Securing publicVariableEventHandlers

A big issue with most game modes in ArmA 3 is how they handle network messages. Most servers I have come across do nothing to protect publicVariableEventHandlers and remoteExec calls. Now before I get started I will mention that there are many different ways to secure network messages and I will only be showing one. I wanted to create a system that allowed for multiple calls to be made to the event at the same time. This created issues with variable combining and multiple events. I also wanted to make sure their was no simple way for someone to make direct calls to the underlying event.

The idea can be broken down into a simple process

  1. Client sends a request to the server
  2. The server asks the target of the request if they are the ones that made the call
  3. The client verifies they sent the request and tells the server to go ahead
  4. The server executes the event code

I will explain how it works at the end.

This is the server side event handler

This is the client side event handler

This is how the client sends a request to kill themselves.

Now this system works by creating a randomize event handler on the server that is only known by the targeted client.  To be more specific this is how it runs out step by step.

  1. On the client: Toggle AmSuiciding so the callback knows we did indeed mean to run this event
  2. On the client: public variable Suicide to the server containing our unit
  3. On the server (inside suicide event): Generate a random string to act as our randomized event handler
  4. On the server (inside suicide event): Create an event handler attached to our randomized string that contains our actual event code within it
  5. On the server (inside suicide event): Notify the targeted client of the randomized string
  6. On the client (inside suicide2 event): If the variable AmSuiciding is true then we can run the code that notifies the callback on the server
  7. On the client (inside suicide2 event, inside the if statement): We take the random string the server sent us and create a variable containing our unit object
  8. On the client (inside suicide2 event, inside the if statement): We public variable that randomized string so that the actual event on the server is triggered
  9. On the server (inside suicide, inside the created event handler): Kill the unit that ran suicide

This system prevents people from creating “Kill target” scripts using our suicide event. Obviously it is really dumb to use an event handler for suicide but the idea for protecting other functions (like admin menu items) is solid.

Liked it? Take a second to support Lystic on Patreon!
About Lystic 19 Articles
ArmA Scripter. Former cheater. Always have security in mind.