Version: 1.0
Status: Stable
Date: 2026-03-21
This document defines the security model, threat analysis, and authentication mechanisms for GABP (Game Agent Bridge Protocol). GABP prioritizes security through loopback-only connections, token-based authentication, and defense-in-depth principles.
GABP's security model is designed to achieve:
- Authenticated Access: Only authorized bridges can connect to mods
- Local-Only Communication: Prevent remote network attacks
- Process Isolation: Limit attack surface through proper isolation
- Audit Trail: Enable logging and monitoring of interactions
- Minimal Privilege: Grant only necessary permissions
- The host operating system provides basic security primitives
- File system permissions work correctly
- The bridge application is trusted by the user
- Network interface isolation (loopback vs external) is enforced by the OS
- Unauthorized Bridge Connection: Malicious software attempting to connect to mod
- Token Theft: Attacker gaining access to authentication tokens
- Network Eavesdropping: Interception of communications (mitigated by loopback-only)
- Privilege Escalation: Mod providing more access than intended
- Denial of Service: Overwhelming the mod with requests
- Malicious Mod: The mod itself being compromised (trusted component)
- OS-Level Attacks: Kernel exploits, rootkits, etc.
- Physical Access: Attacks requiring local machine access
- Social Engineering: User-targeted attacks outside the protocol
GABP uses shared secret tokens for authentication:
- Token Generation: Bridge generates cryptographically secure random token
- Token Storage: Token stored in configuration file with restricted permissions
- Token Exchange: Bridge sends token in
session/hellorequest - Token Validation: Mod validates token against stored configuration
- Session Establishment: Success results in
session/welcomeresponse
- Length: Minimum 128 bits (32 hex characters) of entropy
- Source: Cryptographically secure random number generator
- Format: Hexadecimal string for cross-platform compatibility
- Rotation: New token per session (recommended) or per bridge restart
1. Bridge Startup
↓
2. Generate Random Token
↓
3. Write Configuration File (with restricted permissions)
↓
4. Start/Connect to Mod
↓
5. Send session/hello with Token
↓
6. Mod Validates Token
↓
7. Establish Authenticated Session
↓
8. [Session Operations]
↓
9. Session Termination
↓
10. Token Invalidated
All network-based transports MUST use loopback interfaces only:
- TCP: Bind to 127.0.0.1 only (never 0.0.0.0 or external interfaces)
- IPv6: If supported, bind to ::1 only
- Verification: Implementations MUST verify loopback-only binding
- Process Isolation: Child process inherits minimal environment
- Pipe Security: OS-provided pipe security between processes
- No Network: Eliminates network-based attacks entirely
- Loopback Only: Prevents remote network access
- Ephemeral Ports: Use OS-assigned ephemeral ports when possible
- Connection Limits: Implement reasonable connection limits
- File Permissions: Restrict to owner (mode 0600)
- Path Security: Use unpredictable paths with session identifiers
- Cleanup: Remove pipe/socket on exit
Configuration files MUST be protected with restrictive permissions:
- Windows: Use ACLs to grant access only to current user
- Unix/Linux/macOS: Set file mode to 0600 (owner read/write only)
- Directory: Ensure parent directory has appropriate permissions
Configuration files MUST be created atomically to prevent race conditions:
- Write to temporary file with unique name
- Set appropriate permissions on temporary file
- Atomically rename/move to final location
- Verify permissions after creation
- No Sensitive Data in Logs: Never log authentication tokens
- Memory Protection: Clear token from memory when no longer needed
- File Cleanup: Remove configuration file on clean exit
Each bridge session MUST be isolated:
- Unique Tokens: Each session uses a unique authentication token
- Session IDs: Use
launchIdto distinguish sessions - Resource Namespacing: Isolate resources between sessions when possible
All incoming requests MUST be validated:
- Schema Validation: Validate against JSON schemas
- Method Authorization: Check if method is permitted for current session
- Parameter Sanitization: Validate and sanitize all parameters
- Rate Limiting: Implement reasonable rate limits
- Information Disclosure: Avoid leaking sensitive information in errors
- Generic Errors: Use generic error messages when appropriate
- Logging: Log security events for auditing without exposing secrets
- Input Validation: Validate all inputs at protocol boundaries
- Output Encoding: Properly encode outputs to prevent injection
- Resource Limits: Implement limits on memory, CPU, and other resources
- Fail Securely: Default to secure behavior when errors occur
function generateToken() {
// Use cryptographically secure random number generator
randomBytes = secureRandom(16) // 128 bits
return hexEncode(randomBytes)
}
function writeConfigSecurely(config, path) {
tempPath = path + ".tmp." + randomString()
// Write to temporary file
writeFile(tempPath, config)
// Set restrictive permissions
setFilePermissions(tempPath, 0600) // Unix
// or setFileACL(tempPath, currentUser) // Windows
// Atomic move
moveFile(tempPath, path)
// Verify final permissions
verifyPermissions(path)
}
Implementations SHOULD log the following security events:
- Connection attempts (successful and failed)
- Authentication attempts (successful and failed)
- Invalid request attempts
- Rate limit violations
- Configuration file access errors
Security logs SHOULD include:
- Timestamp (UTC)
- Event type
- Source information (process ID, user)
- Outcome (success/failure)
- Relevant context (without sensitive data)
- No Secrets: Never log authentication tokens or other secrets
- Tamper Resistance: Protect log files from modification
- Retention: Define appropriate log retention policies
- Minimal Permissions: Run with minimal required privileges
- Sandboxing: Use OS sandboxing mechanisms when available
- Network Isolation: Ensure proper network interface binding
- File System: Restrict file system access to necessary directories
- Default Security: Ship with secure defaults
- Configuration Validation: Validate security-relevant configuration
- Documentation: Clearly document security implications of settings
- Updates: Provide mechanism for security updates
Security testing SHOULD include:
- Authentication Bypass: Attempt to connect without valid token
- Token Brute Force: Test resilience to token guessing attacks
- Network Binding: Verify loopback-only binding
- File Permission: Test configuration file permission enforcement
- Input Validation: Test with malformed and malicious inputs
Regular security assessments SHOULD include:
- Network Reconnaissance: Attempt to discover services from remote hosts
- Local Privilege Escalation: Test for unauthorized access escalation
- Configuration Analysis: Review configuration security
- Code Review: Static analysis for security vulnerabilities
When security incidents are identified:
- Immediate Response: Isolate affected systems
- Impact Assessment: Determine scope and impact
- Containment: Prevent further damage
- Eradication: Remove threat and vulnerabilities
- Recovery: Restore normal operations
- Lessons Learned: Update security measures
- Responsible Disclosure: Establish process for reporting vulnerabilities
- Response Timeline: Commit to reasonable response times
- Coordination: Work with security researchers and users
- Transparency: Provide appropriate public disclosure
GABP security implementations SHOULD consider:
- OWASP Guidelines: Follow OWASP secure coding practices
- Platform Security: Leverage OS-specific security features
- Industry Standards: Align with relevant security standards
- Regulatory Requirements: Meet applicable regulatory requirements
- Design Review: Security review during protocol design
- Implementation Review: Code review with security focus
- Deployment Review: Security assessment of deployment practices
- Ongoing Assessment: Regular security evaluations