Unrestricted Python in 1.2?


Maeglin Dubh
Moderator Emeritus
Posts: 1154
Joined: November 16th, 2005, 8:38 pm
Location: Valley of the Shadow of Death

Post by Maeglin Dubh »

Requested to be posted by a non-access member.

====================================================================
I think it's a good idea to think about the security of the Python AI.

Quote:
Actually attempt restricted execution of the Python code (i.e. override "file" and "sys.*" and so on, very easy to do). That still makes it possible to break out of it (would need some Python expert for more info here), but at least you would need to be able to do some Python black magic (or copy&paste it from somewhere) first in order to do bad things :P


I think that would be a losing battle; I guess this is a plaster on a wound... Somebody who wants to do harm would probably find a way around it or another unrestricted module which can do damage.

Quote:
Implement trusted files on the CS.. but not enough time to do for 1.2 I guess.

Quote:
Ah, I see. I guess, once a campaign is marked trusted, it should stay trusted.

This would mean if somebody wants to do harm (s)he only needs to get an innocent AI on the CS and afterwards change it to a harmful one :(

I have another idea which could be done in the trunk:
Let all Python files be signed with GnuPG (or a similar program); the signing is only done by a small group of trusted people in the community. Implant a check routine in Wesnoth, including the public keys needed to verify the signed files. When Wesnoth sees a Python file it can check the signature and determine whether the file is valid. (Of course the imported non-library files should also be checked.)
If there's no signature or the signature doesn't match, the user can be warned and (s)he can decide what to do. (IMHO it should be a little bit difficult to activate the script, not a simple button. History has proven that users like to click OK, regardless of the consequences.)

When the campaign developer changes the campaign but not the AI there is no problem uploading, when the AI changes a new signature is required. This way every change to the AI will be validated. This way also campaigns which are downloaded from other locations can be checked.

I know this is not really KISS but security never is :(

==========================================

Sorry if it's ugly, but I just copy/pasted it, and you all know how 1337 I am. Not.
Cuyo Quiz wrote:I really should push for Temuchin's brainstorming with all my might someday, when the skies are cloudy, the winds dance and the light is free to roam over the soil along the fog.
Sapient
Inactive Developer
Posts: 4453
Joined: November 26th, 2005, 7:41 am

Post by Sapient »

Why do you need a signing method for detecting a new python file if the campaign server can just remember the upload date/time?

BTW, I moved this to Coder's Corner because it is a code development issue (and thus more likely to benefit from passing-by coders than to need protection from noise level).
http://www.wesnoth.org/wiki/User:Sapient... "Looks like your skills saved us again. Uh, well at least, they saved Soarin's apple pie."
allefant
Units Database Administrator
Posts: 516
Joined: May 6th, 2005, 3:04 pm

Post by allefant »

Quote:
This would mean if somebody wants to do harm (s)he only needs to get an innocent AI on the CS and afterwards change it to a harmful one
I don't see this as a problem - since most campaigns probably would be by known people from the forum anyway.
SkeletonCrew
Inactive Developer
Posts: 787
Joined: March 31st, 2006, 6:55 am

Post by SkeletonCrew »

The message by Maeglin Dubh was my request.
Quote:
Why do you need a signing method for detecting a new python file if the campaign server can just remember the upload date/time?
It's not needed to detect a new file; it's a proposal to mark an AI as safe. Where safe means the AI doesn't try to do something unwanted on your system, like deleting files or downloading and installing malware.
allefant wrote:
This would mean if somebody wants to do harm (s)he only needs to get an innocent AI on the CS and afterwards change it to a harmful one
I don't see this as a problem - since most campaigns probably would be by known people from the forum anyway.
That's true but when it comes to security I always want to be a little bit paranoid.
I can imagine a cracker breaking into the CS and then uploading a modified AI script. With the current solution the script gets downloaded and executed by the user without noticing. With signing the user gets a warning that the script is either not signed or the file has been modified after signing. People who played the campaign before can ask here why the new AI isn't signed. At that moment the tampering will be discovered. The scenario is unlikely but not impossible.
allefant
Units Database Administrator
Posts: 516
Joined: May 6th, 2005, 3:04 pm

Post by allefant »

How would the signing and checking work? Would we need to link Wesnoth against another library?
SkeletonCrew
Inactive Developer
Posts: 787
Joined: March 31st, 2006, 6:55 am

Post by SkeletonCrew »

I'm using GnuPG in my examples, but there could be other packages. Also note I've never used it in practice, only looked at the options.
Quote:
How would the signing and checking work?
A trusted person creates a signature with his private key; this will result in a signature file. Both are uploaded to the campaign server.

Wesnoth downloads the campaign, sees the python files and the signature files, then it uses the public key of the one who created the signature and checks whether the python file is the file which was signed.
Or to put it simply, MD5 with security.
Quote:
Would we need to link Wesnoth against another library?
Yes
Gnupg http://www.gnupg.org/
and it seems there is a nice library to use it
Gpgme http://www.gnupg.org/(en)/related_softw ... index.html
Linux, MacOS X and Windows are supported.

It could of course be a configure option whether or not to use it.
appleide
Posts: 1003
Joined: November 8th, 2003, 10:03 pm
Location: Sydney,OZ

Post by appleide »

irrevenant wrote: (2) disallow Python AIs on the campaign server and include them with the main game download instead once they're vetted.
This is the most secure solution, IMHO.
Why did the fish laugh? Because the sea weed.
zookeeper
WML Wizard
Posts: 9742
Joined: September 11th, 2004, 10:40 pm
Location: Finland

Post by zookeeper »

appleide wrote:
irrevenant wrote: (2) disallow Python AIs on the campaign server and include them with the main game download instead once they're vetted.
This is the most secure solution, IMHO.
Except that it wouldn't work, really. I think the reasons are rather obvious: just think what kind of a huge mess it would become if Python AI usage would become more common.
appleide
Posts: 1003
Joined: November 8th, 2003, 10:03 pm
Location: Sydney,OZ

Post by appleide »

zookeeper wrote:I don't think python AI's, excluding ones that make a unit do something very specific and simple like run around in a circle, will be written before someone rewrites the default AI in python. That would give something that could be used as a base for more specialized AI's. Writing a functional AI completely from scratch is a pretty daunting task, but if one could just tweak the default one, creating a custom AI would be a much, much more appealing idea.
Why use python AIs at all? I couldn't find anyone advocating it in this forum. (Through the search "Python AI"; maybe I missed a relevant post... but I seriously couldn't find it.) Everyone has mixed feelings towards it.

Why?
Why did the fish laugh? Because the sea weed.
zookeeper
WML Wizard
Posts: 9742
Joined: September 11th, 2004, 10:40 pm
Location: Finland

Post by zookeeper »

appleide wrote:Why use python AIs at all? I couldn't find anyone advocating it in this forum. (Through the search "Python AI"; maybe I missed a relevant post... but I seriously couldn't find it.) Everyone has mixed feelings towards it.

Why?
Not many reasons, IMHO, to use it to really create a real AI that can actually play. Very, very useful however for scripting AI moves: whenever you need to have an AI-controlled side/unit do something very specific, like moving to a location on a given turn, only attacking a given unit and never anything else no matter what, or keeping units in a strict formation when moving, things like that. You can't really do things like that in WML very well, and some (most) not at all.
appleide
Posts: 1003
Joined: November 8th, 2003, 10:03 pm
Location: Sydney,OZ

Post by appleide »

What is the current AI coded in? Why not just use that... I am pretty sure it's not hardcoded into the game...
Why did the fish laugh? Because the sea weed.
Dave
Founding Developer
Posts: 7071
Joined: August 17th, 2003, 5:07 am
Location: Seattle

Post by Dave »

appleide wrote:What is the current AI coded in? Why not just use that... I am pretty sure it's not hardcoded into the game...
The main AI is coded in C++, and yes it's part of the game engine.

David
“At Gambling, the deadly sin is to mistake bad play for bad luck.” -- Ian Fleming
SkeletonCrew
Inactive Developer
Posts: 787
Joined: March 31st, 2006, 6:55 am

Post by SkeletonCrew »

I like the Python API; I'm busy writing an AI in it. The biggest advantage is I don't need to recompile Wesnoth to change the AI, guess how much time it saves. :) The Python API also gives a nice interface so a new coder doesn't need to go through the C++ code and find the relevant entry points. Also simple special AIs like zookeeper mentioned are possible with python.
allefant
Units Database Administrator
Posts: 516
Joined: May 6th, 2005, 3:04 pm

Post by allefant »

Found some time today, and coded this change (SVN log message):

Improved the current ".py.unchecked" renaming by the CS somewhat:
    * The CS renames files on upload instead of download now, and gives a warning message to the user.
    * Approval of files now is possible by simply renaming the files back to ".py" on the CS.
    * If approved ".py" files are unchanged or only renamed/moved, they are not renamed.
    * When downloading a campaign with ".py.unchecked" files in it, a message is displayed to the user.
The first three items only affect campaignd.
Still not optimal, but required no new library dependencies, and I believe is good enough for 1.2 now: Unchecked scripts still will never be executed, but .py files can be approved on a per-file basis (not as easy or secure as with the proposed signing solution), and need re-approval on each actual code change. So it should be ready for the case that we actually will start to see lots of python-using campaigns made for 1.2.
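A model of the ".py.unchecked" mechanism described in the post above, written as an added example; it is not campaignd or Wesnoth code. It assumes an in-memory campaign store and uses a SHA-256 content digest as the approval record, so a script that is unchanged but renamed or moved keeps its approval while any edit drops it (the post only says "unchanged"; the digest is this example's choice).

```python
import hashlib

UNCHECKED = ".py.unchecked"


def digest(data: bytes) -> str:
    # Approval is tied to the script's content, not its path.
    return hashlib.sha256(data).hexdigest()


class CampaignServer:
    """Constructed stand-in for campaignd's upload-side renaming."""

    def __init__(self):
        self.approved = set()   # digests of .py content a maintainer approved
        self.files = {}         # stored campaign files: path -> bytes

    def upload(self, files: dict) -> list:
        """Store an upload. Any .py file whose content is not approved is
        renamed to .py.unchecked; returns the warnings shown to the uploader."""
        warnings = []
        self.files = {}
        for name, data in files.items():
            if name.endswith(".py") and digest(data) not in self.approved:
                name += ".unchecked"
                warnings.append(f"{name}: unreviewed Python script, renamed")
            self.files[name] = data
        return warnings

    def approve(self, name: str) -> str:
        """Maintainer approves a script by renaming it back to .py on the CS.
        The content digest is remembered so later identical uploads stay .py."""
        if not name.endswith(UNCHECKED):
            raise ValueError(f"{name} is not an unchecked script")
        data = self.files.pop(name)
        new_name = name[: -len(".unchecked")]
        self.files[new_name] = data
        self.approved.add(digest(data))
        return new_name


def client_load(files: dict) -> tuple:
    """Client side: return (scripts that may run, messages for the user).
    A .py.unchecked file is never executed, only reported."""
    runnable, messages = {}, []
    for name, data in files.items():
        if name.endswith(UNCHECKED):
            messages.append(f"{name} has not been checked and will not run")
        elif name.endswith(".py"):
            runnable[name] = data
    return runnable, messages
```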
ILikeProgramming
Posts: 837
Joined: April 14th, 2005, 4:17 am

Post by ILikeProgramming »

Quote:
* The CS renames files on upload instead of download now, and gives a warning message to the user.
* When downloading a campaign with ".py.unchecked" files in it, a message is displayed to the user.
How did you do that under string freeze?