Running untrusted code (video game modding) #48726
Hey, I'm trying to add C# modding support to my Unity3d game. I already did so with Moonsharp (Lua) but wanted to try C# as well. I'm not shooting for a completely unbreakable setup, but a reasonable amount of security (I know this might be a bit too vague). I found this and I was wondering how secure The
Thanks in advance!
They do not. Most games do not impose any kind of security restrictions on mods and rely on community trust.
Code Access Security is very deprecated and has been for quite some time. Mono (and by extension Unity) never really supported it in the first place. The main reason is that it's really hard (bordering on impossible) to have trusted and untrusted code running in the same process. (This is why modern web browser sandboxing is implemented with low privilege processes communicating with high privilege ones.)
Most Unity games use Harmony for their modding support. I would recommend making a simple mod for a game you like to get an idea of how it works, or look at some existing ones. Here's a simple one for Oxygen Not Included (Here's the workshop listing.)
The problem with modding approaches like using Lua is you're limiting what the modders have access to and you're now on the hook for anticipating their needs. If you aren't using Lua for your own scripting, you're also adding this huge extra burden for you to maintain, and people will probably end up using Harmony anyway to change behaviors you didn't think to expose via Lua. (That being said, if modding is something intrinsic to your game, the Lua mods might be a good choice for a more easily accessible modding tier. Just know people will probably try to use Harmony too unless you use IL2CPP on your game.)
If you really want to do this, you might look into using Unbreakable, which is used by SharpLab to safely execute your code. Basically it validates the APIs used by an assembly and decides whether it's safe or not. Everything is blocked by default and it uses a whitelist to mark assemblies as safe. (Which leads to situations like this) However, using Unbreakable now means you're on the hook for making a list of APIs allowed to be used in mods. (And Unity has an astronomically huge API surface.)
If you still care about mod security after reading all that, I'd probably go with the following strategy:
The other alternative is that you sandbox your entire game, at which point I start wondering if you want to make games or security software. (Normally simple stuff like Steam integration would become a huge chore. Would be a cool project though.)
One other alternative that I don't know enough about to guess if it's actually viable: Make your game a UWP app on Windows. My understanding is UWP apps are locked down by default, and doing things like communicating with Steam from UWP apps is more likely to be a solved problem. (Although I've also heard that UWP games are a huge pain to mod because of it, so this might just mean mods don't work.)
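Added example, not part of the thread and not Unbreakable's code or API: a minimal deny-by-default scan of the kind the answer above describes, reading a mod assembly's metadata with System.Reflection.Metadata before it is loaded. The allowlist entries and `MyGame.Modding.ModApi` are hypothetical, and the check is per type rather than per member.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

static class ModApiScanner
{
    // Hypothetical allowlist; anything not listed is rejected (deny by default).
    // Reflection types are deliberately absent: a static scan cannot see
    // what a mod reaches through reflection at run time.
    static readonly HashSet<string> AllowedTypes = new HashSet<string>
    {
        "System.Object", "System.String", "System.Int32", "System.Math",
        "System.Runtime.CompilerServices.CompilationRelaxationsAttribute",
        "System.Runtime.CompilerServices.RuntimeCompatibilityAttribute",
        "MyGame.Modding.ModApi", // hypothetical facade the game exposes to mods
    };

    public static List<string> FindViolations(string assemblyPath)
    {
        var violations = new List<string>();
        using (var stream = File.OpenRead(assemblyPath))
        using (var pe = new PEReader(stream))
        {
            MetadataReader md = pe.GetMetadataReader();
            // Every external type the assembly touches appears in the TypeRef table.
            foreach (TypeReferenceHandle handle in md.TypeReferences)
            {
                TypeReference type = md.GetTypeReference(handle);
                string ns = md.GetString(type.Namespace);
                string name = md.GetString(type.Name);
                string full = ns.Length == 0 ? name : ns + "." + name;
                if (!AllowedTypes.Contains(full)) violations.Add("type " + full);
            }
            // P/Invoke declarations leave managed code entirely; reject them all.
            foreach (MethodDefinitionHandle handle in md.MethodDefinitions)
            {
                MethodDefinition method = md.GetMethodDefinition(handle);
                if ((method.Attributes & MethodAttributes.PinvokeImpl) != 0)
                    violations.Add("p/invoke " + md.GetString(method.Name));
            }
        }
        return violations;
    }

    static void Main(string[] args)
    {
        // With no argument, scan this program's own assembly as sample input.
        string path = args.Length > 0 ? args[0] : typeof(ModApiScanner).Assembly.Location;
        foreach (string v in FindViolations(path)) Console.WriteLine("DENY " + v);
    }
}
```

Run against itself, the scanner reports its own use of `System.IO.File` and the metadata reader types, which shows how quickly an allowlist has to grow to cover ordinary code.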
Thank you so much for your detailed answer and linked references! I didn't think about this security aspect as something that I want to do, but something that I have to do. To be honest I kind of thought about ditching modding support altogether, because creating a game in itself is so much work. So it's a relief to hear that relying on community trust is something that's done by others and I think I'll do the same. I guess I'll provide a simple API layer only consisting of C# methods that both C# and Lua mods can use, to provide some stability to modders. And ditch my idea of also wrapping objects that are passed around in API methods in special types.
Harmony looks very cool, I'll create a mod with it for sure, to see how I can support it, thank you again for all the references!