Jump to content




Ravnik Anti-Virus

utility

19 replies to this topic

#1 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 10 August 2014 - 07:57 PM

Hey there!
Message from future me, if you enjoy this.. erm.. thing (or even if you don't), you should check out my latest game! It's way better than this one, I'm sure you'd love it ;)
Click the link here to check it out!
Back to your original post already in progress..

Yes, yes, I know, another Anti-Virus. Before you click off the topic though, let me assure you, this is NOT just a stupid "string.find()" program. I DID actually work hard on this. And though it still has some bugs and glitches in it, I'm sure you will be pleased to use it.


Description:
Ravnik Anti-Virus isn't really an Anti-Virus as much as it is a sandbox tool.
I'm sure you will find a nice use for it. Even if it is just for sand-boxing your
own programs to see if they will pop up as viruses. The way Ravnik works,
everything is on a point system. Some functions give you a minimal point
dent (such as fs.open), and some give you a major point dent
(such as http.post). Whenever the points overflow their limit, Ravnik
will crash the program and report it to you immediately. The best
feature about the point system, is that YOU (the user) gets to choose
how sensitive, or how lax the sandbox is on your program.

Usage:
Just type in
*Whatever name you downloaded Ravnik with* sandbox *file name* *point limit*
and run your program like you normally would. Most dangerous
calls will be blocked by Ravnik, so don't be surprised if your
program bugs out when it realizes it can't save your file.

Download:
pastebin get mNHc16yK RavnikAV

Screenshots:
Attached Image: Ravnik1.JPG
Attached Image: Ravnik2.JPG

List of all functions considered "Dangerous" by Ravnik.

Spoiler

Edited by Saldor010, 05 June 2019 - 09:15 PM.


#2 flaghacker

  • Members
  • 655 posts

Posted 10 August 2014 - 09:06 PM

Why would eg. reading from a file multiple times be worse than only once?

Also, can you list all functions witch are considered "bad"?

#3 Win7yes

  • Members
  • 110 posts

Posted 10 August 2014 - 09:13 PM

Can someone explain like, Better, how to use this? I downloaded it, did RavnikAV sandbox startup 20 and it didn't even start the startup program or anything

#4 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 01:00 AM

 flaghacker, on 10 August 2014 - 09:06 PM, said:

Why would eg. reading from a file multiple times be worse than only once?

Also, can you list all functions witch are considered "bad"?

The problem was, the program kept trying to read the file multiple times, because the first time didn't work, and every time it would try to read it, a point would be added. Like I said, glitches like these still exist. I may try to fix it in the future.

EDIT: Also, Sketch and Ink were really the only programs that had a problem with this, and this is when I was trying to open a file. If you try to save a file, for some reason it will (think it) save the file, and will just assume it worked and go on.

 Win7yes, on 10 August 2014 - 09:13 PM, said:

Can someone explain like, Better, how to use this? I downloaded it, did RavnikAV sandbox startup 20 and it didn't even start the startup program or anything

Do you happen to have a startup program on that computer? Is there any error? Surprisingly, you do have to give a bit of description of what is going wrong if you expect any help or support.

Edited by Jiloacom, 11 August 2014 - 01:03 AM.


#5 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 01:15 AM

Added list of "Dangerous" functions that Ravnik uses.

#6 Win7yes

  • Members
  • 110 posts

Posted 11 August 2014 - 01:18 AM

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

#7 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 01:35 AM

 Win7yes, on 11 August 2014 - 01:18 AM, said:

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

Emulator or regular computer craft? Other wise, I'm not sure what's going on.

#8 oeed

    Oversimplifier

  • Members
  • 2,095 posts
  • LocationAuckland, New Zealand

Posted 11 August 2014 - 01:39 AM

Looks pretty good.

Maybe rather than doing it points based do it based on proportions. So, if the file was 4 lines and had an fs.open and http.post it'd be flagged, whereas a 1000 line file with two or three wouldn't. It's exploitable, but I might be better.

#9 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 01:55 AM

 oeed, on 11 August 2014 - 01:39 AM, said:

Looks pretty good.

Maybe rather than doing it points based do it based on proportions. So, if the file was 4 lines and had an fs.open and http.post it'd be flagged, whereas a 1000 line file with two or three wouldn't. It's exploitable, but I might be better.

Yeah, I thought about doing something like that, but I figured that it would probably be best if I just let the user discern for himself how many points the limit should be. For example, I would probably set the point limit on ink to 100, and set the point limit of an unknown, short suspicious file to 8.

#10 theoriginalbit

    Semi-Professional ComputerCrafter

  • Moderators
  • 7,332 posts
  • LocationAustralia

Posted 11 August 2014 - 01:57 AM

This program will basically report every program as malicious.

Why do you consider peripheral.wrap and peripheral.call dangerous? also you've missed coroutine.yield, however having os.pullEventRaw or coroutine.yield will 'cause problems due to the fact that os.pullEvent calls os.pullEventRaw which in turn calls coroutine.yield.

You should also look into metatables that way, for example, instead of
shell = {
  -- (Potentially) Dangerous
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end,

  -- Safe
  dir = shell.dir,
  setDir = shell.setDir,
  path = shell.path,
  setPath = shell.setPath,
  resolve = shell.resolve,
  resolveProgram = shell.resolveProgram,
  aliases = shell.aliases,
  setAlias = shell.setAlias,
  clearAlias = shell.clearAlias,
  programs = shell.programs,
  getRunningProgram = shell.getRunningProgram,
  openTab = shell.openTab,
  switchTab = shell.switchTab
}

it would be this
shell = setmetatable({
  --# we only need to redefine the dangerous functions
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end
}, {
  --# any function call that doesn't resolve in the above table will resolve in the original API
  __index = _G.shell
})


#11 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 02:07 AM

 theoriginalbit, on 11 August 2014 - 01:57 AM, said:

This program will basically report every program as malicious.

Why do you consider peripheral.wrap and peripheral.call dangerous? also you've missed coroutine.yield, however having os.pullEventRaw or coroutine.yield will 'cause problems due to the fact that os.pullEvent calls os.pullEventRaw which in turn calls coroutine.yield.

You should also look into metatables that way, for example, instead of
shell = {
  -- (Potentially) Dangerous
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end,

  -- Safe
  dir = shell.dir,
  setDir = shell.setDir,
  path = shell.path,
  setPath = shell.setPath,
  resolve = shell.resolve,
  resolveProgram = shell.resolveProgram,
  aliases = shell.aliases,
  setAlias = shell.setAlias,
  clearAlias = shell.clearAlias,
  programs = shell.programs,
  getRunningProgram = shell.getRunningProgram,
  openTab = shell.openTab,
  switchTab = shell.switchTab
}

it would be this
shell = setmetatable({
  --# we only need to redefine the dangerous functions
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end
}, {
  --# any function call that doesn't resolve in the above table will resolve in the original API
  __index = _G.shell
})

Thank you for that bit of code. I wasted so much time trying to find something to solve the problem of having to define all of the functions of the API.

Also, I don't like the way you say "every program as malicious". Ravnik most certainly does NOT report a program as "malicious". That is what most "string.find" Anti-Viruses do. All Ravnik does, is report any dangerous calls the program makes, and crashes the program if the points exceed the limit you set.

Also, in my testing, I have not noticed "os.pullEvent" calling "os.pullEventRaw" and adding a point to the total.

#12 theoriginalbit

    Semi-Professional ComputerCrafter

  • Moderators
  • 7,332 posts
  • LocationAustralia

Posted 11 August 2014 - 02:17 AM

You never answered why you consider peripheral.wrap and peripheral.call dangerous... basically it means that a program could never use a peripheral, at all. Programs like edit would be shown as dangerous if you try to print something. the monitor program would be shown as dangerous due to using os.pullEventRaw and printing on monitors. these are just two examples of programs that would be falsely reported.

 Jiloacom, on 11 August 2014 - 02:07 AM, said:

Also, I don't like the way you say "every program as malicious". Ravnik most certainly does NOT report a program as "malicious". That is what most "string.find" Anti-Viruses do. All Ravnik does, is report any dangerous calls the program makes, and crashes the program if the points exceed the limit you set.
okay correction then. it would report all of my programs and APIs as dangerous. string.find anti-viruses don't do this.

 Jiloacom, on 11 August 2014 - 02:07 AM, said:

Also, in my testing, I have not noticed "os.pullEvent" calling "os.pullEventRaw" and adding a point to the total.
actually thinking about it again, you're probably correct there, due to the fact that os.pullEvent would still have os.pullEventRaw in its environment, due to your program not overriding the functions in the global space. which also introduces a way to bypass this btw.

#13 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 02:22 AM

 theoriginalbit, on 11 August 2014 - 02:17 AM, said:

You never answered why you consider peripheral.wrap and peripheral.call dangerous... basically it means that a program could never use a peripheral, at all. Programs like edit would be shown as dangerous if you try to print something. the monitor program would be shown as dangerous due to using os.pullEventRaw and printing on monitors. these are just two examples of programs that would be falsely reported.

 Jiloacom, on 11 August 2014 - 02:07 AM, said:

Also, I don't like the way you say "every program as malicious". Ravnik most certainly does NOT report a program as "malicious". That is what most "string.find" Anti-Viruses do. All Ravnik does, is report any dangerous calls the program makes, and crashes the program if the points exceed the limit you set.
okay correction then. it would report all of my programs and APIs as dangerous. string.find anti-viruses don't do this.

 Jiloacom, on 11 August 2014 - 02:07 AM, said:

Also, in my testing, I have not noticed "os.pullEvent" calling "os.pullEventRaw" and adding a point to the total.
actually thinking about it again, you're probably correct there, due to the fact that os.pullEvent would still have os.pullEventRaw in its environment, due to your program not overriding the functions in the global space. which also introduces a way to bypass this btw.

Peripheral call is potentially dangerous because a program could use it to directly send something via modem that I can't trace using my FakeHandler.
Peripheral wrap in itself is not dangerous, but the way it is used can be dangerous.

Now that you presented this to me, I have removed the additional point that is added from Peripheral Wrap, so a program can only gain points if it uses the FakeHandler methods.

#14 Win7yes

  • Members
  • 110 posts

Posted 11 August 2014 - 04:53 AM

 Jiloacom, on 11 August 2014 - 01:35 AM, said:

 Win7yes, on 11 August 2014 - 01:18 AM, said:

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

Emulator or regular computer craft? Other wise, I'm not sure what's going on.
Emulator. CCEmuRedux

#15 MKlegoman357

  • Members
  • 1,170 posts
  • LocationKaunas, Lithuania

Posted 11 August 2014 - 09:51 AM

You do realize that these two situations do exactly the same but the second one gets 1 point instead of 3?

Situation 1:
peripheral.call("top", "transmit", ...)

Situation 2:
peripheral.wrap("top").transmit(...)


Anyway, this looks kinda broken and not useful. It would be more useful if it would still let all functions do their thing, instead of overwriting them all with functions which don't do anything, that would let programs execute normally and still count points. Also, a way to see the total amount of points and a way to make the point limit infinite so you could see how many points a program got after executing it would be nice.

EDIT: ah, re-read your code and saw that whenever you wrap a peripheral it returns a fake handle with a few of File, Modem API's and rednet API's functions which just counts the points, how am I supposed to wrap a monitor or a printer?

EDIT 2: why is http.post more dangerous than http.request? They both can do the same thing, actuall http.request can make GET requests too, which http.post cannot.

Edited by MKlegoman357, 11 August 2014 - 10:00 AM.


#16 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 12:40 PM

 Win7yes, on 11 August 2014 - 04:53 AM, said:

 Jiloacom, on 11 August 2014 - 01:35 AM, said:

 Win7yes, on 11 August 2014 - 01:18 AM, said:

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

Emulator or regular computer craft? Other wise, I'm not sure what's going on.
Emulator. CCEmuRedux

That's probably why it won't work. Try it on regular Computer Craft and tell me if it works.

 MKlegoman357, on 11 August 2014 - 09:51 AM, said:

You do realize that these two situations do exactly the same but the second one gets 1 point instead of 3?

Situation 1:
peripheral.call("top", "transmit", ...)

Situation 2:
peripheral.wrap("top").transmit(...)



Anyway, this looks kinda broken and not useful. It would be more useful if it would still let all functions do their thing, instead of overwriting them all with functions which don't do anything, that would let programs execute normally and still count points. Also, a way to see the total amount of points and a way to make the point limit infinite so you could see how many points a program got after executing it would be nice.

EDIT: ah, re-read your code and saw that whenever you wrap a peripheral it returns a fake handle with a few of File, Modem API's and rednet API's functions which just counts the points, how am I supposed to wrap a monitor or a printer?

EDIT 2: why is http.post more dangerous than http.request? They both can do the same thing, actuall http.request can make GET requests too, which http.post cannot.

Like I said, It still has a bunch of glitches and bugs that could use some ironing out, and I haven't included everything in it just yet. I am considering creating a sort of "Emulator" that will allow the program to actually interact with a sandboxed file system and peripheral system.

Also, to everyone saying this really has no use/purpose, I really don't care. I just made this for fun. If you can find a use for Ravnik, great. If you can't, oh well.

#17 DeltaX

  • Banned
  • 26 posts

Posted 11 August 2014 - 01:04 PM

You forgot so many. setfenv, getfenv, loadstring, loadfile, dofile, rawset, etc.

#18 Saldor010

  • Members
  • 467 posts
  • LocationThe United States

Posted 11 August 2014 - 06:34 PM

 DeltaX, on 11 August 2014 - 01:04 PM, said:

You forgot so many. setfenv, getfenv, loadstring, loadfile, dofile, rawset, etc.

I know that. I only implemented the basic functions for now.

#19 SquidDev

    Frickin' laser beams | Resident Necromancer

  • Members
  • 1,427 posts
  • LocationDoes anyone put something serious here?

Posted 19 August 2014 - 07:02 AM

I cracked it:

-- Get the environment that terminal executes in
local OldEnv = getfenv(term.write)
-- Now we can use this
local Handle = OldEnv.fs.open("Thing", "w")
for i = 0, 10, 1 do
  Handle.write("Hai!")
end
Handle.close()
-- Or even better
function EvilCode()
  -- Totaly outside the sandbox now
  os.setComputerLabel("HEHEHEHE")
end
setfenv(OldEnv, EvilCode)
EvilCde()

I'm pretty sure sandboxing is impossible within Lua without writing your own Lua bytecode executer (then it isn't sandboxing but just emulating Lua in Lua).

According to the Lua Docs you cannot include these functions without being able to escape the sandbox:
  • getfenv
  • getmetatable
  • load (and loadfile/loadstring
  • rawget
  • rawset
  • setfenv
  • setmetatable
Also it is worth noting that every API should be 'recreated' as I could modify it outside the sandbox.

Should turtle also be sandboxed? Otherwise you could write a script to let them run loose...

#20 wilcomega

  • Members
  • 466 posts
  • LocationHolland

Posted 19 August 2014 - 02:26 PM

os.shutdown and os.reboot shouldnt even be able to execute as it just shuts down the pc and the anti virus doesnt have a chance to do anything about it.
i like the concept but it needs ALOT of work still

good luck





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users