It is important indeed, sooner this is done the better. Because as soon as coding-modding community starts growing it will be too late...
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#2
Ideas / Anti malware in assemblies
August 24, 2014, 09:25:59 AM
Hello, this is my first post but i have been reader of these forums for a while.
Attachment contains sample mod (and its source) that will read your username, google it, and write result to 'maliciousFile.html' next to executable as soon as you build 'Malicious Blasting Charge' building. All this works, and it is a problem. Mod could as well (with bit more effort) read your browser passwords, report them to hacker's server and download something like bitcoin miner.
Definition of the problem
Mod code is not sandboxed and mods can use System.IO and System.Net namespaces.
Proposed solution #1
Blacklisting System.Net and System.IO namespaces (maybe creating wrapper for game related IO) in mod .dlls should do the trick. Even better could be whitelisting only specific namespaces like unity stuff, math, collections, linq and serialization.
Proposed solution #2
Everything in #1 but with opening mod's source code and using compiler as a service on it. So every time mod is loaded it is compiled. Then comunity would be able to easily check mod contents and verify that it does not do anything malicious. It would also improve mod-dev's learning curves because they would be able to use other mods as reference.
[attachment deleted by admin: too old]
Attachment contains sample mod (and its source) that will read your username, google it, and write result to 'maliciousFile.html' next to executable as soon as you build 'Malicious Blasting Charge' building. All this works, and it is a problem. Mod could as well (with bit more effort) read your browser passwords, report them to hacker's server and download something like bitcoin miner.
Definition of the problem
Mod code is not sandboxed and mods can use System.IO and System.Net namespaces.
Proposed solution #1
Blacklisting System.Net and System.IO namespaces (maybe creating wrapper for game related IO) in mod .dlls should do the trick. Even better could be whitelisting only specific namespaces like unity stuff, math, collections, linq and serialization.
Proposed solution #2
Everything in #1 but with opening mod's source code and using compiler as a service on it. So every time mod is loaded it is compiled. Then comunity would be able to easily check mod contents and verify that it does not do anything malicious. It would also improve mod-dev's learning curves because they would be able to use other mods as reference.
[attachment deleted by admin: too old]
Pages1