FreeGameDev Forums < General

[Lyberta]

Deleted.

[Duion]

Why you always want to make drama?

[charlie]

This really shows that Xonotic developers are insecure and possessive. We value free software because we want to play games the way we want. Banning legitimate servers is a censorship that is not tolerable in free society.

So, I agree, on the face of it (presuming your description is accurate) it is wrong.

However isn't the advantage of open source the ability to do something about it? You, or people who care - such as those running the mods - can fork Xonotic. You can keep it in sync, so you don't have to do anything other than maintain the reversion of the ban.

Or do you desire to control their development, because they do something you do not like?

[leilei]

This is not "censorship", it's a filter workaround to maintain the Xonotic experience. Banning the servers from the master end would mean excluding Nexuiz from using the same master at all and that would be a bit closer to this so-called "censorship".

Considering one of Xonotic's forks turned into....it may be a blessing in disguise.

[andrewj]

While I don't like the idea of servers being completely hidden from the user (and no way of knowing they exist or to turn off the hiding), I bet the Xonotic developers have good reasons to ban those servers.

A "free society" does not mean people can do absolutely anything they want. For example, many online games will ban people who cheat or who are only griefers, which helps everyone else who are playing the game. The banned people may feel their rights are infringed, but everyone else are very glad they cannot come in and ruin the game.

[c_xong]

Usually games have a "modded server" filter that the user can choose, so they can play on modded servers or vanilla ones as they please. Is this what the Nexuiz servers essentially are, or is there more to the story? FaTony is not giving us the full story here.

[Lyberta]

Deleted.

[charlie]

This is not "censorship", it's a filter workaround to maintain the Xonotic experience.

I couldn't care less about "Xonotic experience" or "Red Eclipse experience" or any other vanilla game experience. I have chosen free software to play the game the way I want, not what devs want.

The problem you have is the development model, Free software, gives the developers their own freedom to do what they want. You choose Free software so you have the freedom to do what you want with that software, but what they want and what you want are 2 distinct things and you have no right to try to control their goals. You DO have a right to fork. That is why Free software is good for you, not because it allows you to analyse the code then complain about it.

[Lyberta]

Deleted.

[Sauer2]

which is compiled into the bytecode. This makes it possible to make client-side mods and upload the bytecode to the client during connection.

That reminds me to ask OT stuff: Has anybody (or do you know someone security related that) tried to create a server that uploads handcrafted bytecode to break out of the VM?

To clarify: Have QuakeC vms some kind of bytecode verifier or do Quake-like players rely on servers that are assumed to be trustworthy?

[Lyberta]

Deleted.

[Sauer2]

That reminds me to ask OT stuff: Has anybody (or do you know someone security related that) tried to create a server that uploads handcrafted bytecode to break out of the VM?

To clarify: Have QuakeC vms some kind of bytecode verifier or do Quake-like players rely on servers that are assumed to be trustworthy?

I would guess that each function that is possible to call from VM has been audited for security. Otherwise, there would be tons of viruses from the Quake days.

This is not so much about functions the VM calls but the VM itself, as explained here: https://www.dartlang.org/articles/dart- ... e-of-trust
For example, imagine, one would do a jump to an adress that doesn't exist as part of the bytecode.

[andrewj]

That reminds me to ask OT stuff: Has anybody (or do you know someone security related that) tried to create a server that uploads handcrafted bytecode to break out of the VM?

To clarify: Have QuakeC vms some kind of bytecode verifier or do Quake-like players rely on servers that are assumed to be trustworthy?

In Darkplaces (which Xonotic uses), the VM with all the game code runs on the server, and the client does not need a copy of it. So each server can have completely different QuakeC game code.

There is also two other VMs which run client-side, which are mainly UI stuff. These can be downloaded from the server (i.e. the server can supply modded client-side QuakeC code). There is a CRC check to guarantee that the client has the VM code which the server expects -- that check may be optional though (I'm not sure).

[Sauer2]

@andrewj: Interesting, thanks.

[Lyberta]

Deleted.

[andrewj]

The question is can malicious code escape from those VMs.

File creation and writing are strictly "sandboxed" to a particular folder, something like $HOME/.darkplaces/name_of_mod/data on Linux, and it cannot overwrite any normal files of the game or any other parts of the filesystem.

File reading is a slightly more relaxed but still sandboxed, limited to files of the game or mod (including stuff in pk3 files) and also the write directory mentioned above, but cannot read any other part of the filesystem.

So no, downloaded client-side VMs cannot do anything malicious.

[Sauer2]

So no, downloaded client-side VMs cannot do anything malicious.

Assuming, the client verifies the bytecode sufficiently. Which may harder than it sounds at first, given that JVM, Silverlight CLR and NaCL had their share of holes in their verifiers and Python and Lua gave up. Apparently, the original QuakeC VM has some kind of bytecode verification - whatever good that was - but I wasn't able to find it in the Darkplaces implementation, so I assume they either didn't reimplement it or removed it...

[onpon4]

I think the more interesting question is: does Xonotic download these programs by default without consulting the user? If yes, then that would mean that Xonotic and other games that have this feature need to be added to this list:

https://onpon4.github.io/other/gaming-trap/

Because if the source of the code is whatever server you happen to be playing on, then it could easily be proprietary software that you're downloading and executing without knowing it. I would suggest to the Xonotic developers that this feature should be removed, or possibly replaced with an official, audited source of libre UI modification scripts.

Also, it is my firm opinion that sandboxing is a losing battle. There is always something you're overlooking, so any time you depend on sandboxing to protect users (in this case from malicious server operators), you make it necessary to be constantly on the lookout for these things and deliver prompt security updates. No feature is ever worth that stress or risk. Just make sure that any new script added to the program is installed because of the explicit action of a user, and maybe include a notice that the user should check the integrity of these scripts before installing them, or only install them from trusted sources. Leave any security beyond that to the OS.

[Lyberta]

Deleted.

[andrewj]

Assuming, the client verifies the bytecode sufficiently.

There is no need to verify anything. The bytecode is interpreted and has limited functionality, for example it can only access memory set aside for the VM, not any arbitrary memory, and can only call built-in functions, which again are limited in what they can do (I already described how the file functions cannot access anything outside of game folders).

The examples you give (JVM, CLR) are designed for running full applications and hence are naturally difficult to sandbox. QuakeC has a much much smaller scope and is perfectly sandboxed (barring bugs in the engine).

[Lyberta]

Deleted.

[onpon4]

Security is a side issue. The main issue is whether or not software is silently installed and executed on the client's machine without the consultation of the user of the client. It's bad for the same reason that JavaScript is bad.

Could anyone link to some examples of these programs, or a document explaining what they do in better detail? I don't know what to look for in the Xonotic source code.

[Lyberta]

Deleted.

[Wuzzy]

Thank you for this Public Service Announcment.
I literally had not known that some servers are hidden. OMG.

I would have changed that immediately, but I can't find the file, however. No “misc” folder anywhere. Can you please give me a hint where I have to look? I'm on Arch Linux.

But I don't really think this is so “evil”. Maybe a “lesser sin”. If they had banned a Xonotic-modded server, that would be a different beast.

But the easiest fix for this is obvious:
If you want to play Nexuiz, just download Nexuiz.

[Lyberta]

Deleted.