Building a Plugin Security Scheme

[Trueborn]

lMaybe the timing of the revocation check can be user configurable? Default to, say 7, but users can change it to 1 if they're paranoid or 31 if they're trusting.

I hadn't heard of IL injection, but I can certainly see why it could be controversial. On the other hand, I dislike the separate launcher because, just like my original code, if a user forgets and runs the game executable directly, they have no protection. My preferred method would be for Squad to build this into their addon loader, but we can probably assume that will not happen.

I think the display of valid signatures should be optional, or only show when a new mod is added.

[Andersenman]

Majiir, you've been doing awesome things for an eternity of KSP's existence, have been tending to one of KSP's most popular mods, and have ascended to a recognised fellow within the KSP community … – how do we know you're not actually the same guy behind Istvaan Shogaatsu?

[Faark]

Users could start a launcher instead of the KSP assembly, and that launcher could verify plugins before allowing KSP to start. This is easy to do, but it presents usability issues. A second option is to use IL injection, which would be more transparent to the user but would also be harder to maintain and potentially controversial.

You miss the obvious...... "aaaaaaaSecurityChecker". Yes, not 100% secure, but should be good enough for now. Also how should IL injection save you against sth evil? An "aaa" mod that was just installed will still run before yours and will do evil stuff, before you have the chance to manipulate it. Unless you are talking about modifying KSP assemblies, what is against the rules.

I still don't get why we should need a security scheme. The official download sources (spaceport, forum thread) should be safe anyway and that is where most of us download there mods all the time, anyway. On the other hand would such a feature annoy me when i modify one of the installed mods.

Btw, what exactly do you want to sign? Entire mod directory? Since how else can you prevent a repacked mod that contains an additional evil.dll ?

[Trueborn]

Well, neither KerbalSpaceport nor these forums are secure at all, actually. Its just that so far, none of us have been evil.

The signatures would probably just cover the DLLs, because that's what KSP loads. And the audit process would be looking for things like trying to sneak in code behind the scenes. Signing the entire directory wouldn't work, as config file changes would invalidate the signature.

If you are rebuilding mods, you are already doing your own auditing, and wouldn't require this method anyway.

'aaaaa' does raise a valid point though. Without priority loading, an external executable seems to be the only way to ensure first execution.

And finally, the utility would look for all DLLs in the GameData folder, so a DLL added after the fact would be caught

Edited January 13, 2014 by Trueborn
Extra DLL comment

[blizzy78]

The official download sources (spaceport, forum thread) should be safe anyway

How so? What exactly prevents me from uploading a DLL that deletes all your files? Which is the point of this thread.

[Trueborn]

Here is a possible large scale flow for signing, without any significant implementation details. What's missing?

User Client Flow:

- Scan GameData for DLLs and signatures (possibly whole KSP structure - does KSP still load from outside GameData?)

- Load local certificates

- Match DLLs to certificates, note missing certificates

- If due, download revocation list

- Check certificates for expiration

- Check certificates for revocation

- Try to download any missing, expired, or revoked certificates

- Hash DLLs

- Decrypt signatures

- Compare computed and decrypted hashes

- Notify user/disable unsigned mods

Mod Developer Flow

- Code!

- Register as a trusted developer to get digital signature

- Sign all DLLs in mod, and submit source code and signed DLLs for auditing

- Receive notification of audit completion

- Upload mod to KerbalSpacePort with full signatures

Auditor Flow

- Apply to become security auditor

- Be accepted (by whatever method)

- Register as a trusted auditor to get digital signature

- Pick or be assigned a waiting mod

- Audit mod, and report as either pass, fail, or error (does not compile or some such)

- If mod passes audit, sign DLLs

- After a mod has been passed by X auditors, notify author that audit is complete (X = 3ish)

[TMS]

Is there a steady supply of people who will spend their free time proof-reading and validating other people's code?

[Greys]

It's not the auditor's job to determine if the code works/works well, just that it's not malicious; And this is a lot easier than you'd expect.

There are specific things that can be searched for to rule it out quickly; and given that we're looking at programmers anyways it would be pretty easy to make a little program that does look for those things and outputs line numbers if found. This would be things like calls to System.IO or... other things. And these would just be really obvious "there's only certain reasons to be touching that at all so let's have a look straight away". Then there's a lot of code that simply can't be malicious so the auditor just has to skim over that.

Then, there really aren't that many add-ons that release updated DLLs that frequently. In an average week it's probably between zero and one. The taxing time will be around updates to KSP; but with the raising prevalence of mods being able to update potentially a couple weeks before the update is released, and many mods being in no real hurry to update, it's still probably zero to five mods per day; so if we can get say, ten people who are able to review mods a few days a week, each auditor will only be responsible for going over a small number of mods per week; potentially none, and during the busy period after an update it still wouldn't be that many.

[Guest]

It would be nice if trusted plug-in authors had a way to identify themselves as such to new KSP users. I've been around here long enough now that I have built trust in the "regular" guys. But how is a new user supposed to recognize the community trusted authors? We need a way to recognize trusted authors and plug-in developers. Majiir is on to something here.

Without support from squad, there is no good way to do this through the game itself. But, with help from moderators of this forum, we could come up with a way to give trusted authors and up-loaders an easily recognizable icon to go beside their avatars to help new users identify them as community tested and trusted developers.

[ROFLCopter64bit]

Even if we do successfully get past the bottlenecks and get this into a working state, it's going to be nothing more than a proof-of-concept unless SQUAD gets involved as well.

Still, this is a great idea.

[iamaphazael]

I just want to jump in and say I support this idea. I expressed some concerns a while ago about the current system, and the response I got was basically "Shhh! Hackers search forums looking for people talking about vulnerabilitoes. Just don't mention it and hopefully no one will try to use KSP as an attack vector", which of course is absolutely stupid.

Considering the (well-deserved) attention that KSP is getting these days and will undoubtably continue to get, it's only a matter of time before some malicious actor finds a way around the safeguard that are in place and distributes a plugin that does something nefarious. I think Majir is absolutely right that the time to put a system in place to try to prevent that kind of thing is now, before an attack forces us/Squad to do something about it.

I don't have a lot to add to the conversation right now that hasn't been said, but I'm going to continue to watch this thread, although I'm not on the forums much these days, and try to chime in when I have something helpful to add.

[rbray89]

We as modders could develop a 3rd party "spaceport". Create a full system that uses source control (ie. git, svn, etc) takes the raw source, performs an automated build, packages the release, and flags it as unverified until an approver comes by to inspect the changelog.

This would be a LOT of work. That being said, it would also introduce standardization, (possibly help with the influx of users who can't seem to figure out what to do with a folder called "GameData") and a client could be created to manage mods. I for one wouldn't mind having a one-stop-shop for both users and content creators. I'm nearing feature complete on one of my mods, and I wouldn't mind heading this up.

[rbray89]

I just thought of something else... what if we had a web server that used 3rd part source control? CI scripts would pull from specified repos, build and publish on a regular basis. That way, people could use whatever SC they wanted, but the build server would be automated. A build file could be specified as to how to build/package up the release once complete.

[O-Doc]

Introducing politics into the KSP mod community. Well played. And do tell, who will be the gatekeepers of this cabal? What about all the noobs out there who are learning to code? I think you need to re-read asmi's first post.

I know the source code for any mods I may, or may not, create for KSP will definitely not be going into the hands of a third party. Cheers.

[rbray89]

Introducing politics into the KSP mod community. Well played. And do tell, who will be the gatekeepers of this cabal? What about all the noobs out there who are learning to code? I think you need to re-read asmi's first post.

I know the source code for any mods I may, or may not, create for KSP will definitely not be going into the hands of a third party. Cheers.

This would be a community endeavor. I would suggest that the server be maintained by a few the modders or possibly get Squad involved to bring in a moderator. As for the source, the second post illustrates the ideal. Any modder could create an account, post some basic details of how to grab the source from github/googlecode/http, and then the server would build and package it. Those same modders who have verified plugins would then vote yay/nay to approve the code changes to be verified.

[O-Doc]

I understand your intention. I also understand your motivation, not just the one's you've expressed(I'm a software engineer by trade). I'm just going to point out that you don't solve the issue of trust, you've just moved it to a small group of self appointed individuals who will be able to exercise more power and control in the community than your average member. What could possibly go wrong?

More importantly, you've given KSP gamers the false option of being less personally responsible for their own computer security. I'm not against your initiative, you should move forward with whatever development path you want, it's your free time. I'm only going to have serious issues if it becomes policy for Squad to have non-employees gate keeping the community development experience in an official capacity.

[acc]

I agree with "it's a social problem".

most of humans are naiv and using computers without know-how about computers. or let's say it in general: humans are less smart and more careless as they should be. thats fact number one.

fact number two is: a social problem can't solved by a technical solution, BUT: a smart technical instance can compensate some risks and even teach whats happend in the background.

i think a decentralised solution would be better, like a trust-chain.