I'm not entirely sure that this is a quite a "game design" topic, but at the moment this sub-forum seems to me to be the best fit.

In my current project, I've given some thought to the idea of allowing the base game to run what amount to expansion packs: new, shorter games. Importantly, these may introduce new or alter extant game mechanics, meaning that I would want them to be more than just level packs; they would include code of their own.

In thinking about this, however, it occurred to me that this potentially incurs a significant security hole: even if I never provide tools with which the community might make their own modules, it's plausible that either someone will figure it out anyway, or will find a way to subvert an "official" expansion, allowing them to run arbitrary code via the game.

So, my questions: is it worth my being concerned about this, and if so, what approach do you recommend I take to it? Offhand, the (halfway reasonable, to my mind) options that I see are to: remove the capacity for these expansion packs; allow expansions, but force them to use the mechanics already present in the game--no custom code would be read; allow expansions with custom code, but only my own "official" expansions; allow any expansions that are properly integrated with the game.

(I daresay that even the strictest of those approaches listed above isn't entirely impervious to a decent attempt at subversion, but it seems reasonable to me to consider such attempts sufficiently improbable--especially against an indie game--and problematic to deal with that I can ignore them.)

So: if someone modified your game, the game will be modified :D

Keep in mind people can hack new code into your EXEs no matter what you do... So if someone wants to run modded code, that's their own business.

This sounds like it would only be a security hole if the game automatically downloads expansions from game servers -- so a player could run a modded server that 'infects' anyone who connects to it.

If it's something that players have to do themselves, just put in a warning about there being no support for unofficial/user-made expansions.

Thank you for the response.

So: if someone modified your game, the game will be modified

Exactly! The horror! The horror! *faints* ;P

In all seriousness, however:

Keep in mind people can hack new code into your EXEs no matter what you do... So if someone wants to run modded code, that's their own business.

I'm not really worried about people modifying the game for their own enjoyment, or cheating--for one thing, this isn't a multiplayer game, and I don't intend any sort of automatic updating. What I'm worried about is the possibility of my game providing an avenue for malicious code: while I doubt that it would provide a level of access not otherwise available to such code, being hidden in a game expansion might provide such code with an appealing and non-suspicious cover.

Put another way, such expansions would (by design) allow modification to the gameplay--enabling new mechanics, puzzle- or enemy- types, etc.--by providing a means for the game to run custom code. Having it run custom code, however, means that it can potentially run any code that's fed to it, including malicious code.

If it's something that players have to do themselves, just put in a warning about there being no support for unofficial/user-made expansions.

This does seem fairly reasonable... For what it's worth, I'm currently thinking that, if I do end up making such expansions (such things are somewhat in the future at this point), I'll probably not release any sort of community tools or modding resources, simply because I don't enjoy making tools, and really don't relish the idea of supporting a community toolset; I'd rather move on to new games.

(I'm somewhat tempted to simple drop the idea of expansions entirely--they're small things, in all fairness.)

In general I would say it's not a big deal. For peace of mind I would consider a few options:

• As others said, big disclaimer that 3rd party expansions are not your problem.
• Digitally sign your expansions. That way you can raise a confirmation box every time they load a 3rd party expansion. Maybe require all expansions to be signed by someone?
• If you're using a sandboxable language, limit the permissions for the expansions and/or use reflection to ensure as much as possible that it only calls methods that you expose rather than general system functions.

I'm not entirely sure that this is a quite a "game design" topic ... this potentially incurs a significant security hole:

Security isn't a game design concern. Moving it to Business/Law.

I'm not entirely sure that this is a quite a "game design" topic ... this potentially incurs a significant security hole:

Security isn't a game design concern. Moving it to Business/Law.

On the other hand, I'm not sure that it's more a business or legal issue than a design one: I'm not worrying overmuch about liability at this point, but rather about potential harm to players. I suppose that it's a business issue in that it affects whether or not I release expansions at all, but by the same logic it's a technical and a design issue, as it affects whether I implement security techniques (and if so, which), and what features my game has (specifically, whether I allow expansions, and if so, to what degree). That last point was, I think, my rationale for placing the thread in the "Game Design" sub-forum (aside, admittedly, from simply feeling most comfortable there for now).

However, if it's moderator preference that the topic be here, then fair enough.

In general I would say it's not a big deal. For peace of mind I would consider a few options:

• As others said, big disclaimer that 3rd party expansions are not your problem.
• Digitally sign your expansions. That way you can raise a confirmation box every time they load a 3rd party expansion. Maybe require all expansions to be signed by someone?
• If you're using a sandboxable language, limit the permissions for the expansions and/or use reflection to ensure as much as possible that it only calls methods that you expose rather than general system functions.

As to the first point, again, that is a good point--both in that it somewhat forewarns users of the potential for threat, and against liability (although again, that's not (yet) really my worry here).

As to the second... Honestly, that's more incentive for me to simply cut the feature: I'm not really familiar with digital signing, and not convinced that it's worth learning for the sake of allowing a few expansions. (Although I wouldn't be surprised if I do end up learning about such things simply as part of shipping the game...)

As to the third, I'm using Python (with the Panda3D engine). I think that I might be able to do what you're suggesting there--but I also suspect that doing so would rather limit what expansions could do...

I dare say that, unless you plan on your game to be a multi-million seller, this is a moot point:

Someone hacking your game would possibly provide more visibility for actual buyers than provide clear "free" access to your game.

If, on the other hand, your concern is that the game might become quite popular, and that the lack of security could potentially attract hackers interested in doing harm (spreading viruses, etc.) then there's always the opportunity to revisit your structure and issue a general patch which would retroactively implement all of the necessary logic under one safe download link with any required protection you see fit.

I think it's something you can "wait and see" rather than try to prevent.

Someone hacking your game would possibly provide more visibility for actual buyers than provide clear "free" access to your game.

I'm not entirely clear on what you're suggesting here: visibility of what, in particular? (If you mean "visibility" in the sense of "publicity"--that is, raising awareness of the game itself--than again, business considerations are not really my concern here.)

If, on the other hand, your concern is that the game might become quite popular, and that the lack of security could potentially attract hackers interested in doing harm (spreading viruses, etc.) ...

Well, I'm not really thinking about how popular it's likely to become, but the security concern is indeed what worries me: that the game might provide a vector for malicious code to be run on someone's computer.

... then there's always the opportunity to revisit your structure and issue a general patch which would retroactively implement all of the necessary logic under one safe download link with any required protection you see fit

The thing is, by that point the damage has been done. I realise that I'm not likely to prevent all harm, but if there's a reasonable concern that harm might be done through it then I want to at least give some thought to action taken against it now than let someone get hurt before I do anything about it.

But that's the thing: I'm not sure of how reasonable my concern is. Security issues are not really a strong suit of mine, I fear. :/

For example, even with support for expansions, it's plausible that someone might hack the game itself such that it carries malicious code; but ultimately, as far as I'm aware, there's little to be done against that within what seems reasonable to me. On the other extreme, if I were to (for some reason) install an always-online, open communication port into the game that I used only to gather game-related data, but that was so general that it could be used to gather anything from the computer, then that would, I feel, be a security issue to be dealt with well before actually shipping. My problem, then, is that I don't know where this issue lies between those two points: how serious an issue it is, and how reasonably it might be fixed.

Apologies, I misunderstood your concern it seems.

Not a problem--thank you for answering either way. ^_^