Ravnik Anti-Virus

Hey there!
Message from future me, if you enjoy this.. erm.. thing (or even if you don't), you should check out my latest game! It's way better than this one, I'm sure you'd love it ;)/>
Click the link here to check it out!
Back to your original post already in progress..

Yes, yes, I know, another Anti-Virus. Before you click off the topic though, let me assure you, this is NOT just a stupid "string.find()" program. I DID actually work hard on this. And though it still has some bugs and glitches in it, I'm sure you will be pleased to use it.


Description:
Ravnik Anti-Virus isn't really an Anti-Virus as much as it is a sandbox tool.
I'm sure you will find a nice use for it. Even if it is just for sand-boxing your
own programs to see if they will pop up as viruses. The way Ravnik works,
everything is on a point system. Some functions give you a minimal point
dent (such as fs.open), and some give you a major point dent
(such as http.post). Whenever the points overflow their limit, Ravnik
will crash the program and report it to you immediately. The best
feature about the point system, is that YOU (the user) gets to choose
how sensitive, or how lax the sandbox is on your program.

Usage:
Just type in

*Whatever name you downloaded Ravnik with* sandbox *file name* *point limit*

and run your program like you normally would. Most dangerous
calls will be blocked by Ravnik, so don't be surprised if your
program bugs out when it realizes it can't save your file.

Download:

pastebin get mNHc16yK RavnikAV

Screenshots:
[attachment=1842:Ravnik1.JPG]
[attachment=1843:Ravnik2.JPG]

List of all functions considered "Dangerous" by Ravnik.

Spoiler

All Handles/Peripherals are considered dangerous by Ravnik, and are treated as such. They are not on this list.

os.setComputerLabel - No points, but blocked
os.getComputerID - No points, but blocked
shell.run - No points, but the new file is sandboxed.

fs.open - 1 Point
fs.makeDir - 1 Point
fs.combine - 1 Point
fs.move - 1 Point
fs.copy - 1 Point
io.open - 1 Point
os.loadAPI - 1 Point
os.run - 1 Point (Environment replaced with the Sandbox's Environment)
http.request - 1 Point
http.get - 1 Point
peripheral.wrap - 1 Point

os.shutdown - 2 Points
os.reboot - 2 Points
os.pullEventRaw - 2 Points
peripheral.call - 2 Points
shell.exit - 2 Points

fs.delete - 3 Points
http.post - 3 Points

Why would eg. reading from a file multiple times be worse than only once?

Also, can you list all functions witch are considered "bad"?

Can someone explain like, Better, how to use this? I downloaded it, did RavnikAV sandbox startup 20 and it didn't even start the startup program or anything

flaghacker, on 10 August 2014 - 10:06 PM said:

Why would eg. reading from a file multiple times be worse than only once?

Also, can you list all functions witch are considered "bad"?

The problem was, the program kept trying to read the file multiple times, because the first time didn't work, and every time it would try to read it, a point would be added. Like I said, glitches like these still exist. I may try to fix it in the future.

EDIT: Also, Sketch and Ink were really the only programs that had a problem with this, and this is when I was trying to open a file. If you try to save a file, for some reason it will (think it) save the file, and will just assume it worked and go on.

Win7yes, on 10 August 2014 - 10:13 PM said:

Can someone explain like, Better, how to use this? I downloaded it, did RavnikAV sandbox startup 20 and it didn't even start the startup program or anything

Do you happen to have a startup program on that computer? Is there any error? Surprisingly, you do have to give a bit of description of what is going wrong if you expect any help or support.

Added list of "Dangerous" functions that Ravnik uses.

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

Win7yes, on 11 August 2014 - 02:18 AM said:

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

Emulator or regular computer craft? Other wise, I'm not sure what's going on.

Looks pretty good.

Maybe rather than doing it points based do it based on proportions. So, if the file was 4 lines and had an fs.open and http.post it'd be flagged, whereas a 1000 line file with two or three wouldn't. It's exploitable, but I might be better.

oeed, on 11 August 2014 - 02:39 AM said:

Looks pretty good.

Maybe rather than doing it points based do it based on proportions. So, if the file was 4 lines and had an fs.open and http.post it'd be flagged, whereas a 1000 line file with two or three wouldn't. It's exploitable, but I might be better.

Yeah, I thought about doing something like that, but I figured that it would probably be best if I just let the user discern for himself how many points the limit should be. For example, I would probably set the point limit on ink to 100, and set the point limit of an unknown, short suspicious file to 8.

This program will basically report every program as malicious.

Why do you consider peripheral.wrap and peripheral.call dangerous? also you've missed coroutine.yield, however having os.pullEventRaw or coroutine.yield will 'cause problems due to the fact that os.pullEvent calls os.pullEventRaw which in turn calls coroutine.yield.

You should also look into metatables that way, for example, instead of

shell = {
  -- (Potentially) Dangerous
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end,

  -- Safe
  dir = shell.dir,
  setDir = shell.setDir,
  path = shell.path,
  setPath = shell.setPath,
  resolve = shell.resolve,
  resolveProgram = shell.resolveProgram,
  aliases = shell.aliases,
  setAlias = shell.setAlias,
  clearAlias = shell.clearAlias,
  programs = shell.programs,
  getRunningProgram = shell.getRunningProgram,
  openTab = shell.openTab,
  switchTab = shell.switchTab
}

it would be this

shell = setmetatable({
  --# we only need to redefine the dangerous functions
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end
}, {
  --# any function call that doesn't resolve in the above table will resolve in the original API
  __index = _G.shell
})

theoriginalbit, on 11 August 2014 - 02:57 AM said:

This program will basically report every program as malicious.

Why do you consider peripheral.wrap and peripheral.call dangerous? also you've missed coroutine.yield, however having os.pullEventRaw or coroutine.yield will 'cause problems due to the fact that os.pullEvent calls os.pullEventRaw which in turn calls coroutine.yield.

You should also look into metatables that way, for example, instead of

shell = {
  -- (Potentially) Dangerous
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end,

  -- Safe
  dir = shell.dir,
  setDir = shell.setDir,
  path = shell.path,
  setPath = shell.setPath,
  resolve = shell.resolve,
  resolveProgram = shell.resolveProgram,
  aliases = shell.aliases,
  setAlias = shell.setAlias,
  clearAlias = shell.clearAlias,
  programs = shell.programs,
  getRunningProgram = shell.getRunningProgram,
  openTab = shell.openTab,
  switchTab = shell.switchTab
}

it would be this

shell = setmetatable({
  --# we only need to redefine the dangerous functions
  exit = function() Points = Points + 2 PointCheck() sendtoLog("Program attempted to exit shell. + 2 points") end,
  run = function(path) Sandbox(funcs,path) end
}, {
  --# any function call that doesn't resolve in the above table will resolve in the original API
  __index = _G.shell
})

Thank you for that bit of code. I wasted so much time trying to find something to solve the problem of having to define all of the functions of the API.

Also, I don't like the way you say "every program as malicious". Ravnik most certainly does NOT report a program as "malicious". That is what most "string.find" Anti-Viruses do. All Ravnik does, is report any dangerous calls the program makes, and crashes the program if the points exceed the limit you set.

Also, in my testing, I have not noticed "os.pullEvent" calling "os.pullEventRaw" and adding a point to the total.

You never answered why you consider peripheral.wrap and peripheral.call dangerous… basically it means that a program could never use a peripheral, at all. Programs like edit would be shown as dangerous if you try to print something. the monitor program would be shown as dangerous due to using os.pullEventRaw and printing on monitors. these are just two examples of programs that would be falsely reported.

Jiloacom, on 11 August 2014 - 03:07 AM said:

Also, I don't like the way you say "every program as malicious". Ravnik most certainly does NOT report a program as "malicious". That is what most "string.find" Anti-Viruses do. All Ravnik does, is report any dangerous calls the program makes, and crashes the program if the points exceed the limit you set.

okay correction then. it would report all of my programs and APIs as dangerous. string.find anti-viruses don't do this.

Jiloacom, on 11 August 2014 - 03:07 AM said:

Also, in my testing, I have not noticed "os.pullEvent" calling "os.pullEventRaw" and adding a point to the total.

actually thinking about it again, you're probably correct there, due to the fact that os.pullEvent would still have os.pullEventRaw in its environment, due to your program not overriding the functions in the global space. which also introduces a way to bypass this btw.

theoriginalbit, on 11 August 2014 - 03:17 AM said:

You never answered why you consider peripheral.wrap and peripheral.call dangerous… basically it means that a program could never use a peripheral, at all. Programs like edit would be shown as dangerous if you try to print something. the monitor program would be shown as dangerous due to using os.pullEventRaw and printing on monitors. these are just two examples of programs that would be falsely reported.

Jiloacom, on 11 August 2014 - 03:07 AM said:

Also, I don't like the way you say "every program as malicious". Ravnik most certainly does NOT report a program as "malicious". That is what most "string.find" Anti-Viruses do. All Ravnik does, is report any dangerous calls the program makes, and crashes the program if the points exceed the limit you set.

okay correction then. it would report all of my programs and APIs as dangerous. string.find anti-viruses don't do this.

Jiloacom, on 11 August 2014 - 03:07 AM said:

Also, in my testing, I have not noticed "os.pullEvent" calling "os.pullEventRaw" and adding a point to the total.

actually thinking about it again, you're probably correct there, due to the fact that os.pullEvent would still have os.pullEventRaw in its environment, due to your program not overriding the functions in the global space. which also introduces a way to bypass this btw.

Peripheral call is potentially dangerous because a program could use it to directly send something via modem that I can't trace using my FakeHandler.
Peripheral wrap in itself is not dangerous, but the way it is used can be dangerous.

Now that you presented this to me, I have removed the additional point that is added from Peripheral Wrap, so a program can only gain points if it uses the FakeHandler methods.

Jiloacom, on 11 August 2014 - 02:35 AM said:

Win7yes, on 11 August 2014 - 02:18 AM said:

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

Emulator or regular computer craft? Other wise, I'm not sure what's going on.

Emulator. CCEmuRedux

You do realize that these two situations do exactly the same but the second one gets 1 point instead of 3?

Situation 1:

peripheral.call("top", "transmit", ...)

Situation 2:

peripheral.wrap("top").transmit(...)

Anyway, this looks kinda broken and not useful. It would be more useful if it would still let all functions do their thing, instead of overwriting them all with functions which don't do anything, that would let programs execute normally and still count points. Also, a way to see the total amount of points and a way to make the point limit infinite so you could see how many points a program got after executing it would be nice.

EDIT: ah, re-read your code and saw that whenever you wrap a peripheral it returns a fake handle with a few of File, Modem API's and rednet API's functions which just counts the points, how am I supposed to wrap a monitor or a printer?

EDIT 2: why is http.post more dangerous than http.request? They both can do the same thing, actuall http.request can make GET requests too, which http.post cannot.

Win7yes, on 11 August 2014 - 05:53 AM said:

Jiloacom, on 11 August 2014 - 02:35 AM said:

Win7yes, on 11 August 2014 - 02:18 AM said:

If I tried to run the program to check startup, is because it did have a startup file. I also tried other files It had. The program that is ran crashes or only runs without any blue screen with information or anything.

Emulator or regular computer craft? Other wise, I'm not sure what's going on.

Emulator. CCEmuRedux

That's probably why it won't work. Try it on regular Computer Craft and tell me if it works.

MKlegoman357, on 11 August 2014 - 10:51 AM said:

You do realize that these two situations do exactly the same but the second one gets 1 point instead of 3?

Situation 1:

peripheral.call("top", "transmit", ...)

Situation 2:

peripheral.wrap("top").transmit(...)

Anyway, this looks kinda broken and not useful. It would be more useful if it would still let all functions do their thing, instead of overwriting them all with functions which don't do anything, that would let programs execute normally and still count points. Also, a way to see the total amount of points and a way to make the point limit infinite so you could see how many points a program got after executing it would be nice.

EDIT: ah, re-read your code and saw that whenever you wrap a peripheral it returns a fake handle with a few of File, Modem API's and rednet API's functions which just counts the points, how am I supposed to wrap a monitor or a printer?

EDIT 2: why is http.post more dangerous than http.request? They both can do the same thing, actuall http.request can make GET requests too, which http.post cannot.

Like I said, It still has a bunch of glitches and bugs that could use some ironing out, and I haven't included everything in it just yet. I am considering creating a sort of "Emulator" that will allow the program to actually interact with a sandboxed file system and peripheral system.

Also, to everyone saying this really has no use/purpose, I really don't care. I just made this for fun. If you can find a use for Ravnik, great. If you can't, oh well.

You forgot so many. setfenv, getfenv, loadstring, loadfile, dofile, rawset, etc.

DeltaX, on 11 August 2014 - 02:04 PM said:

You forgot so many. setfenv, getfenv, loadstring, loadfile, dofile, rawset, etc.

I know that. I only implemented the basic functions for now.

I cracked it:

-- Get the environment that terminal executes in
local OldEnv = getfenv(term.write)
-- Now we can use this
local Handle = OldEnv.fs.open("Thing", "w")
for i = 0, 10, 1 do
  Handle.write("Hai!")
end
Handle.close()
-- Or even better
function EvilCode()
  -- Totaly outside the sandbox now
  os.setComputerLabel("HEHEHEHE")
end
setfenv(OldEnv, EvilCode)
EvilCde()

I'm pretty sure sandboxing is impossible within Lua without writing your own Lua bytecode executer (then it isn't sandboxing but just emulating Lua in Lua).

According to the Lua Docs you cannot include these functions without being able to escape the sandbox:

• getfenv
• getmetatable
• load (and loadfile/loadstring
• rawget
• rawset
• setfenv
• setmetatable

Also it is worth noting that every API should be 'recreated' as I could modify it outside the sandbox.

Should turtle also be sandboxed? Otherwise you could write a script to let them run loose…

os.shutdown and os.reboot shouldnt even be able to execute as it just shuts down the pc and the anti virus doesnt have a chance to do anything about it.
i like the concept but it needs ALOT of work still

good luck