Crystal Space
Topic: How secure is Crystal Space (Read 4773 times)
dominic (Newbie, Posts: 25)
How secure is Crystal Space
« on: July 21, 2005, 08:38:33 pm »
I'm wondering, how secure is Crystal Space? Is it safe to ask Crystal Space's loader (not a custom loader) to load map files and models and stuff like that which come from an untrusted source?
« Last Edit: July 26, 2005, 12:00:31 pm by dominic »
jorrit (Administrator, Hero Member, Posts: 1703)
Re: How secure is Crystal Space
« Reply #1 on: July 21, 2005, 08:45:20 pm »
Quote from: dominic on July 21, 2005, 08:38:33 pm
> I'm wondering, how secure is Crystal Space? Is it safe to ask Crystal Space's loader (not a custom loader) to load map files and models and stuff like that which come from an untrusted source?

We have done absolutely nothing for security. This is really not an issue for CS for us. So no. CS is not secure at all.
Greetings,
dominic (Newbie, Posts: 25)
Re: How secure is Crystal Space
« Reply #2 on: July 21, 2005, 09:11:08 pm »
Quote from: jorrit on July 21, 2005, 08:45:20 pm
> We have done absolutely nothing for security. This is really not an issue for CS for us. So no. CS is not secure at all.
> Greetings,

What about multiplayer games? I'm sure I'm not the only one wanting to create a multiplayer game with Crystal Space. In fact, PlaneShift is a multiplayer game using CS. Security IS an issue for ANY library that could be used in a networked environment. I hope this will be fixed soon, or I will have to either change engine or write my own loader. Unfortunately, the second option would take forever. And the first would require lots of research. CS is the only suitable engine I have found for my game. Other engines either work with dsp trees or manage only exterior scenes. I can't use dsp in my game because I want to be able to break through any wall. However, the biggest problem with this is that some people probably think that it IS safe, since there are no warnings in the doc.
Thanks
« Last Edit: July 21, 2005, 09:18:09 pm by dominic »
jorrit (Administrator, Hero Member, Posts: 1703)
Re: How secure is Crystal Space
« Reply #3 on: July 22, 2005, 05:37:07 am »
Quote from: dominic on July 21, 2005, 09:11:08 pm
> Quote from: jorrit on July 21, 2005, 08:45:20 pm
> > We have done absolutely nothing for security. This is really not an issue for CS for us. So no. CS is not secure at all.
> > Greetings,
>
> What about multiplayer games? I'm sure I'm not the only one wanting to create a multiplayer game with Crystal Space. In fact, PlaneShift is a multiplayer game using CS. Security IS an issue for ANY library that could be used in a networked environment. I hope this will be fixed soon, or I will have to either change engine or write my own loader. Unfortunately, the second option would take forever. And the first would require lots of research. CS is the only suitable engine I have found for my game. Other engines either work with dsp trees or manage only exterior scenes. I can't use dsp in my game because I want to be able to break through any wall. However, the biggest problem with this is that some people probably think that it IS safe, since there are no warnings in the doc.
> Thanks

Multiplayer games are fine with CS. But then security is up to the game and not to CS. i.e. you build your security in the game network interface itself (this is how PlaneShift works). The networking module doesn't directly touch any CS code. It just transfers packets from client to server and server to client. Security on CS side doesn't matter there.
Greetings,
dominic (Newbie, Posts: 25)
Re: How secure is Crystal Space
« Reply #4 on: July 22, 2005, 07:35:38 pm »
Quote from: jorrit on July 22, 2005, 05:37:07 am
> Multiplayer games are fine with CS. But then security is up to the game and not to CS. i.e. you build your security in the game network interface itself (this is how PlaneShift works). The networking module doesn't directly touch any CS code. It just transfers packets from client to server and server to client. Security on CS side doesn't matter there.
> Greetings,

I have revised the LoadMapFile. I have not finished but so far it looks fine when it comes to "undefined behaviors" possibilities. Errors seem to be checked and buffer bounds enforced (Except for ReportError() and ReportWarning() in csloader.cpp, but these have been fixed in the CVS). Actually, all (if I recall well) of CS source that I have looked at seem to follow this philosophy. I guess the main concern with the map loader would be with plugins that could be insecure. In many multiplayer games today, the server can send maps and models to clients when they don't have them and this is supposed to be as secure as opening a HTML page on the Web. I intend to do the same in my game.
Since CS is well written, I guess it would not be much work to make opening a map or model file through the provided loader as secure as opening a .png or .mp3. Maybe a CS security subproject could be created to fix this. Since I'm already busy with my own game, I could not lead it, but I could participate a little.
Greetings
morgul (Newbie, Posts: 20)
Re: How secure is Crystal Space
« Reply #5 on: August 08, 2005, 08:28:46 pm »
As Jorrit said, security is up to the game, not the engine. My project (a MMORPG) has to face some of the concerns you've raised. Basically, we simply only trust things that come across the network (from the server). 'Undefined behaviours' aren't a problem... because we ignore them in our game logic. All other security concerns are taken care of by similar methods. It's actually pretty easy.
--Morgul
dominic (Newbie, Posts: 25)
Re: How secure is Crystal Space
« Reply #6 on: August 09, 2005, 02:40:56 pm »
Quote from: morgul on August 08, 2005, 08:28:46 pm
> As Jorrit said, security is up to the game, not the engine. My project (a MMORPG) has to face some of the concerns you've raised. Basically, we simply only trust things that come across the network (from the server). 'Undefined behaviours' aren't a problem... because we ignore them in our game logic. All other security concerns are taken care of by similar methods. It's actually pretty easy.
> --Morgul

Well, I have continued my evaluation of the loader's source. I'm not finished and I won't, but if you want some good piece of advice, DON'T load any XML file that comes from an untrusted source using the Crystal Space XML plugins (be it tinyXML or the other one I forgot the name of).
-- greetings
res (Develazyoper, CS Developer, Full Member, Posts: 206)
Re: How secure is Crystal Space
« Reply #7 on: August 15, 2005, 03:25:24 pm »
Quote from: dominic on August 09, 2005, 02:40:56 pm
> Well, I have continued my evaluation of the loader's source. I'm not finished and I won't, but if you want some good piece of advice, DON'T load any XML file that comes from an untrusted source using the Crystal Space XML plugins (be it tinyXML or the other one I forgot the name of).

Of course, feel free to inform us about the issues you find.
Still, CS doesn't have concepts of "trust" - if such a thing is desired, it's really up to the application to check that a data source is legit.
dominic (Newbie, Posts: 25)
Re: How secure is Crystal Space
« Reply #8 on: August 15, 2005, 08:56:59 pm »
Quote from: res on August 15, 2005, 03:25:24 pm
> Of course, feel free to inform us about the issues you find.
> Still, CS doesn't have concepts of "trust" - if such a thing is desired, it's really up to the application to check that a data source is legit.

Who shall I contact about this? Or should I simply state these issues here (I'm not sure it would be wise)?
jorrit (Administrator, Hero Member, Posts: 1703)
Re: How secure is Crystal Space
« Reply #9 on: August 15, 2005, 09:05:32 pm »
Quote from: dominic on August 15, 2005, 08:56:59 pm
> Quote from: res on August 15, 2005, 03:25:24 pm
> > Of course, feel free to inform us about the issues you find.
> > Still, CS doesn't have concepts of "trust" - if such a thing is desired, it's really up to the application to check that a data source is legit.
>
> Who shall I contact about this? Or should I simply state these issues here (I'm not sure it would be wise)?

Why not? CS is Open Source. Anyone can find these issues. I'd rather be open about them.
Greetings,
res (Develazyoper, CS Developer, Full Member, Posts: 206)
Re: How secure is Crystal Space
« Reply #10 on: August 15, 2005, 09:06:47 pm »
Quote from: dominic on August 15, 2005, 08:56:59 pm
> Who shall I contact about this? Or should I simply state these issues here (I'm not sure it would be wise)?

I don't think publishing the issues would lead to a sudden flood of exploits targeting CS, so any communication facility (be it this forum, or be it the mailing list) is probably okay.
If it makes you more comfortable, just mail the info to me and/or Jorrit and/or any other CS dev.
dominic (Newbie, Posts: 25)
Re: How secure is Crystal Space
« Reply #11 on: August 20, 2005, 08:33:05 pm »
I have made a patch for the vulnerabilities I have found. I don't guarantee it will work, I haven't tested it, but it is very simple, so if something is wrong with them, you won't have much problem solving it. I made it against the most recent CVS version of the affected files. I haven't posted it on the SourceForge page yet, because I haven't tested it.
My very first patch for someone else's code.
Greetings
Attachment: csxmlpatch.txt (3.37 KB - downloaded 192 times.)
jorrit (Administrator, Hero Member, Posts: 1703)
Re: How secure is Crystal Space
« Reply #12 on: August 20, 2005, 08:35:30 pm »
Quote from: dominic on August 20, 2005, 08:33:05 pm
> I have made a patch for the vulnerabilities I have found. I don't guarantee it will work, I haven't tested it, but it is very simple, so if something is wrong with them, you won't have much problem solving it. I made it against the most recent CVS version of the affected files. I haven't posted it on the SourceForge page yet, because I haven't tested it.
> My very first patch for someone else's code.
> Greetings

At first glance that patch looks ok. If I find a little time I'll try to submit it. Please if this hasn't been done in a few days from now then remind me by replying to this thread (I'll get a mail then).
Greetings,
dominic (Newbie, Posts: 25)
Re: How secure is Crystal Space
« Reply #13 on: August 20, 2005, 08:39:09 pm »
Ok, thanks
res (Develazyoper, CS Developer, Full Member, Posts: 206)
Re: How secure is Crystal Space
« Reply #14 on: August 20, 2005, 09:24:47 pm »
Quote from: jorrit on August 20, 2005, 08:35:30 pm
> At first glance that patch looks ok. If I find a little time I'll try to submit it.

I've fixed the issues in the patch, though differently; I just used csStrings instead of char arrays.
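The kind of fix described in the last post (a growable string in place of a fixed char array), as an added illustration that is not Crystal Space code and not taken from the attached patch. `FormatReport`, `FormatReportFixed` and `LongName` are hypothetical names, `std::string` stands in for `csString`, and the over-long input is constructed.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Hypothetical error reporter for a file loader; NOT Crystal Space code.
// Unsafe pattern, shown for contrast only (fixed char array, unbounded write):
//   char buf[256];
//   vsprintf(buf, fmt, args);  // writes past buf when file text is long

// Hardened: measure the message first, then format into a string that fits.
// std::string stands in here for the engine's own string class (assumption).
std::string FormatReport(const char* fmt, ...) {
  va_list args, measure;
  va_start(args, fmt);
  va_copy(measure, args);
  int needed = std::vsnprintf(nullptr, 0, fmt, measure);  // excludes the NUL
  va_end(measure);
  std::string out;
  if (needed > 0) {
    out.resize(static_cast<std::size_t>(needed) + 1);
    std::vsnprintf(&out[0], out.size(), fmt, args);
    out.resize(static_cast<std::size_t>(needed));  // drop the trailing NUL
  }
  va_end(args);
  return out;
}

// Where a fixed buffer has to stay: truncate instead of overflowing.
// Returns true when the message did not fit completely.
bool FormatReportFixed(char* buf, std::size_t cap, const char* fmt, ...) {
  if (cap == 0) return true;
  va_list args;
  va_start(args, fmt);
  int n = std::vsnprintf(buf, cap, fmt, args);
  va_end(args);
  if (n < 0) { buf[0] = '\0'; return true; }
  return static_cast<std::size_t>(n) >= cap;
}

// Constructed sample input: an over-long name as an untrusted file could carry.
std::string LongName() { return std::string(1000, 'A'); }

int main() {
  char small[32];
  bool cut = FormatReportFixed(small, sizeof small, "Bad node '%s'", LongName().c_str());
  std::string msg = FormatReport("Bad node '%s'", LongName().c_str());
  std::printf("%zu bytes formatted; fixed buffer truncated: %d\n", msg.size(), cut);
  return 0;
}
```

The growable version keeps the whole message; the fixed-buffer version reports truncation so the caller can log that the input was over-long.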