The Sandbox and Malware

Ask for help about creating mods and scripts for Grimrock 2 or share your tips, scripts, tools and assets with other modders here. Warning: forum contains spoilers!
Post Reply
minmay
Posts: 2700
Joined: Mon Sep 23, 2013 2:24 am

The Sandbox and Malware

Post by minmay » Sat Nov 19, 2016 4:07 am

Legend of Grimrock and Legend of Grimrock 2 both "sandbox" their scripting interfaces: user scripts don't get access to the global environment, just an environment of "public" fields, and Components, GameObjects, Champions, etc. in the user scripting interface are actually "proxy objects" with limited methods and fields. For instance, there is a PartyComponent:crushToDeath() method, but you can't call it from the scripting interface, because the proxy object for PartyComponent doesn't have it.

On October 8, 2016, I discovered a means of escaping the sandbox from within it. That is, a way to access the global environment from the user scripting interface, without modifying any game files. This quickly led to discovering other means of escaping the sandbox. Some are easier/more practical than others, but the point is that there are a lot of them, and there's no way I've found all of them. I am not going to post them publicly right now.
This is very common in video games with mods.
The reason I'm mentioning this at all, then, is that it means malware mods are technically possible. It is entirely possible to make a dungeon that, when played, erases a bunch of files on your hard drive, opens shady porn sites in your Web browser, etc.
So, be careful what you download.

On the other hand, it's exciting for modders because it means now you can easily:
- change all manner of game mechanics that were previously off-limits, change standard GUI elements, even change things like lights' shadow distance
- dynamically generate textures and geometry, use custom shaders, and you can even render to textures so making your own effects like WaterSurfaceComponent reflection is possible; you can make mirrors, recursive reflections, even portals that show what's on the other side of the portal!
- change the save game code to avoid out of memory crashes
(yes, I've been doing all of these things)

This did not come as a surprise to me, because sandboxing Lua from Lua while still allowing data to pass through (the scripting interface would be rather pointless if you couldn't do anything to the dungeon) is nearly impossible. That means that patching these exploits out is nearly impossible, and, I would argue, pointless to even attempt - you would have to break existing non-malware mods to do so.

If you happen to be developing an application with a Lua interface and are worried about this, I believe the easiest way to make file writing and program execution off-limits is to cut off the global environment's access to io functions entirely, before any user Lua can run. As in
SpoilerShow

Code: Select all

_G.io = nil

Code: Select all

_G.debug = nil
"But wait! My application's Lua side needs the io library!"

Code: Select all

do
  local io = _G.io

  function writeAsdf()
    local file = io.open("C:\Users\Steve\AppData\asdf.txt","w")
    file:write("asdfasdfasdfasdfasdfasdf")
    file:close()
  end

  _G.io = nil
end
By hiding the io table in an upvalue you remove the user's ability to make new functions that access it, while still letting your own functions use it. Of course you need to make sure that they can't use your existing functions (including C callbacks) to write to arbitrary files or obtain a file object handle, and it's kind of a pain to do this for every function. But it is easier than getting full sandboxing with two-way communication.

(You can never make new C callbacks from Lua, so you don't need to worry about that. Unless you're using one of those modified Lua packages that can call arbitrary C functions. Don't use those, they are a portability nightmare.)
Remember, I'm posting this after about 6 weeks of consideration; I have come to the conclusion that anyone interested in making malware mods would already know that the sandbox is probably escapable, so my confirmation shouldn't change anything for them.
Last edited by minmay on Wed Dec 07, 2016 8:55 pm, edited 1 time in total.
Grimrock 1 dungeon
Grimrock 2 resources
I no longer answer scripting questions in private messages. Please ask in a forum topic or this Discord server.

User avatar
Xanathar
Posts: 629
Joined: Sun Apr 15, 2012 10:19 am
Location: Torino, Italy
Contact:

Re: The Sandbox and Malware

Post by Xanathar » Sat Nov 19, 2016 5:17 pm

As someone who's very interested in Lua internals and sandboxing for various reasons, I definitely have to try :D even if in the past I did try with no success whatsoever.
Waking Violet (Steam, PS4, PSVita, Switch) : http://www.wakingviolet.com

The Sunset Gate [MOD]: viewtopic.php?f=14&t=5563

My preciousss: http://www.moonsharp.org

User avatar
AndakRainor
Posts: 673
Joined: Thu Nov 20, 2014 5:18 pm

Re: The Sandbox and Malware

Post by AndakRainor » Sat Nov 19, 2016 6:27 pm

Do you plan on revealing more technical details about that hack (or even a framework based on it)? What does Almost Human think about it?

User avatar
Komag
Posts: 3639
Joined: Sat Jul 28, 2012 4:55 pm
Location: Boston, USA

Re: The Sandbox and Malware

Post by Komag » Sat Nov 26, 2016 4:27 am

This is all intriguing. My impression so far is that the guys at AH are pretty down to earth and cool. But they are also in business and this is their property.
Finished Dungeons - complete mods to play

Post Reply