
Ollhax

Member Since 22 Jan 2012

Posts I've Made

In Topic: Using whitelisting to run untrusted C# code safely

06 October 2015 - 12:06 PM

Roslyn cannot make the distinction between good and malicious intents. Something like encrypting all files in "my documents" is just business as usual for the system, but the majority of users certainly don't want a game to do that.

The overarching problem is that it is impossible to recognise harmful code in advance. And when all of your users get hacked by a malicious content pack that slipped past your inspection, it largely becomes your problem.

 

Yes, that's right. I'm just using it to figure out what can potentially do that encryption (or whatever) - or rather, only enable stuff that I'm pretty sure cannot.

 

Could you please elaborate on what you are trying to protect, your application, or your user's system?

 

I would probably read that caution as "don't rely solely on CAS".

 

You can provide a handler for the AppDomain resolve assembly name / type, and prevent particular types/assemblies from being accessed in your AppDomain. This might also help you prevent reflection from bypassing a whitelisting implementation (e.g. restrict access to the reflection types).

 

Btw, reflection can let you mess with non-public members as well, so don't ignore that.

 

Maybe all this combined with a "peer review/approved" approach to marking safe maps/plugins would be enough - then the user can be warned about the dangers of using a particular extension.

 

Add-ins might also be of interest: https://msdn.microsoft.com/en-us/library/bb384200.aspx and https://msdn.microsoft.com/en-us/library/bb355219.aspx

 

I'm trying to protect the users' systems. They'll download mods in the form of code, compile it and run it locally. There won't be a central server that keeps the mods, at least not at first, so any security measures have to be done on the users' local machines.

 

As you say, CAS (or whatever the new security model is called) is still useful. I'll probably leave it in place as an added precaution for PC builds. However, I don't want to be limited to only PC releases, so I need an alternative as well.

 

You're completely right about runtime checking via assembly resolves, I have that check in place already. As far as I know, those are the only assemblies you'll be able to touch, in addition to the ones given to the compiler.

 

Reflection is tricky, agreed. Private member access may be hard to stop, so I'll have to think about that closely. I can probably make tools that let you do "safe" reflection, or just disallow it entirely.

 

Peer-reviewing is definitely a safeguard too. If a mod messes with your computer, you will probably report it, or at least not recommend it to others. But this is obviously only a last resort.
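The assembly-resolve hook discussed in this exchange, written out as an added example (this is not code from the thread or from any poster). It assumes a hypothetical allowlist of assembly simple names and a host-controlled directory; the constructed assembly name in Main does not exist on disk. One caveat worth keeping in mind: AppDomain.AssemblyResolve is only consulted after the runtime's normal probing has failed, so it lets the host refuse or supply an assembly the mod asks for by name, but framework assemblies the runtime finds on its own never reach it. That is why the compile-time reference list decides what the mod can see, and this hook acts as a runtime backstop plus an audit log via AppDomain.AssemblyLoad.

```csharp
// Added example, not from the thread: restrict AppDomain assembly resolution to an
// allowlist and log every assembly that actually loads.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;

public static class AssemblyGate
{
    // Hypothetical allowlist of assembly simple names the mod may resolve, and the
    // directory the host controls; both are assumptions for this example.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ModApi" };
    static string allowedDir;

    public static void Install(string directory)
    {
        allowedDir = directory;
        var domain = AppDomain.CurrentDomain;
        // Fires only when the runtime's own probing failed: the host decides whether
        // to supply the assembly or refuse it.
        domain.AssemblyResolve += OnResolve;
        // Fires for every assembly that does load: cheap telemetry on what the mod reached.
        domain.AssemblyLoad += (sender, e) =>
            Console.WriteLine("loaded: " + e.LoadedAssembly.FullName);
    }

    static Assembly OnResolve(object sender, ResolveEventArgs args)
    {
        var name = new AssemblyName(args.Name);
        string requester = args.RequestingAssembly?.GetName().Name ?? "unknown";
        if (!Allowed.Contains(name.Name))
        {
            Console.WriteLine($"refused: {args.Name} (requested by {requester})");
            return null; // null => the load fails with FileNotFoundException, nothing is loaded
        }
        // Allowed names are loaded only from the host-controlled directory, never by probing.
        string path = Path.Combine(allowedDir, name.Name + ".dll");
        return File.Exists(path) ? Assembly.LoadFrom(path) : null;
    }

    public static void Main()
    {
        Install(AppDomain.CurrentDomain.BaseDirectory);
        try
        {
            // Constructed name that is not on the allowlist and does not exist on disk.
            Assembly.Load("SomeUnlistedAssembly");
        }
        catch (FileNotFoundException)
        {
            Console.WriteLine("load refused as expected");
        }
    }
}
```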


In Topic: Using whitelisting to run untrusted C# code safely

05 October 2015 - 12:49 PM

Thanks for the replies so far! I should have explained my situation a bit more. It's about the same as BitMaster's example of WC3 maps. I want to use C# for scripting-type work. Even when limited, I expect it to be very useful. Some points for context:

  • Users will download mods as code and compile+run them locally. There's no downloading/running of arbitrary .exes or other files. I can examine the code thoroughly before running it.
  • I'll examine the actual semantic model of the code through Roslyn, not match raw code strings.
  • Disallowing the unsafe keyword should avoid problems with buffer overruns, etc. (Well, if I haven't missed something, which is why I'm posting this!)
  • Crashing isn't an issue. I can't help if a mod crashes the sandbox process, but it won't bring down the entire application at least. I imagine mods that crash the game for you won't be that popular.
  • Allowing reflection isn't a requirement.

I'm interested to hear about specific ideas/examples for how you'd be able to attack this setup, given the constraints I mentioned above. I know it's a tricky thing to guarantee that something is secure, but at the same time I can't come up with a single concrete example in my setup where this would be an actual problem. If you'd like, consider it a challenge!

 

Side note: I use C# instead of Lua because I prefer that language, and I'm hoping to ride a bit on the XNA/Unity wave. I can use Roslyn for real-time compiling, giving error messages, providing intellisense-like tooling, etc. Also, it lets me use a common framework for my engine code and mod code. Basically, it saves me a *ton* of work, which makes this a feasible (more or less...) project for me.
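The semantic-model whitelist described in the bullet points above (examine the bound symbols through Roslyn, disallow unsafe, don't worry about reflection), as an added example; this is not code from the thread or from any poster's project. It assumes the Microsoft.CodeAnalysis.CSharp NuGet package, a hypothetical AllowedTypes set, and the two constructed mod sources in Main. The check is default-deny: every expression's bound symbol and every expression's result type must belong to an allowlisted type, so System.Reflection, System.Type and System.IO never need to be enumerated as banned, and a Type obtained through an allowlisted member such as object.GetType() is still rejected because the result type is checked too. Two things the semantic model cannot judge are handled separately: code that fails to compile (an unresolved name has no symbol and would otherwise pass silently) and the dynamic type, whose member accesses are bound at runtime and are therefore invisible to this pass.

```csharp
// Added example, not from the thread: a Roslyn allowlist pass over a mod's semantic model.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public static class ModWhitelist
{
    // Hypothetical allowlist (an assumption for this example): every type a mod may
    // touch, by fully qualified name. Generic types are keyed by their open definition.
    static readonly HashSet<string> AllowedTypes = new HashSet<string>
    {
        "System.Object", "System.Boolean", "System.Int32", "System.Double", "System.String",
        "System.Math", "System.Collections.Generic.List<T>",
    };

    // Produces "System.Int32" rather than the keyword "int", and "List<T>" for List<int>.
    static readonly SymbolDisplayFormat KeyFormat = new SymbolDisplayFormat(
        typeQualificationStyle: SymbolDisplayTypeQualificationStyle.NameAndContainingTypesAndNamespaces,
        genericsOptions: SymbolDisplayGenericsOptions.IncludeTypeParameters);

    // Returns an empty list when the source only touches allowlisted types.
    public static List<string> Check(string source, IEnumerable<MetadataReference> references)
    {
        var problems = new HashSet<string>();
        var tree = CSharpSyntaxTree.ParseText(source);
        // allowUnsafe:false turns any `unsafe` block into a compile error (CS0227).
        var options = new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary, allowUnsafe: false);
        var compilation = CSharpCompilation.Create("Mod", new[] { tree }, references, options);

        // Code that does not bind cannot be judged: an unresolved name has no symbol.
        foreach (var d in compilation.GetDiagnostics().Where(d => d.Severity == DiagnosticSeverity.Error))
            problems.Add("compile error: " + d.GetMessage());
        if (problems.Count > 0) return problems.ToList();

        var model = compilation.GetSemanticModel(tree);
        foreach (var expr in tree.GetRoot().DescendantNodes().OfType<ExpressionSyntax>())
        {
            int line = expr.GetLocation().GetLineSpan().StartLinePosition.Line + 1;
            var resultType = model.GetTypeInfo(expr).Type;

            // `dynamic` defers binding to runtime; nothing below would see those accesses.
            if (resultType is IDynamicTypeSymbol)
                problems.Add($"line {line}: dynamic is not allowed");

            // The symbol the expression refers to (type, method, field, property,
            // operator, constructor) must live on an allowlisted type ...
            var symbol = model.GetSymbolInfo(expr).Symbol;
            if (symbol != null && !IsLocalToMod(symbol, compilation))
            {
                string owner = OwningType(symbol as ITypeSymbol ?? symbol.ContainingType);
                if (owner != null && !AllowedTypes.Contains(owner))
                    problems.Add($"line {line}: '{symbol.ToDisplayString()}' uses {owner}");
            }
            // ... and so must the value it produces, so a forbidden type cannot be reached
            // through an allowlisted member (e.g. object.GetType() yielding System.Type).
            string resultOwner = OwningType(resultType);
            if (resultOwner != null && !AllowedTypes.Contains(resultOwner)
                && !IsLocalToMod(resultType, compilation))
                problems.Add($"line {line}: expression yields {resultOwner}");
        }
        return problems.ToList();
    }

    // Locals, parameters, namespaces and anything the mod declares itself are not
    // subject to the allowlist; the types they use are checked where they appear.
    static bool IsLocalToMod(ISymbol s, Compilation c) =>
        s.Kind == SymbolKind.Local || s.Kind == SymbolKind.Parameter || s.Kind == SymbolKind.RangeVariable
        || s.Kind == SymbolKind.Label || s.Kind == SymbolKind.Namespace
        || SymbolEqualityComparer.Default.Equals(s.ContainingAssembly, c.Assembly);

    // Reduce a type to its allowlist key: strip array ranks, use the open generic definition.
    static string OwningType(ITypeSymbol t)
    {
        while (t is IArrayTypeSymbol a) t = a.ElementType;
        if (t == null || t.TypeKind == TypeKind.TypeParameter || t.TypeKind == TypeKind.Error) return null;
        return t.OriginalDefinition.ToDisplayString(KeyFormat);
    }

    public static void Main()
    {
        // The references handed to the compiler are exactly what the mod can see.
        var refs = new[] { MetadataReference.CreateFromFile(typeof(object).Assembly.Location) };
        // Constructed sample mods: one stays inside the allowlist, one reaches for file I/O and reflection.
        const string benign = @"public class Mod { public int Roll(int sides) {
            var xs = new System.Collections.Generic.List<int>(); xs.Add(sides); return System.Math.Max(1, xs[0]); } }";
        const string hostile = @"public class Mod { public void Run() {
            var t = System.IO.File.ReadAllText(""x""); var m = typeof(int).GetMethods(); } }";

        Console.WriteLine("benign: " + (Check(benign, refs).Count == 0 ? "accepted" : "rejected"));
        foreach (var p in Check(hostile, refs)) Console.WriteLine("hostile: " + p);
    }
}
```

Running Main against the constructed samples accepts the first mod and rejects the second with one line per offending expression (System.IO.File, System.Type, System.Reflection.MethodInfo). Because the pass looks at bound symbols rather than source text, aliasing, fully qualified names and `var` make no difference to the result.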


In Topic: Exclusive maximum in random functions

16 February 2015 - 01:32 PM


If everybody was jumping off of a bridge...

 

Mm, totally with you on that point. That's what I was looking for; whether this is just a convention or if there's something I've not thought about. Good arguments on either side. But, in line with what you said, I've made my problem easier by just calling it a gameplay-oriented randomizer instead (throwing in some helpers for random directions, colors, etc). I can definitely stand behind inclusive maximums for that use case.


In Topic: Exclusive maximum in random functions

15 February 2015 - 08:33 AM

 

None of the mapping functions are inherently better than the other. However, when you look at many different use cases, the math of 0-based exclusive ranges falls out prettier without magic numbers more often than not. You rarely have to add or subtract 1 to compensate for exclusive ranges.

 

 

This pretty much nails it. I agree that neither way (exclusive or inclusive max) is inherently better than the other. So unless I'm missing something, it boils down to my arguments above (counter-intuitive and weird states) vs usefulness for indexing arrays and convention.

 

Thanks for taking your time to answer, I'll go ponder this a bit more.

 


In Topic: Exclusive maximum in random functions

15 February 2015 - 07:29 AM

But you can turn that argument around and ask, why would one design the random function's range only to index stuff in arrays smoothly when it's just as likely to be used for simulating die rolls? Stated differently, I *am* designing for general use, and I get the feeling that exclusive maximum is a weirdness designed for indexing arrays, a very specific problem.

