Testing

  • The Malicious module executes its malicious tests when its system is initialized. Look for messages from this class in the Terasology log file.
  • The Sample module provides a ReallyCrashGameBlock that attempts unauthorized use of System.out when you use it.
    • use the console to give ReallyCrashGameBlock
    • place the block on the ground
    • hit the Use key

Threat Models

Threats from local execution of untrusted modules

Accessing a local resource

For example:

  • a local file
  • capture your desktop (outside the game window)
  • snoop on local devices (keyboard, webcam, USB drives)

Accessing your local network

  • smartphones and other computers
  • printers and other Internet-connected Things

Exfiltration and Exploitation of Remote Networks

  • uploading data to a third-party server
  • using network resources to attack a remote target

⚠ A module will send data to the game server you are connected to. The thing to prevent is sending information to a third party without the consent of either client or server.

Threats from network input from untrusted clients

The game creates new objects and executes methods on them in response to network input. An attacker may attempt to craft a message that tricks the server into executing an unsafe method.

Security Mechanisms

Terasology relies on Gestalt Module Sandboxing to protect against these risks of running untrusted JVM code. However, it's up to the application to make sure the sandbox is configured and applied correctly.

ClassLoaders

  • ModuleManager.setupSandbox configures a PermissionProviderFactory with modules and the allowable packages and classes.
  • ModuleManager.loadEnvironment constructs a gestalt.module.ModuleEnvironment with that PermissionProviderFactory.
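
The allowlist idea behind the two steps above, as an added example that is not gestalt or Terasology code: a class loader that refuses any class name outside a list of allowable packages and classes. `Allowlist`, `SandboxClassLoader` and the sample entries are hypothetical, exact-package matching is an assumption, and the record syntax needs Java 16 or later.

```java
import java.util.List;
import java.util.Set;

// Added illustration, not gestalt or Terasology code. Allowlist and
// SandboxClassLoader are hypothetical names; the sample entries are constructed.
public class AllowlistLoaderDemo {

    // Permits a class if its exact name or its exact package is listed.
    record Allowlist(Set<String> packages, Set<String> classes) {
        boolean permits(String className) {
            int dot = className.lastIndexOf('.');
            String pkg = dot < 0 ? "" : className.substring(0, dot);
            // Exact match only: listing java.util does not admit java.util.zip.
            return classes.contains(className) || packages.contains(pkg);
        }
    }

    // Code defined by this loader resolves every class reference through
    // loadClass, so names off the allowlist never link. A real module loader
    // would also define the module's own classes; that part is omitted.
    static final class SandboxClassLoader extends ClassLoader {
        private final Allowlist allowlist;
        SandboxClassLoader(ClassLoader parent, Allowlist allowlist) {
            super(parent);
            this.allowlist = allowlist;
        }
        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!allowlist.permits(name)) {
                throw new ClassNotFoundException("not on allowlist: " + name);
            }
            return super.loadClass(name, resolve);
        }
    }

    public static void main(String[] args) {
        Allowlist allowlist = new Allowlist(Set.of("java.util"), Set.of("java.lang.Object", "java.lang.String"));
        ClassLoader loader = new SandboxClassLoader(AllowlistLoaderDemo.class.getClassLoader(), allowlist);
        for (String name : List.of("java.util.ArrayList", "java.lang.String",
                "java.lang.System", "java.lang.Runtime", "java.io.File", "java.util.zip.ZipFile")) {
            try {
                loader.loadClass(name);
                System.out.println("allowed " + name);
            } catch (ClassNotFoundException e) {
                System.out.println("denied  " + name);
            }
        }
    }
}
```

Name filtering only governs classes resolved through this loader; permission checks on what already-loaded code may do are a separate layer, covered under Java Security Manager.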

Java Security Manager

o.t.engine.core.ModuleManager.setupSandbox installs the gestalt ModuleSecurityPolicy and ModuleSecurityManager.

The restrictions of ModuleSecurityPolicy apply to classes which were loaded using a ModuleClassLoader.

⚠ This API is proposed for removal from a future version of the JDK (JEP 411). If it's first deprecated in JDK 17, it will be quite a while yet before it's removed entirely, but eventually there will come a time when we want the features of a new JDK and the Security Manager is no longer available.

Type Registry

  • The nui-reflect TypeRegistry uses lists of allowable classes and packages to guard against ⎵⎵⎵⎵⎵.
  • An o.t.persistence.typeHandling.TypeHandlerLibrary makes use of both a nui-reflect TypeRegistry and a gestalt ModuleEnvironment.

Related:

Threats not addressed

  • local denial of service attack (excessive CPU and RAM consumption)
  • exploiting local computing resources (crypto mining)
  • …?