Security of AngelScript
January 26, 2009 08:10 PM
Hi,
How secure the angelscript engine is?
Let's say, the script code on the client side can only load once by client application, is that possible for some hackers to replace the script code by using the instance of script engine?
the hacker can crack the angel engine code, understand the structure of engine inside of memory, and replace the bytecode of the specific module with precompiled bytecode.
Is this possible?
Cheers
359
January 27, 2009 01:44 AM
Your program will never be safe if attackers have compromised your system. It may be highly unlikely but it should be as possible as writing a C Hello world application in pure bytecode using notepad.
Since you're talking about client (and there's obviously a server involved), you should consider the following: Instead of trying to prevent someone from highjacking client side code (do it as long as it doesn't take a year to implement): let the server decide if a player can do a certain action.
Whenever the client requests anything (like building a tank, moving to tile (4,5), whatever), the server should try to run some validation check and see if this is possible. That way, even when the client circumvents your client-side protection, he will be unable to cheat (or will have a hard way) because the server won't allow it.
Since you're talking about client (and there's obviously a server involved), you should consider the following: Instead of trying to prevent someone from highjacking client side code (do it as long as it doesn't take a year to implement): let the server decide if a player can do a certain action.
Whenever the client requests anything (like building a tank, moving to tile (4,5), whatever), the server should try to run some validation check and see if this is possible. That way, even when the client circumvents your client-side protection, he will be unable to cheat (or will have a hard way) because the server won't allow it.
January 27, 2009 05:46 AM
Pre-compiled bytecode is more vulnerable to malicious attacks than pure script code. During compilation of the script code the compiler validates types and adds bounds checking. These things are not validated during the loading of pre-compiled bytecode, thus it is possible that someone may modify the bytecode to do something you didn't intend.
However, a hacker that knows how to modify the bytecode can just as well modify your application directly so the bytecode is not any less safe than your own application.
If you're worried about hacks then you need to add validation of the script code, for example MD5 checksums and perhaps even encryption of the files. If you use private/public-key encryption your application can hold the public key for decrypting the files, but the hacker will not have the private key to encrypt modified scripts. If you can also move some of this validation off the client to the server, then you'll be even more safe against hackers as they are unlikely to have access to the server itself.
However, a hacker that knows how to modify the bytecode can just as well modify your application directly so the bytecode is not any less safe than your own application.
If you're worried about hacks then you need to add validation of the script code, for example MD5 checksums and perhaps even encryption of the files. If you use private/public-key encryption your application can hold the public key for decrypting the files, but the hacker will not have the private key to encrypt modified scripts. If you can also move some of this validation off the client to the server, then you'll be even more safe against hackers as they are unlikely to have access to the server itself.
AngelCode.com - game development and more - Reference DB - game developer references
AngelScript - free scripting library - BMFont - free bitmap font generator - Tower - free puzzle game
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
