
Could adding modding support by loading modder's assemblies create risk of malicious code?

Discussion in 'General Discussion' started by DanSuperGP, Dec 24, 2016.

  1. DanSuperGP

    I just had a very troubling thought. I've been working on a project for a while... and we know we'd like to have mod support.

    One of the ways we think we could give mod support is letting the users compile their own assemblies against an exposed API... and then loading their assemblies.

    But this got me to thinking... does this create a major security risk? Not for us... but for our users.

    Could someone upload a mod for our game onto Steam Workshop that contained malicious code and then use it to install malware on a user's machine or something?

    It's kind of a chilling thought.
     
  2. neginfinity

    Yes, absolutely.

    Even without admin rights, such an application would be able to wreck the user's personal data easily.
     
    Kiwasi likes this.
  3. superpig

    Drink more water! Unity Technologies

    Yep, unless you sandbox their code somehow. There are some mechanisms in .NET for 'untrusted' code, but I don't know how much they apply to this situation, or whether they're usable in a Unity environment.
     
    QFSW likes this.
  4. zoran404

    Use Lua or a similar interpreted language from which users could call specific functions in your game - you will have to write additional code.
     
    Kiwasi, Socrates and TonyLi like this.
  5. passerbycmc

    If you let them load their own assemblies, yes, but if you provided scripting support with a limited API, no. I would try and expose Lua or maybe a subset of Python, where it can only use basic language features or interact with your API.
     
  6. neginfinity

    Still need to make sure that scripted language cannot load external files, though.

    For example, Python could probably "accidentally" have access to os, subprocess, etc.
     
  7. passerbycmc

    Yeah, out of the box Python can do a lot of damage. Never tried to use Python with Unity before, but I know in more embedded uses of it, like in Nuke or Maya, it has more or less full privileges, with all modules available, including sys, os and subprocess.
     
  8. zoran404

    Yeah, I meant to say that users should only be able to call the functions that you provide to them.
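
Posts 4 through 8 settle on a scripting layer whose only reach is the functions the game hands over. As an added example (not code from any poster or from Unity), here is that allowlist idea for the Python subset passerbycmc mentions: every syntax node outside a short allowlist is refused before the script runs, and calls may only name API functions. `spawn`, `say`, `check_mod` and `run_mod` are hypothetical names.

```python
import ast

class ModRejected(Exception):
    """Raised when a mod script uses anything outside the allowlist."""

# Syntax allowlist: Import, Attribute, Subscript, Lambda, def and loops are refused.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.If, ast.Call, ast.Name, ast.Load,
    ast.Store, ast.Constant, ast.BinOp, ast.Add, ast.Sub, ast.Compare,
    ast.Lt, ast.Gt, ast.Eq,
)

def check_mod(source, api_names):
    """Parse a mod script; reject it unless every syntax node is allowlisted."""
    try:
        tree = ast.parse(source, "<mod>")
    except SyntaxError as exc:
        raise ModRejected(f"syntax error: {exc.msg}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ModRejected(f"{type(node).__name__} is not allowed in mod scripts")
        # Calls must name an API function directly: no obj.method(), no f()().
        if isinstance(node, ast.Call) and not (
            isinstance(node.func, ast.Name) and node.func.id in api_names
        ):
            raise ModRejected("call to something outside the mod API")
    return tree

def run_mod(source):
    """Run a checked script with the API as its only globals; return the log."""
    log = []
    api = {  # hypothetical game API: the only callables a mod can reach
        "spawn": lambda kind, x, y: log.append(("spawn", kind, x, y)),
        "say": lambda text: log.append(("say", text)),
    }
    tree = check_mod(source, set(api))
    exec(compile(tree, "<mod>", "exec"), {"__builtins__": {}, **api})
    return log

# Constructed sample scripts: one well-behaved mod and three that must be refused.
GOOD_MOD = 'n = 2\nif n > 1:\n    spawn("orc", n, n + 1)\nsay("hi")\n'
BAD_MODS = ["import subprocess", '__import__("os")', "say.__globals__"]

if __name__ == "__main__":
    print(run_mod(GOOD_MOD))
    for script in BAD_MODS:
        try:
            run_mod(script)
        except ModRejected as why:
            print("rejected:", why)
```

This is a language-level allowlist only: it does not cap memory or script size and is not a substitute for OS-level isolation.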
     
  9. DanSuperGP

    Thanks, that's exactly what I expected to hear.

    Of course... this also means that all the Unity games we download could also have that potential....

    Cool... next time modding gets discussed I'll be sure to bring this up.
     
  10. Deleted User


    Simply adding an .xml... or .json thingy and asset bundles? (I think that's the way to do it?) for 3D meshes / textures / sound FX etc., then people can add their own weapons or whatever
     
  11. zoran404

    It depends on whether you want to mod functionality or graphics.

    Also for models you can use .obj files and for sound clips you can use the .ogg or .wav files.
    So it's possible to avoid asset bundles.
     
  12. Deleted User


    Really?? How?? :p
    Seriously, couldn't find much information about making a moddable game in Unity... really, like NO INFO at all,
    so the only thing I could figure out was asset bundles.

    .obj and .ogg or .wav can be made to be read as text files, I'm guessing??
     
  13. MV10

    Even Microsoft has mostly given up on sandboxing support at the framework level.

    As of .NET 3.5 the new-hotness was Code Access Security; no idea if this works in Mono:

    https://msdn.microsoft.com/en-us/library/bb763046(v=vs.90).aspx

    But fast-forward to the current version of that guidance and you get stern warnings that CAS is probably insufficient:

    https://msdn.microsoft.com/en-us/library/bb763046(v=vs.110).aspx

    Eventually everything will move to some .NET Core flavor, which completely drops AppDomain and sandbox support in favor of AssemblyLoadContext (and OS-specific security features, which they mentioned in a .NET Core blog post last year but not in any detail).

    Worse, AssemblyLoadContext is currently undocumented (but shipping).

    https://github.com/dotnet/coreclr/issues/295#issuecomment-75266259
     
    kaiyum likes this.