
UnrealScript security considerations

From Unreal Wiki, The Unreal Engine Documentation Site
Revision as of 12:45, 4 March 2012 by Wormbo (Talk | contribs) (it's a start...)


This article lists some basic security considerations concerning anything you create using UnrealScript.

If I prevent the client from clicking the wrong button, I'm safe, right?

an unsuspecting modder

Well, not really. The uncomfortable truth is that the client can do things the author can't predict. In fact, crackers (i.e. the evil kind of hackers) have found many ways to make servers do things they would never do for regular players.


Kinds of exploits

All the evil things crackers may do to a game server can be categorized as follows:

Cheating
This covers all the annoying ways of breaking the rules of the game, like wall hacks, speed hacks, aim bots, etc.
Denial of service
Anything that makes the game unplayable for technical reasons, for example hogging the server's CPU, causing network lag or simply crashing the server.
Taking control
The attacker breaches security measures to change game settings or make the server do things only the server administrator should be able to do.

Entry points

Attackers have different ways to achieve any of the above exploits:

Console commands and configuration settings
As simple as it may sound, the game itself or any of the mods running on the server may make console commands or settings available to regular players that allow any of the above exploits. Of course that can be considered a serious bug in the game or mod and needs to be fixed. An example is a crash vulnerability in older versions of the Unreal Engine that involved invalid class names. If a client was able to make the server try to load such an invalid class, the server would crash, and there were many ways to do that.
Loading additional code to use existing code in unexpected ways
This is probably the most common way to activate cheats nowadays. The client runs some loader program or otherwise "injects" custom code into the game client, be it via a DLL file or an Unreal package file. In both cases the client gains access to new features, such as radars, aiming aids or even more powerful weapons.
Modifying existing code
Files that came with the game or belong to mods running on the server are modified to unlock otherwise inaccessible features or to add custom code. This approach could be used to disable built-in features, such as no longer blinding the player after he was exposed to a flashbang explosion.
External tools
For some exploits it's not even necessary to run the game. As soon as the server provides other means of access, such as a web interface or some kind of query protocol, those can be used to trigger unwanted behavior.

Preventing exploits

So, how do you prevent malicious players from doing all these things if you have so little control over what the client does? The answer is actually quite simple:

Do not trust the client. Ever!

Validate everything the client sends. "Client" in this case means not only the game client; for other access methods (e.g. web interfaces) it also includes the tools used to access them (e.g. a web browser).

Game client and server communicate through replication. In particular, the client uses replicated functions to send anything to the server. Under no circumstances let the client call functions directly through replication if they can cause any of the following things:

  • perform expensive operations, such as iterating over all actors or loading irrelevant objects (causes lag due to CPU hogging)
  • cause function calls to be replicated to all or many clients (causes lag due to increased network traffic)
  • instantiate actors/objects (uses up memory and CPU)
  • modify admin-only settings
  • execute arbitrary console commands
  • modify the URL options for the next map (danger of admin password override!)
  • set game-relevant default or instance properties to arbitrary values

This list is likely incomplete, so apply common sense to figure out other potentially critical things. Whenever you create a function that is replicated to the server, ask yourself if a client could cause problems by calling it with special parameter values or simply by calling it extremely often. Do not rely on your own client code to prevent such things!
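
As an added illustration (not code from this wiki or from any shipped game), the following replicated server function for an admin-only setting rate-limits calls, decides authorization from server-side state and range-checks its parameter. It assumes Unreal Engine 2 (UT2004-style) syntax; the class, function and constant names and the limits are hypothetical.

```unrealscript
// Added example: hypothetical mod class, Unreal Engine 2 (UT2004-style) syntax.
class AdminSettingsRelay extends ReplicationInfo;

const MIN_CALL_INTERVAL = 0.5; // assumed: seconds between accepted calls
const MAX_TIME_LIMIT = 60;     // assumed: highest time limit (minutes) an admin may set

var float LastCallTime;        // server-side bookkeeping, not replicated

replication
{
    // The owning client may call this function on the server.
    reliable if (Role < ROLE_Authority)
        ServerSetTimeLimit;
}

// Executes on the server; Minutes is whatever the client chose to send.
function ServerSetTimeLimit(int Minutes)
{
    local PlayerController PC;

    // Cheapest check first: drop calls that arrive too quickly.
    if (Level.TimeSeconds - LastCallTime < MIN_CALL_INTERVAL)
        return;
    LastCallTime = Level.TimeSeconds;

    // Authorization comes from server-side state, never from a parameter.
    PC = PlayerController(Owner);
    if (PC == None || PC.PlayerReplicationInfo == None
        || !PC.PlayerReplicationInfo.bAdmin)
        return;

    // Range check, so a value the menu would never offer is rejected.
    if (Minutes < 0 || Minutes > MAX_TIME_LIMIT)
        return;

    Level.Game.TimeLimit = Minutes;
}

defaultproperties
{
    // Replicate this actor only to the client that owns it.
    bOnlyRelevantToOwner=True
    bAlwaysRelevant=False
}
```

Hiding the menu entry from non-admins on the client is a convenience only; the three server-side checks are what enforce the rule.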