I'm looking at adding VFS-based file access to a few Lua functions so they can be re-enabled. But first I should know how safe it is to allow Lua to pull in external libraries. Is loadlib a major security risk, or is it fine to enable?
[code]
// File access should probably be limited to the virtual filesystem. Disabled for now
def("dofile", &DisabledFunction),
def("loadfile", &DisabledFunction),
def("loadlib", &DisabledFunction),
def("require", &DisabledFunction),
[/code]
Is loadlib safe?
Re: Is loadlib safe?
It largely depends on the ability of the community to keep track of mods and prevent them being used as a distribution method for malware. Most commercial games make a big deal out of this, but I think since mod distribution is handled by a small number of sites and trackers it isn't a big deal. If I wanted to distribute a virus as a Spring mod I'd probably just put it in an installer or something. The actual risk is pretty overrated since mods are mostly open source and any strange behaviour would get reported pretty quickly. There are easier ways to do malware than spending months learning Spring modding and Lua and pimping a mod.
Re: Is loadlib safe?
Nobody took notice of the idea of malicious lobbies and Lua gadgets/widgets, or of the flaw in the existing VFS that allows unitsync to tell Lua the contents of c:\windows and other private folders.
Re: Is loadlib safe?
Considering that I have totally lost track of how many places are passing around P.U.R.E. RC3, I would strongly suggest that we not assume that obscurity == security. Sorry in advance if that seems snippy, but I am afraid that that is a genie that's already exiting the bottle.
Re: Is loadlib safe?
As far as I know, such functions are just disabled for Lua start scripts (those use a totally different Lua environment) and synced Lua. Also, I don't see any risk in loading external Lua files; whatever is in them could be written in your own files, too ...
Loading DLLs is a security issue and you should just add a new LuaDlls or LuaLibraries key to the .springrc, so users can disable those.
But the only really safe way (with loading DLLs) would be that the _user_ run spring in a sandbox ...
But disabling Lua's io library and replacing it with the VFS functions would already be a lot safer (trepan even wrote some code to do so).
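As an added example (not Spring's code, and not trepan's patch mentioned above), this is what "disable io and route file access through the VFS" looks like in plain Lua, with a path check of the kind that would stop a mod from reading c:\windows through the VFS, and a user-controlled switch for native library loading in the spirit of the proposed springrc key. The VFS_FILES table, the VFS.LoadFile/VFS.Include names and the allowNativeLibs flag are assumptions made for illustration; the real engine would back the table with its archive reader.

```lua
-- Added example, not Spring's code: a Lua-side sandbox that disables native
-- library loading and raw file I/O and routes reads through a toy VFS.
-- Targets Lua 5.1 (setfenv/loadstring) with a fallback for Lua 5.2+.

-- Constructed stand-in for a mod archive (assumption). Keys are lower-case
-- forward-slash paths relative to the archive root.
local VFS_FILES = {
  ["luarules/gadgets/hello.lua"] = "return 'hello from vfs'",
  ["modinfo.lua"]                = "return { name = 'example' }",
}

-- Normalise a mod-supplied path and reject anything that could leave the
-- archive: backslashes, absolute paths, drive letters, UNC prefixes, '..'.
local function vfsNormalize(path)
  if type(path) ~= "string" or path == "" then return nil, "bad path" end
  path = path:gsub("\\", "/")
  path = path:lower()
  if path:sub(1, 1) == "/" or path:match("^%a:") then
    return nil, "absolute path rejected: " .. path
  end
  local parts = {}
  for seg in path:gmatch("[^/]+") do
    if seg == ".." then return nil, "parent traversal rejected: " .. path end
    if seg ~= "." then parts[#parts + 1] = seg end
  end
  if #parts == 0 then return nil, "empty path" end
  return table.concat(parts, "/")
end

-- Read a file from the VFS only; there is no way to name a host path here.
local function vfsLoadFile(path)
  local key, err = vfsNormalize(path)
  if not key then return nil, err end
  local src = VFS_FILES[key]
  if not src then return nil, "not in VFS: " .. key end
  return src
end

-- Compile source text in a given environment. Precompiled chunks are refused
-- because bytecode can escape a pure-Lua sandbox.
local function compileInEnv(src, name, env)
  if src:sub(1, 1) == "\27" then return nil, "bytecode chunk rejected" end
  if setfenv then                          -- Lua 5.1
    local fn, err = loadstring(src, "=" .. name)
    if not fn then return nil, err end
    setfenv(fn, env)
    return fn
  end
  return load(src, "=" .. name, "t", env)  -- Lua 5.2+, text chunks only
end

-- Build the environment handed to mod code. allowNativeLibs stands in for the
-- user-controlled springrc switch suggested above (hypothetical name).
local function makeSandboxEnv(allowNativeLibs)
  local env = {}
  for _, name in ipairs({ "assert", "error", "ipairs", "pairs", "next", "pcall",
      "select", "tonumber", "tostring", "type", "unpack", "math", "string", "table" }) do
    env[name] = _G[name]
  end
  local function disabled(name)
    return function() error(name .. " is disabled in the sandbox", 2) end
  end
  for _, name in ipairs({ "dofile", "loadfile", "loadstring", "load", "require", "loadlib" }) do
    env[name] = disabled(name)
  end
  -- io, os, debug and package are simply never copied in; only the explicit
  -- opt-in exposes package.loadlib.
  if allowNativeLibs then
    env.package = { loadlib = package.loadlib }
  end
  env.VFS = {
    LoadFile = vfsLoadFile,
    Include  = function(path)
      local src, err = vfsLoadFile(path)
      if not src then error(err, 2) end
      local fn, cerr = compileInEnv(src, path, env)
      if not fn then error(cerr, 2) end
      return fn()
    end,
  }
  return env
end

-- Run untrusted mod source; returns ok plus the result or the error message.
local function runSandboxed(src, name, allowNativeLibs)
  local env = makeSandboxEnv(allowNativeLibs)
  local fn, err = compileInEnv(src, name, env)
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed mod snippets exercising the sandbox.
print(runSandboxed([[return VFS.Include("LuaRules/gadgets/hello.lua")]], "include"))
print(runSandboxed([[return VFS.Include("../../Windows/win.ini")]], "traversal"))
print(runSandboxed([[return VFS.LoadFile("C:\\Windows\\win.ini")]], "absolute"))
print(runSandboxed([[return loadlib("evil.dll", "luaopen_evil")]], "loadlib"))
print(runSandboxed([[return io.open("secrets.txt")]], "io"))
```

The point of building the environment from a whitelist rather than deleting io and package from the global table is that anything not copied in simply does not exist for the mod, so a forgotten entry fails closed; the bytecode check matters because a precompiled chunk can forge upvalues and reach the real globals regardless of the environment table. None of this helps once a native library is loaded, which is why the loadlib opt-in belongs to the user and not to the mod.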
Re: Is loadlib safe?
My main concern with disabling these libraries is that real TCs like PURE might need additional libraries loaded from Lua (such as a custom AI, pathing or networking library). In some cases it may be more convenient to just load these from a gadget, AI, start script or widget than to modify or fork Spring.
This isn't an idle guess; I ran into exactly this issue with a Supreme Commander mod. In fear of litigation and bad press, GPG basically went as far as removing the whole os library (including the date functions!). My save game mod actually had to write entire save games into the user's prefs file!
I know Spring isn't going that far but I'm just pointing out it's hard to know in advance what features a mod might need. There's already a guy in the AI forum doing a Lua->Java binding for his widget. Once you have binding any pretense of control is out the window.
I really think this is a matter of false security. I'm sure that within a few hours I could find a way to make a mod exploit a weakness in VFS or some other system. Since we have no legal liability concerns I think the best option all-round is just leave the os and package libraries alone and warn people via the forums and lobby if any malicious packages start doing the rounds.
Given that Spring checksums mod packages before running them I think the ability to run a viruzed mod (at least online) is pretty low. If I were a virus writer I think I'd look elsewhere (like distributing fake cracks).
To be honest I think we're trying to solve a problem that is too hard to solve, where the solution itself has serious side-effects, and with no evidence that the problem is even being exploited (AFAIK nobody is distributing viruzed modz even though the ability to do so exists).
- Evil4Zerggin
Re: Is loadlib safe?
I seem to recall diezkat getting past checksum?