either. Something like that…

The thought of downloading 5+ jars and running them makes me cringe, but the stuff modders can do with that is remarkable

ags1 · August 26, 2016, 4:30pm

Yes, huge security risk.

Riven · August 26, 2016, 5:13pm

You can write a bytecode analyser, block reflection, and then whitelist all privileges on each class/method/field that you want to expose (you can even only grant read-access on certain fields). There isn’t any performance overhead with this approach. It’s just quite advanced stuff.

Oh, and blacklisting never works. Whitelisting is your only option.

ddyer · August 27, 2016, 6:45pm

The theory behind applets was exactly that - lock the java code in a sandbox
that protects the user from harm. Sadly, Oracle gave up trying to maintain that
model.

The fundamental problem, IMO, was that the applet model tried to put
locks and barriers in front of the doors that allow java to have normal (ie; unlimited)
access to your machine; but the doors were still there, and exploits were all about
bypassing the impediments.

On the other hand, if the doors had never been there in the first place, there would have
been no barriers needed and no exploits possible. That’s more or less the situation with
Javascript, the only remaining extension language in browsers.

Riven · August 28, 2016, 2:28pm

The sandbox model blacklists (locks and barriers), it doesn’t whitelist.

Furthermore, the sandbox did checks at runtime, instead of whitelisting code at compile/load-time.

Ecumene · August 28, 2016, 6:26pm

This all sounds very reassuring :emo:
How does Minecraft manage the security risk in forge mods?

I could provide a security warning in our forum, explaining how insecure the jars could be…
We could ask mods to provide the source code, as well. But there’s no reason people can distribute binaries with different code.

EDIT: Is there any way to test if the binary deviates from a git repository? Some sort of hash?

Longor1996 · August 29, 2016, 6:20am

Not at all. One can easily add spyware into a MC-Forge mod; there is nothing stopping you from doing so.
It actually happened a couple of times with a well known Pokemon mod (don’t ask me which one!).

Gornova · August 29, 2016, 11:46am

I will be a little bit… cynical this time. :persecutioncomplex:

Security does not exist, you can slow down people from exploiting your architecture!
My suggestion is to provide a way to get working mods and put a clear disclaimer: “You accept the risk!”
Why only a warning? Because here at JGO we are most of the time speaking about hobbies java gaming developing: it worth time in developing a robust solution like this one for your game ?

Ecumene · August 29, 2016, 9:29pm

Good point, I should stop worrying about security and just make it more functional.
I’ll make the requirement that mods must be downloaded online, rather than from entering a server.

Thanks for the helpful information!
Everyone gets a medal!

Gornova · August 30, 2016, 6:45am

wait, inform your users they can be hacked using this method in a clear and straight way !

Longor1996 · August 30, 2016, 7:54am

You could also go and make two modding API’s (that are ‘one’ behind the scenes):
One that is based on ‘configuration files’ (json/xml/ini), and another that uses ‘code files’ (java).

The API based on configuration files is easy to secure:
Its entirely data driven, so as long as you don’t add the ability to reference resources that are not in the game assets, and/or functions that allow the modder to arbitrarily pack together data, it will be ‘secure’. These mods can be made downloadable from a server without much issues.

Problem might be that modding based on configuration files is pretty much useless, so you might have to add something like a simple ‘command’ language (similar to how Minecraft did it) that allows the modder to execute simple commands from simple actions, all still within the sandbox of the surrounding program.

The API based on code files ala’ Java… you cant secure. Mods based on these should not be downloadable from a server, since loading and executing class files is a security hole the size of the solar system and bigger.

Good luck!

ags1 · August 30, 2016, 10:23am

I’m not saying Java does not have extensive security features to lock down code, I’m saying these features have failed. E.g. applets.

basil · August 30, 2016, 12:15pm

what about a “sandbox” setup. a custom security-manager and class-loader ?