Securing mods against exploitation

Obligatory “I am really drunk writing this”

So, our mods are written in C#. And that means if I wanna write a bitcoin miner and hide it in my mod, I can do so.
But what if all mods were checked by an internally-integrated antivirus? If they can detect regular spyware and miners and shit, they can also do it in our .dll mods? Can they not? What other ways of checking for malicious code are there?

Regards

2 Likes

Aren’t mods/addons directly uploaded to Steam workshop’s servers? Even if they forced people to use a special addon uploader, people could just reverse engineer it and send directly to the Steam servers. If I remember correctly, something similar is done so that you can get a .gif as your addon’s picture.
Only way I can see it working is if S&box has its own servers.

2 Likes

I hope they have a solution if there is the ability to be bad stuff in addons. And it’s going to suck because C# isn’t as easy as LUA therefore even server owners wouldn’t be able to tell the difference between code that doesn’t belong and code that does. Only developers might be able to, however even so there are very few that know of C# that are coming from the GMod community.

1 Like

imo readability in C# is much easier. I think it would be about the same in C# to check for bad code, check to see if anything is tabbed super far off the page, check for any code that is out of the ordinary with names, etc

1 Like
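The manual checks described in the post above (code pushed far off the page, names that are out of the ordinary), sketched as a script. This is an added example, not part of the original thread or of any S&box tooling; the thresholds and the sample mod source are assumptions constructed here, and it reviews source text only, not a compiled .dll.

```python
import math
import re
from collections import Counter

# Thresholds are assumptions for illustration; tune them for your code base.
MAX_INDENT = 120     # code starting at or past this column is off a typical editor page
MIN_GAP = 40         # whitespace run inside a line that pushes trailing code out of view
MIN_NAME_LEN = 12    # only long identifiers are scored
MAX_ENTROPY = 3.5    # bits per character; random-looking names score higher

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
GAP = re.compile(r"\S( {%d,})\S" % MIN_GAP)

def entropy(name):
    """Shannon entropy of the characters in an identifier."""
    counts = Counter(name)
    return -sum(n / len(name) * math.log2(n / len(name)) for n in counts.values())

def review(source, tab_width=4):
    """Return (line_number, reason, detail) findings for one C# source text."""
    findings = []
    for number, raw in enumerate(source.splitlines(), 1):
        line = raw.expandtabs(tab_width)
        code = line.lstrip()
        if not code:
            continue
        gap = GAP.search(line)
        if len(line) - len(code) >= MAX_INDENT:
            findings.append((number, "indented-off-page", code[:40]))
        elif gap:
            findings.append((number, "code-after-gap", line[gap.end(1):][:40]))
        for name in IDENT.findall(code):
            if len(name) >= MIN_NAME_LEN and entropy(name) > MAX_ENTROPY:
                findings.append((number, "unusual-name", name))
    return findings

# Constructed sample mod source, not taken from any real addon.
SAMPLE = "\n".join([
    "public class Greeter {",
    "    public void Hello() {",
    '        Log.Info("hi");' + " " * 150 + "Helper.Run();",
    "    }",
    "\t" * 40 + "Helper.Start();",
    "    private int xK9qZt4vB2mW7p = 0;",
    "}",
])

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

These are triage heuristics: a clean result does not show a mod is safe, and long legitimate identifiers can score close to the entropy threshold.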

I’ll link this here so we’re all on the same page regarding FP’s current (that I know of) stance on code security.

2 Likes

700th bitcoin miner comment. haha.

1 Like

From what I know, FP has not yet said if they are going to use Steam’s Workshop at all, so hosting the content themselves is not out of the question. In fact, there was a lot of discussion about working with repos themselves, not just the packaged versions like it’s done with Steam’s Workshop, which, while not a solution at all, would help interested players to make sure that a less popular addon does not contain malicious code or backdoors.

I would link it here, but it was all said in the old #sandbox-general, which garry deleted

This was a few months ago, so their position might have changed from then to now.

1 Like

It’s pretty much confirmed for me that they will use the Workshop:

(See “Q: Will we be able to mount games like we can in Garry’s Mod?” under “Game info”)

1 Like

I’m sorry, but what do you mean by confirmed for you? Have they said something else more recently besides what garry responded on the thread and what I printed from the discord?

“most likely” != pretty much confirmed, at least to my mind.

1 Like

With that, I meant that I’m very sure about it, but of course it has not been officially confirmed.
And you apparently haven’t seen this screenshot?
[Screenshot: 2020-11-30_03-28-58]

2 Likes

Workshop != Steam workshop

2 Likes

So is an internal antivirus feasible? Would it yield any advantage over sandboxing? Disadvantages? Would it be considered? What antivirus vendor would agree to supply such a protection?

Or perhaps our regular antivirus we might have on our PCs would actually detect ‘bad’ DLLs and remove them from the game’s directory?

I think it’s the best solution that doesn’t involve sandboxing imo.

In Minecraft modding that uses unchained Java, if there happen to be any keyloggers (because people only thought to check for those, and not miners), the situation quickly becomes public and nobody trusts such a mod anymore. Would it be safe to say that without any form of protection, bad mods will be found out and taken care of quickly by the community?

2 Likes