New Require Introspection Feature

Mr_Purrsalot · November 19, 2021, 12:18am

Hey Developers,

Today we have enabled some flags in the game engine to print when you require a MainModule script asset by id in-game. This is a simple tool to help you gain an understanding about script modules included in your game and debug where they are coming from in Studio and Game.

In an effort to not be too noisy, these will happen once per require and show you the call stack where the require happens.

Here’s a quick demo screenshot of what this looks like in Studio:

To understand what’s happening in this example above, it’s nice to know that the source code to asset 7881329664 is:

return require(7883454528)

and the source code to asset 7883454528 is:

print("This is a dummy require. Callstack is:")
print(debug.traceback())
return {}

As you can see, these generate console messages showing you what is required and where it was required.

Here’s a quick demo screenshot of what this same game produces on the server console when published and running as a developer in the game client:

In addition to printing the location, for additional transparency in finding errors coming from these modules, we have renamed the root to required_asset_#. You can see this in the screenshots above.

As some people use require to hide malicious logic in games or load exploits, we hope this introspection enables you to do more to keep your game safe. We are working to do more in this space and pay attention to your feedback.

-Mr_Purrsalot

system · November 19, 2021, 12:28am

This topic was automatically opened after 11 minutes.

Babybunnyiscute19 · November 19, 2021, 12:30am

This feature is just great, there isn’t much to comment on. I’m glad that you guys are doing changes like these!

It would be nice if it also showed that name of the asset. For example, if I required a module with the asset id of 10 (yes I know it’s not real), and the model’s name was “Gun Module”, it would be good if I could see what that name is if I didn’t know it already (like in a gun kit for example). So if a malicious script requires a module script that ill harm your game, and the model’s name is “ue2138saj218hs”, that would be very suspicious, and I could go to the script that requires the module, and delete it. I would already check every script that requires a module from its asset id, but having it display the name would make seeing if it’s safe or not would be even easier.

RussellSchutle · November 19, 2021, 12:32am

Regarding Modules, are there any updates to sandboxing 3rd party closed source modules? During the time this feature was removed I heard either promises or ideas about securely adding 3rd party closed source modules to games.

This feature demonstrated in this topic can help tackle backdoors which was the main idea of the removal of 3rd party closed source modules aswell.

local_ip · November 19, 2021, 12:35am

Is there anything stopping a required module from adding fake-looking similar messages to mislead the user or spamming other messages to obscure the message?

Abcreator · November 19, 2021, 12:43am

It would be nice if we could disable the output of these as I use asset id requiring quite a lot, but I also want my DevConsole to be clean.

Reapimus · November 19, 2021, 12:46am

This is an amazing feature to have, but was it ever considered for this to instead show in a new dedicated developer console tab instead? I feel like it would’ve been far better as its own tab than a print because those can easily get buried by a malicious script simply by spamming prints after the require.

CoinTheKit · November 19, 2021, 12:53am

Some of my old projects reuse code and module scripts will require each other so this will only make some things noisy. I was even going to make some Project Sand Cat modules that will eventually play into a bigger module be in that module for development of the bigger thing. Now when I finish Project Sand Cat the finished product will have 100 require messages from unique modules using each other.

plasma_node · November 19, 2021, 12:59am

This is a great feature, and will hopefully make it easier to identify malicious code in modules. Unfortunately, this can easily be bypassed if the module has several hundred statements that print “Requiring asset” followed by random numbers. It would be great if there was a dedicated way to search for required modules without having to use the search box.

eric12095 · November 19, 2021, 1:01am

probably the feature is great any updates to doing for changes like about asset seems like messages are require introspection for his feature some of projects to module scripts anything about only time when easily to get script simple there a reduce spamming and other thing about a message could believed that requires make it’s safely than modules message.

Dev_Ryan · November 19, 2021, 1:27am

According to the screenshot posted in the OP, you can see that the module’s require was printed before the module could print anything. This means if for any reason a malicious module was spamming the output, you can easily determine the asset id by going to the start of the spamming, provided you can scroll to the beginning in time before the history is chopped off. The only downside is if the module delays the spamming but even then you can just go through the modules that loaded before the spamming which shouldn’t be too hard unless for some reason your game has thousands of modules.

PersonifiedPizza · November 19, 2021, 1:31am

This isn’t necessarily true. The spam could come from the script, which after spamming requires the module.

Either way though, it would be very clear which script has malicious code.

Edit:
It would be nice though if the messages went into a different category so we could search for them even if there is spam.

(currently they go into “Log” like print statements)

CoinTheKit · November 19, 2021, 1:32am

A free model that reposts a another gun model could modify the gun controller module that so happens to be another model (like the official ROBLOX RPG models do) to spam fake require messages after some real log output from different things that will happen like the raycast debug output and then require the real module in the middle.

Dev_Ryan · November 19, 2021, 1:33am

Oh that is a good point. I was only thinking of the spamming coming from the module and not the script that required it. Thanks for mentioning that!

Reapimus · November 19, 2021, 1:34am

The malicious script can spam enough so that the require print gets erased because there’s a limit to how many logs the console shows before it starts removing older ones so this is not true.

Dev_Ryan · November 19, 2021, 1:39am

Yes I realize this which is why I mentioned:

But as another person pointed out, the printing could be from the script that required it and not the module which would be much harder to identify the module that was required.

However, I want to mention this. If for any reason your game is having this activity, shut it down immediately and review your game content. Do a recursive search through all content in the game for scripts of any type and look through them all. If you are careful enough, this issue shouldn’t really be happening in your game in the first place, but I do understand that it is easy to overlook something, especially if you are a beginner developer.

Reapimus · November 19, 2021, 1:43am

either way this would be far more useful a feature if it was displayed in its own developer console tab instead where there is a guarantee that it won’t ever get cut off or not shown to the user. As of right now, I’d say my own plugin I made a while back does a better job at showing what code in your game is using requires.

iGottic · November 19, 2021, 1:55am

Could we have an option to disable this?

CatzRule_81 · November 19, 2021, 1:58am

What effects will this have on obfuscated modules?

CoinTheKit · November 19, 2021, 1:59am

Probably none since it still calls require