It seems baffling that we have this massive community making mods with highly insecure raw java code, and somehow nobody thought of figuring out how to sandbox the stuff.
What's amazing to me is you have an entire modscene of young or amateur programmers uploading binary code to god-knows-where and this is the first time this sort of thing has happened (that I can recall)
What's the security like on Steam workshop? Or Nexusmods? Gaming and modding is still rife with lots of little "here download my exe from this forum post and give it a run please".
Pretty much every game I play modded ends up with some kind of support framework DLL that tons of other mods build from. I am amazed that that has still not really blown up in our faces here in 2023.
I think this goes to show how effective the trust we place in the social network is. These things don't happen immediately for every new game because mod spread through word of mouth (or forums, or server-to-player-to-server), and each community's moderators are there to take down any malicious payload that does get discovered.
Generally the misadventures have been limited to attacks against individuals in personal bitch fights, and overzealous copy protection / license enforcement schemes from paranoid (people selling Xplane planes forex).
There's a lot of hinky stuff out there that doesn't quite reach the level of "malware", just potential fun.
specialized "Visual Studio" extensions are worth looking hard at too.
>What's amazing to me is you have an entire modscene of young or amateur programmers uploading binary code to god-knows-where and this is the first time this sort of thing has happened (that I can recall)
Which is especially surprising considering the sheer insanity of Minecraft modders and hackers.
I'm sure people have thought about it, it's just hard, annoying, and asking a lot of mostly unpaid OSS contributors. Many mod developers are high school / college aged.
Sandboxing Java code running in process requires ugly and obscure security APIs and restricts you to having to have a common modding API (Forge). Many mods use bytecode patching and would be broken completely.
The page this post links to is for the prism launcher, a 3rd-party launcher that enables a lot of very useful features such as automatic mod installs. Crucially, it is distributed as a flatpak with sane default permissions, which means that pretty much all linux users are safe (turns out even the ones not using flatpak were safe because they borked their unit file but still).
People thought of sandboxing the stuff, but the people thinking of that and the people making the mods aren't the same people and the people making the mods would rather be able to do things outside a single API.
I foresee this being a big problem for the Godot game engine as it gains popularity. There's absolutely no sandboxing or "safe mode" or anything when loading extra resource packs, and any resource or scene file can have an embedded script which executes upon loading.
Do you mean this would be an issue with regards to using their asset store/3rd party plugins for your game?
If so how is it really any different from just regular nodejs packages or Python packages?that’s a risk developers seem to ignore.
Or are your talking about scripts being added for modding purposes like Minecraft? If so that’s a pretty good point, would be nice to have godot implement some sort of sandboxed system you can use. Not sure what the term would be or how that would even work.
That's quite possible, I'm not super into the modding scene. I guess my default assumption is that mods should be running through some sort of scripting interface that doesn't have access to things like the filesystem.
When developers add an official modding interface, then it usually works the way you've suggested. They get access to much of the internal API and a sandboxed environment.
Many mods though, work by just subverting the game by replacing components with custom-made ones. This allows substantially more customization.
In Minecraft, both types exist. The first type are called "data packs" or "resource packs" and would not be subject to this attack. The latter type involves swapping in new .jar files and running them directly, which is unsupported by the developer and gives basically unrestricted access.
This might be a bit nitpicky but resource packs just replace assets without scripting capabilities, and datapacks do let you run commands which are Turing-complete but they aren’t really a great programming language because you can’t do things like loops in a normal way
You are running code on your CPU in ring 0 all the time? No. The same way a sandbox gives a whitelist approach to security — this app by default should have no filesystem access. It does want to open a file — ask the user whether it should be able to or not.
Security is upheld, user control is given, everyone is happy.
The same could be said about NPM, or pip, or crates. The security model is "they will probably find the backdoor before it affects me", and it's unreasonably effective.
What's the security like on Steam workshop? Or Nexusmods? Gaming and modding is still rife with lots of little "here download my exe from this forum post and give it a run please".
Pretty much every game I play modded ends up with some kind of support framework DLL that tons of other mods build from. I am amazed that that has still not really blown up in our faces here in 2023.