WoW Forums -> Guide to Secure Execution and Tainting

= = = = =

= = 60 =

= = =

Night Elf<= /b>','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Hunter= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = = =

= =

= = =

= =

= = =

= = Iriel =

= = = = = = = = =

< The Vigilance C= ommit… >

= = = = = = = = = = = = =

Silver Hand

= = = = = = = = =

= =

0. Gui= de to Secure Execution and Tainting | 10/13/2006 = 06:19:46 PM UTC

Secure Execution and Tainting

The User Interface API's for Wow 2.0 have been updated to prevent sc= ripted automation of decision making using the same code security model = that protects the movement functions in prior releases. This means that= several more of the API functions have been protected against execution= from insecure code.

A number of common WoW UI coding practices (most notably hooking) ca= n easily cause problems in this model, preventing players from casting s= pells or performing actions, so I hope to explain how the security model= works for developers in order for you to avoid these problems, as well = as introducing some new Blizzard features to make existing ideas work un= der the new constraints.

Secure execution and "Tainting"

When WoW starts executing lua code, the execution starts off 'secure= ', and able to run protected functions. Execution remains secure until i= t encounters 'taint' - which is an indicator that a function or object c= ame from an untrusted (AddOn or /script) source. The basic idea is that= execution becomes 'tainted' as soon as it reads tainted data or execute= s tainted code, and any data written by a tainted execution is itself ta= inted. Protected functions refuse to operate when called from an executi= on path that is not secure.

When the UI first loads, all code and data from Blizzard signed Fram= eXML and AddOns (plus their saved variables) is secure, and all code and= data from user provided AddOns (plus their saved variables) is tainted.=

What can be tainted?

All lua values and references can be tainted - local variables, glob= al
variables, table keys, table values:

* When new values are created (e.g. local x =3D 2) then they inherit= the current taint of their execution path.
* When code accesses secure values, the resulting value will be tain= ted by the current execution path (but the original value remains clean)= .
* When code accesses tainted values, the resulting value will remain= tainted and the execution path is also tainted.
* When code sets global values, the resulting value has the taint of= the execution path.

Function closures can also be tainted, executing a function closure = applies its
taint to the current environment.

Hooking and the hooksecurefunc function

The taint model is the reason that 'hooking' as it is commonly done = today can easily break lots of UI functionality, trying to hook a functi= on that is used by secure code causes a tainted function to be called in= the middle of an otherwise secure execution path, this then taints the = execution path so that nothing following the hook can use secure functio= ns - don't be too dismayed however, we've been given a tool to get aroun= d this.

The new hooksecurefunc API function allows AddOn code to 'post hook'= a secure global function, that is run another function after the origin= al one has been run. So for example you could track calls to CastSpellBy= Name using hooksecurefunc("CastSpellByName", mySpellCastTracke= r). The API replaces the original global function with its own secure ho= ok function that calls the original function, saves its return values aw= ay, and then calls your hook function with the same arguments as the ori= ginal function (any return values from your hook function are thrown awa= y) and then it returns the return values from the original.

The 'special' feature of this secure hook is that when your hook fun= ction is executed, it executes with the taint that was present at the ti= me the hook was created, and when your hook function is done that taint = is discarded and the original secure (or possibly tainted - you cannot u= se hooksecurefunc to REMOVE taint, just avoid it) execution mode is rest= ored.

(continued...)
= = = = = =

UI and Macros Forum MVP - Understand GC!

= = = = =

= = 60 =

= = =

Night Elf<= /b>','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Hunter= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = = =

= =

= = =

= =

= = =

= = Iriel =

= = = = = = = = =

< The Vigilance C= ommit… >

= = = = = = = = = = = = =

Silver Hand

= = = = = = = = =

= =

1. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 06:20:57 PM UTC

Protected frames and secure templates

WoW 2.0 also introduces a new Frame concept, protected frames, which= act like normal frames out of combat, but when in combat cannot be prog= ramatically shown, hidden, re-sized or re-anchored, nor can its attribut= es be changed. Once a frame has been declared protected it cannot be mad= e unprotected, and protection is inherited from templates. You can still= initiate user moving or sizing of protected frames while in combat, you= just cannot use lua to move them. Secure code is allowed to bypass thi= s restriction.

The control restrictions on protected frames also get applied to the= ir parents and any frames they are anchored to. This is important when a= nchoring a protected frame to another normally non-protected frame, as i= t can lead to unexpected and often undesired behavior. This propagation = is temporary, and re-anchoring or re-parenting the frame out of combat c= an release the restriction.

Protected frames are important because they form the basis of the Bl= izzard action and spell buttons, but also because they allow for some ne= w secure button templates. Since normal AddOn code is tainted, it canno= t change targets or perform actions directly, however WoW 2.0 contains a= number of secure templates which can be inherited by AddOn code. These = secure templates provide one or more secure handlers, usually OnClick, t= hat use frame attributes to perform actions. When a secure template is i= nherited then any handlers it defines remain secure unless they are over= ridden by the inheriting frame (or another template).

The secure templates are configured using the new frame attribute me= thods, these can only be used outside of combat, and set a named attribu= te to a specific lua value, discarding the value's taint.

Terminology
Since there are a number of similar concepts at work here, the termi= nology can
be confusing, here's a summary of the common terms and their meaning= s:

* Secure generally means 'without taint'.
* Secure code refers to either an untainted current execution or an = untainted function.
* Values/References/Parameters are sometimes referred to as 'clean',= this means the same as 'secure'.
* A protected function is one that can only be successfully called f= rom a secure execution state.
* A protected frame is one that is locked down during combat.
* A protected method is one that cannot be successfully called on a = protected frame during combat.
* Secure templates are simply XML templates that define secure scrip= t handlers, they usually also create protected frames.

Last Updated: 2006-10-13 11:15am = = = = = =

UI and Macros Forum MVP - Understand GC!

= = = = =

= =

= = =

= = = =

= =

= = Slouken =

= Blizzard Poster = =

= =

2. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 06:38:06 PM UTC

Great explanation, thanks Iriel! = = = = = =

= = = = =

= = 60 =

= = =

Undead= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = =

Priest=
Click to View Talent Build','#ffffff')"; onmouseout=3D"hidedd= rivetip()">

= = = = = =

R= ank: Sergeant
Lifetime Highest PvP Rank','#ffffff')"; onmo= useout=3D"hideddrivetip()">

= = =

= =

= = =

= = Potillan =

= = = = = = =

< Flawed >

= = = = = = = = = = = = =

Archimonde

= = = = = = = = =

= =

3. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 06:39:49 PM UTC

If I inherit a proctected frame can I then modfy it with out 'tainti= ng' it?
Like adding another texture or text layer to it? = = = = = =

= = = = =

= = 60 =

= = =

Night Elf<= /b>','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Hunter= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = = =

= =

= = =

= =

= = =

= = Iriel =

= = = = = = = = =

< The Vigilance C= ommit… >

= = = = = = = = = = = = =

Silver Hand

= = = = = = = = =

= =

4. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 06:44:46 PM UTC

Q u o t e:
If I inherit a proctected fra= me can I then modfy it with out 'tainting' it?
Like adding another texture or text layer to it?

The 'protection' of a protected frame only extends down towards its = parent and anchors. You can add new children to the frame and do whateve= r you need to do with them.
= = = = = =

UI and Macros Forum MVP - Understand GC!

= = = = =

= = 60 =

= = =

Undead= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = =

Priest=
Click to View Talent Build','#ffffff')"; onmouseout=3D"hidedd= rivetip()">

= = = = = =

R= ank: Sergeant
Lifetime Highest PvP Rank','#ffffff')"; onmo= useout=3D"hideddrivetip()">

= = =

= =

= = =

= = Potillan =

= = = = = = =

< Flawed >

= = = = = = = = = = = = =

Archimonde

= = = = = = = = =

= =

5. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 06:47:19 PM UTC

Q u o t e:
The 'protection' of a protect= ed frame only extends down towards its parent and anchors. You can add n= ew children to the frame and do whatever you need to do with them.

Ok thanks (especially for understanding my kind of cryptic question = hehe)

And thanks for the great write up. = = = = = =

= = = = =

= = 60 =

= = =

Human'= ,'#ffffff')"; onmouseout=3D"hideddrivetip()">

= = =

Paladin
Click to View Talent Build','#ffffff')"; onmouseout=3D"hided= drivetip()">

= = = = = =

R= ank: Knight
Lifetime Highest PvP Rank','#ffffff')"; onmous= eout=3D"hideddrivetip()">

= = =

= =

= = =

= = Sabindeus =

= = = = = = =

< Runehammer ><= /li> =

= = = = = = = = = = = = =

Smolderthorn

= = = = = = = = =

= =

6. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 06:53:35 PM UTC

Is it possible to call the new secure functions from tainted code ou= t of combat?

For example, if I wanted to use TargetUnit out of combat, would it = silently fail, return/throw an error, or actually work? = = = = = =

http://www.curse-gaming.com/en/wow/addons-1996-1-turn-in= .html

= = = = =

= = 60 =

= = =

Night Elf<= /b>','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Hunter= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = = =

= =

= = =

= =

= = =

= = Iriel =

= = = = = = = = =

< The Vigilance C= ommit… >

= = = = = = = = = = = = =

Silver Hand

= = = = = = = = =

= =

7. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 06:55:06 PM UTC

Q u o t e:
Is it possible to call the ne= w secure functions from tainted code out of combat?

For example, if I wanted to use TargetUnit out of combat, would it = silently fail, return/throw an error, or actually work?

See the 2.0 changes thread for details of which can be called when. = Targetting is off limits at all times, but casting spells will currently= be allowed out of combat.
= = = = = =

UI and Macros Forum MVP - Understand GC!

= = = = =

= = 65 =

= = =

Human'= ,'#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Priest= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = =

R= ank: Master Sergeant
Lifetime Highest PvP Rank','#ffffff')= "; onmouseout=3D"hideddrivetip()">

= = =

= =

= = =

= = Helpinghand =

= = = = = = =

< Dawn Breaker >

= = = = = = = = = = = = =

Gorefiend

= = = = = = = = =

= =

8. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 07:59:38 PM UTC

Q u o t e:

See the 2.0 changes thread for details of which can be called when. = Targetting is off limits at all times, but casting spells will currently= be allowed out of combat.

Will mods such as WhisperCast still work in 2.0 then? They require = the ability to target something and cast a spell? I wouldn't mind one b= it if WhisperCast still worked, but only out of combat (in combat the mo= d would cease to function). = = = = = =

http://wow.blupp.net/item.php?id=3D338321<= /span>

= = = = =

= = 60 =

= = =

Night Elf<= /b>','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Rogue'= ,'#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = =

R= ank: Private
Lifetime Highest PvP Rank','#ffffff')"; onmou= seout=3D"hideddrivetip()">

= = =

= =

= = =

= = Leynna =

= = = = = = =

< Insomniacs ><= /li> =

= = = = = = = = = = = = =

Stonemaul

= = = = = = = = =

= =

9. Re:= Guide to Secure Execution and Tainting | 10/13/2= 006 08:22:43 PM UTC

Thanks Iriel. I really appreciate your hard work and dedication. = = = = = =

= = = = =

= = 60 =

= = =

Night Elf<= /b>','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Hunter= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = = =

= =

= = =

= =

= = =

= = Iriel =

= = = = = = = = =

< The Vigilance C= ommit… >

= = = = = = = = = = = = =

Silver Hand

= = = = = = = = =

= =

10. Re= : Guide to Secure Execution and Tainting | 10/13/= 2006 08:27:42 PM UTC

Q u o t e:

Will mods such as WhisperCast still work in 2.0 then? They require = the ability to target something and cast a spell? I wouldn't mind one b= it if WhisperCast still worked, but only out of combat (in combat the mo= d would cease to function).
=

Out of combat you would likely be able to reconfigure an action butt= on to cast on the appropriate target, though i'm not sure if that works = reliably with non-unitID-targets.
= = = = = =

UI and Macros Forum MVP - Understand GC!

= = = = =

= = 60 =

= = =

Undead= ','#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Rogue'= ,'#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = =

R= ank: First Sergeant
Lifetime Highest PvP Rank','#ffffff')"= ; onmouseout=3D"hideddrivetip()">

= = =

= =

= = =

= = Corpserie =

= = = = = = =

< Unholy Tribunal >

= = = = = = = = = = = = =

Elune

= = = = = = = = =

= =

11. Re= : Guide to Secure Execution and Tainting | 10/13/= 2006 08:49:31 PM UTC

I've been working on an add on for my guild to streamlinethe process= of buffing a raid, that scans the raid and applies group buffs or cheap= buffs to players or parties that need them. Upon first reading about = the changes it seemed like this would be broken, but I'm kind of hopeful= that it might work out of combat. Any ideas? = = = = = =

= = = = =

= = 60 =

= = =

Gnome'= ,'#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = =

Mage',= '#ffffff')"; onmouseout=3D"hideddrivetip()">

= = = = =

R= ank: Knight
Lifetime Highest PvP Rank','#ffffff')"; onmous= eout=3D"hideddrivetip()">

= = =

= = </

UI & MACROS FORUM