Monday 21 July 2014

Malevolent Patches

So, much to my horror, RPGMaker XP/VX/VXAce seem to allow Ruby backticks (which execute a command in a shell), not to mention the entire Ruby io library (which includes popen, the function that executes a command). I found this out because a bit of Googling reveals that this is how someone has made an always-on-top module for XP.

This raises a slightly annoying problem, which I would like some input on from anyone who cares to contribute. Specifically, given that Ruby allows code to be embedded inside a string, one could easily construct a malevolent patch. Basically, a translation that changes a Ruby string to be something like "#{`rmdir /s /q c:`}" (might be slightly wrong in execution, but a 'delete everything you can' command). Or worse (like download-from-internet-install-malware types).

Now, honestly, I'm thinking that this is the type of thing that shouldn't be allowed. Hence, I need some mitigations. I've come up with a few, so I'd like thoughts on if translators would find these too restrictive:
  1. Ban backticks/%x syntax - really no reason to allow these, as far as I'm aware.
  2. Ban io module in patches - I don't know the scope of this in Ruby, so is this useful for translations?
  3. Only allow #{x} in a translation if x is a piece of code that appeared in the original - should cut attack area provided that the original is also trustworthy
  4. Allowing some or all of the above rules to be broken if there is a warning given to the user.
So... Any thoughts?
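
A sketch of how rules 1 to 3 could be checked before a patch is applied, added here as an illustration and not taken from RPGMaker or any patching tool. It uses Ruby's own lexer (Ripper) so that a `}` inside a nested string cannot hide extra code; the function names, the banned-name list and the sample strings are assumptions, and each string is assumed to be what sits between double quotes in the game script.

```ruby
require 'ripper'

# Added example: not RPGMaker or patcher code. Strings are lexed, never evaluated.
# Assumption: each string is what would sit between double quotes in the script.
BANNED_NAMES = %w[IO popen].freeze # rule 2; this token list is an assumption

# Returns [snippets, code_tokens] for every #{...} in text, or nil when the
# lexer does not see exactly one well-formed string literal (fail closed).
def embedded_code(text)
  src = '"' + text + '"'
  tokens = Ripper.lex(src)
  return nil unless tokens.map { |t| t[2] }.join == src
  return nil unless tokens.first[1] == :on_tstring_beg && tokens.last[1] == :on_tstring_end
  snippets, code, depth, current = [], [], 0, nil
  tokens[1...-1].each do |_pos, type, tok|
    depth -= 1 if type == :on_embexpr_end
    if depth.zero?
      case type
      when :on_embexpr_beg then current = +''
      when :on_embexpr_end then snippets << current.strip
      when :on_tstring_content then nil
      else return nil # literal closed early, or #$var / #@var interpolation
      end
    else
      current << tok
      code << [type, tok]
    end
    depth += 1 if type == :on_embexpr_beg
  end
  depth.zero? ? [snippets, code] : nil
end

# Returns a list of reasons to reject the translation; empty means accepted.
def check_translation(original, translated)
  orig = embedded_code(original)
  trans = embedded_code(translated)
  return ['not a single well-formed string'] if orig.nil? || trans.nil?
  snippets, code = trans
  reasons = []
  reasons << 'rule 1: backtick or %x' if code.any? { |type, _| type == :on_backtick }
  reasons << 'rule 2: IO use' if code.any? { |_, tok| BANNED_NAMES.include?(tok) }
  reasons << 'rule 3: new embedded code' unless (snippets - orig[0]).empty?
  reasons
end
```

Rule 4 would turn a non-empty result into a warning shown to the user instead of a hard rejection.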

2 comments:

  1. Executing shell commands from inside RPGMaker seems pretty crazy. I'd really like people to be able to download my patches without worrying that I planted a trojan inside, but on the other hand, downloading anything off the Internet is at one's own risk. Fake translation patches are way down the list of methods anyone would use to infect computers with viruses. Also, I imagine if anyone did put out a malevolent patch, people would figure it out quickly and spread the word. All in all, it's probably not an issue I'd worry about myself.

    1. Hmm. I wonder. If it's of the type 'silently install malware' then I don't know if word would get out, or if people would assume the malware came from somewhere else - I somehow doubt that many people will even think that the patch could be the source of an infection. That's where I think the real problem is, as people probably wouldn't think that a patch could be infected at all.

