I’ve posted a similar question for .NET in general (c# - Is there a list of dangerous .NET namespaces/classes/members? - Stack Overflow), so I’m only looking for Unity-specific items here. Though this should probably extend to assemblies that are accessible in Unity but are not part of a Unity* namespace, like Cecil, though I don’t know if that is still part of it any more in 2018.4.
By dangerous, I mean that if a programmer had access to this method, they could get information about the user, hijack a different application, read/write the registry, use the network, or touch files.
Supporting Reason:
I have a game that allows the user to edit and compile C# live and change the behavior of the game they are in. I’m using Roslyn to parse the C# prior to compiling to filter out certain namespaces/classes/members, even down to XMLDocument.FromFile. Since it’s executing in the same namespace, I cannot put a different security level on it, and the main app needs access to network, and the file system.
If you want to see details on the game, you can check it out here. (In construction at the moment) http://Codavore.com - I don’t intend this as an ad, but if you have more questions about details or just want to see why this would be used, there it is.
If the intention is for the user to write code in their own game, what is the harm in allowing them access to everything? The user needs to be responsible for the code they run in the same way they are responsible for the programs they run.
Security problems crop up when the programmer is not the owner of the computer it is running on.
@eisenpony the core problem with giving the user access to everything is that they will not enter all the code they use. I.e. most any game that gets to market has walkthroughs, tips/tricks, hacks, etc. And when people come across examples of how to do something interesting, they will often try it. In this case, someone could post some code, claiming to make the spaceships run around like PacMan, except that instead of (or in addition to) that, it actually grabs a copy of all their browser cookies, or anything else that a Windows application run by a user with local admin power could do.
If the game actually becomes popular, that risk is way too great. I need to have some semblance of protection in there. I’ll probably just go with a whitelist that allows only approved code, but also wanted to know what additional options might be available.
Someone could also write a “game hack” claiming to do interesting things but really it does exactly what you are worried about. The point is, while we do all we can to prevent things, there is nothing stopping an end user from doing whatever they want to try. If the game is popular, you’ll probably want to either list trusted sources or hope the community finds their own trusted sources.
I believe OP is talking about importing assets that then do something dangerous, like collecting data, without him as developer knowing this; he then ships the game and thus the dangerous code. Correct me if I’m wrong.
You might look into executing the code in a sandbox, if you aren’t already. Additionally, I would look at this the other way round, from the perspective of a whitelist rather than a blacklist.
Find the namespaces that you want to expose, and ban all others.
One thing to keep in mind, if your game is installed locally, is that a “guide” could just as easily tell the user to replace such and such file - the one with the whitelist for instance - with this file I “prepared”.
The difficulty will also depend on what kind of dangers you are trying to protect against. For instance, even this could be considered a form of “DOS attack”:
while (true);
I think you’re basically just looking for a way to “raise the bar”, to encourage would-be troublemakers to look somewhere else. However, a simple warning to the user that “code executed here has access to your system and files” and to “only use code that you trust” may go a long ways.
As Madgvox mentioned, it would be better if you could get your user code to execute in a secure sandbox. Of course, that would require quite a bit more effort to create a safe way to transfer the data between processes.
From the first post, OP seems to suggest the user could write their own code, so he’s worried a user may look online, find some code that someone suggested does something cool, copy it and it instead steals the user’s data because the user doesn’t really understand what the code does.
Sorry, I haven’t been back to check on this. I ultimately decided to go with a Safe/Unsafe/Unknown list. Safe means it is acceptable namespaces, classes, members, while Unsafe is flagged as specifically having a security risk, such as XmlDocument.LoadFile(…). “Unknown” refers to classes/members that are not called out, and the user will be notified that the risk has not been evaluated, but they can submit a ticket for us to review, and approve it in a later version.
While(true) is actually being dealt with anyway, among other things. We are detecting loop code, and injecting a time check to exit and disable the code. I have Roslyn SyntaxTree running in the code to detect safe/unsafe classes/members, parse/format the code view and also detect loops.
In the game, we will have events for the infinite loop code, which the “physical devices” (in game) will have visual responses to, like overheating, smoking, shaking, etc. In the first code issue, the user enters the mess hall, and is attacked by a toaster, which is bouncing everywhere. They have to fix the code to get past it. The code is that they put an infinite loop in it, that causes the toaster to eject continuously. Its bounce behavior is triggered by the infinite loop event.
If you are referring to third party executables, like trainers, that give you infinite life or other useful in game features, then of course, that is on the user/third party developer. But if you are talking about someone entering C# into the game C# editor and doing whatever they want, that is exactly what I’m talking about restricting. Before compiling, I’m using Roslyn SyntaxTree to detect any types and members used. In this case, I will go with a “Safe” list, and anything outside it will prevent it from compiling. This will block the user from accessing anything but the basic system classes I allow, skipping most things Unity (vectors and other structs will be allowed) and most of the internal game code.
Thanks, you are close. It is literally code that a player will enter into the game. We write our games for players to resolve directly, but often they will find walk-throughs online. In this case, copying and pasting large functions which promise cool things, but ultimately hide nefarious intentions.
I think it’s far off the normal path. Game programmers tend not to care what language they use, or read complex details – Unity was glad to use a home-brew named “unityscript” for its 1st few years. The main focus is on commercial games. Even if you wanted to make a game that involved coding, it would probably be for kids, using a hand-made graphical system. Unity modding is usually “open this in your copy of Unity” (and Unity now runs mostly on tablets and phones, which aren’t so mod-friendly).
XmlDocument.LoadFile will accept URLs, which can be used to transmit locally collected information via URL parameters.
Cybersecurity is a really nuanced field. There are all kinds of unexpected ways to use things that seem completely benign. It’s a really hard problem to take on.
Good point about URL parameters. But wouldn’t the collected information be your own information? And whom would you be passing your own information to?
If the code was able to first read something locally, like from a file or from a browser cookie, etc etc then it could theoretically send information from an unsuspecting user who typed it in. It’s a multi-pronged attack but theoretically possible.
Yes. Reading any file on the local system I would consider dangerous. I.e. it could have commonly known paths for communication apps, and possibly other apps/tools/services that might store sensitive information in XML, attempt to read them, and if it finds any, send it off in some other open system, such as sockets or a TCP Client of sorts. I am planning to offer a file saving/loading ability, but provide a read/write file option that limits you to a name, and get list of names, under a specific path. If any additional path information is placed into it, it will throw an error. I don’t want them to be able to get outside the game. I also plan to block off any network tools, and try to protect as much as I can.
But since this will end up using a safe list now, I should be fine without a dangerous list provided from elsewhere.
The point is, that since the player can enter code for the game on their local machine, that they might not write that code themselves. They might download it from a forum where some anonymous user posted a way to make the space ships act like Angry Birds. I would suspect many will simply copy and paste it. I’m trying to protect the user from the code they enter. The game is about learning to program in C#, and doesn’t need every piece of C# available.
Thanks.
A dangerous list would have made it easier, but it has been pointed out that what is defined dangerous changes depending on the need. Network might be dangerous to one, but not another. Files the same for another. Etc. In my case, I basically want the user in a sandbox, but since I still want the main app to be able to read and write files and have network access, I’ll be safe listing the files the things they can use and prevent compiling of code that uses it.
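The Safe/Unsafe/Unknown check described in this thread, sketched as an added example (it is not code from any poster or from the game): names are resolved through Roslyn's semantic model rather than matched as text, so a `using` alias or `using static` at the call site still maps to the real type, and anything that does not resolve is treated as Unknown. The class name `ScriptGate`, the list contents and the pasted snippet are constructed for illustration; it assumes .NET 6+ with the Microsoft.CodeAnalysis.CSharp package, and it does not cover implicit calls such as operators or `foreach` enumerators.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public enum Verdict { Safe, Unsafe, Unknown }

public static class ScriptGate
{
    // Constructed sample lists; entries are "Namespace.Type" or "Namespace.Type.Member".
    static readonly HashSet<string> SafeList = new() { "System.Math", "System.String" };
    static readonly HashSet<string> UnsafeList = new() { "System.IO.File", "System.Net.Sockets.TcpClient" };
    static readonly SymbolDisplayFormat FullName = new(
        typeQualificationStyle: SymbolDisplayTypeQualificationStyle.NameAndContainingTypesAndNamespaces);

    public static SortedDictionary<string, Verdict> Classify(string source)
    {
        var tree = CSharpSyntaxTree.ParseText(source);
        // Reference the host runtime's assemblies so names bind to real symbols.
        var refs = ((string)AppContext.GetData("TRUSTED_PLATFORM_ASSEMBLIES")!)
            .Split(Path.PathSeparator).Select(p => MetadataReference.CreateFromFile(p));
        var compilation = CSharpCompilation.Create("UserScript", new[] { tree }, refs);
        var model = compilation.GetSemanticModel(tree);
        var found = new SortedDictionary<string, Verdict>();
        foreach (var name in tree.GetRoot().DescendantNodes().OfType<SimpleNameSyntax>())
        {
            var symbol = model.GetSymbolInfo(name).Symbol;
            if (symbol is null) { found[name.ToString()] = Verdict.Unknown; continue; } // unresolved: fail closed
            if (symbol is INamespaceSymbol or ILocalSymbol or IParameterSymbol or ITypeParameterSymbol) continue;
            // Types and members declared by the script itself are not library APIs.
            if (SymbolEqualityComparer.Default.Equals(symbol.ContainingAssembly, compilation.Assembly)) continue;
            var type = (symbol as INamedTypeSymbol ?? symbol.ContainingType)?.ToDisplayString(FullName) ?? "?";
            var key = symbol is INamedTypeSymbol ? type : type + "." + symbol.Name;
            found[key] = UnsafeList.Contains(key) || UnsafeList.Contains(type) ? Verdict.Unsafe
                       : SafeList.Contains(key) || SafeList.Contains(type) ? Verdict.Safe
                       : Verdict.Unknown;
        }
        return found;
    }

    public static void Main()
    {
        // Constructed snippet standing in for code pasted from a walkthrough.
        const string pasted = "class Toaster { string Pop() { return System.IO.File.ReadAllText(\"notes.txt\") + System.Math.Sqrt(4); } }";
        var verdicts = Classify(pasted);
        foreach (var (api, verdict) in verdicts) Console.WriteLine($"{verdict,-8}{api}");
        // Policy from the thread: anything outside the Safe list prevents compilation.
        Console.WriteLine(verdicts.Values.All(v => v == Verdict.Safe) ? "compile" : "blocked");
    }
}
```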