mitigations.md

Mitigation Strategies Analysis for korlibs/korge

Mitigation Strategy: Secure Resource Loading with ResourcesVfs

Description:

1. Path Whitelisting: Create a hardcoded list (or set) of all allowed resource paths within the game's assets directory, managed by KorGE's ResourcesVfs.
2. Input Validation: When loading a resource using resourcesVfs["path/to/resource"], always validate the "path/to/resource" string. Do not allow user input to directly construct this path. Check if the requested path is present in the whitelist.
3. Rejection of Invalid Paths: If the requested path is not in the whitelist, reject the request using KorGE's error handling mechanisms (e.g., throwing an exception or returning a default "not found" resource). Log the attempt.
4. Relative Paths: Use relative paths within the game's resource directory, as managed by ResourcesVfs. Avoid absolute paths.
5. Checksum Verification (Optional): For critical assets loaded via ResourcesVfs, calculate checksums (e.g., SHA-256) during the build. When loading, recalculate and compare. If they don't match, handle the error appropriately (e.g., throw an exception, log, and potentially exit). This leverages KorGE's ability to read the resource data.

• Threats Mitigated:

  • Path Traversal (Critical): Prevents attackers from using ResourcesVfs to access files outside the intended resource directory, potentially including sensitive system files accessible to the application.
  • Arbitrary File Read (High): Prevents attackers from reading arbitrary files on the user's system via ResourcesVfs.
  • Resource Exhaustion (Medium): By limiting ResourcesVfs access to known resources, it helps prevent attempts to exhaust system resources.

• Impact:

  • Path Traversal: Eliminates the risk of path traversal attacks specifically through KorGE's ResourcesVfs.
  • Arbitrary File Read: Eliminates the risk of arbitrary file reads specifically through KorGE's ResourcesVfs.
  • Resource Exhaustion: Reduces the risk, but other resource management is still needed.

• Currently Implemented:

  • Partial path validation exists for some ResourcesVfs calls, but not consistently.
  • Relative paths are generally used within ResourcesVfs.

• Missing Implementation:

  • Comprehensive path whitelisting for all ResourcesVfs access is not implemented.
  • Checksum verification using ResourcesVfs read data is not implemented.
  • Consistent error handling and logging for invalid ResourcesVfs requests are lacking.

Mitigation Strategy: Secure Network Communication with HttpVfs

Description:

1. HTTPS Enforcement: Use https:// URLs exclusively with KorGE's HttpVfs. Reject any http:// URLs. This is crucial for secure communication.
2. Certificate Validation: Ensure that HttpVfs (or the underlying Ktor client KorGE uses) performs proper TLS certificate validation. This is usually handled automatically by Ktor, but verify the configuration.
3. Input Validation (Server Responses): Treat all data received via HttpVfs as untrusted. Apply strict input validation and sanitization to any data obtained from HttpVfs.read* methods (e.g., readString, readBytes, readBitmap). Validate data types, lengths, and formats.
4. Timeout Configuration: Set appropriate timeouts for all HttpVfs requests using Ktor's timeout configuration options. This prevents the game from hanging if a server is unresponsive.
5. Error Handling: Implement robust error handling for HttpVfs operations. Handle connection errors, timeouts, and invalid server responses gracefully, using KorGE's exception handling. Log errors.
6. Certificate Pinning (Optional, Advanced): For high-security, implement certificate pinning. This involves storing the expected server certificate (or its public key) and verifying it during the TLS handshake performed by HttpVfs (likely through Ktor configuration). This prevents MitM attacks even if a CA is compromised.

• Threats Mitigated:

  • Man-in-the-Middle (MitM) Attacks (Critical): Prevents attackers from intercepting and modifying network traffic handled by HttpVfs.
  • Data Tampering (High): Prevents attackers from modifying data in transit fetched via HttpVfs.
  • Information Disclosure (High): Prevents eavesdropping on HttpVfs communication.
  • Denial of Service (DoS) (Medium): Timeouts help mitigate DoS attacks targeting HttpVfs.
  • Injection Attacks (High): Input validation on data from HttpVfs helps prevent injection attacks.

• Impact:

  • MitM: Significantly reduces MitM risk (eliminates with pinning).
  • Data Tampering: Significantly reduces data tampering risk.
  • Information Disclosure: Significantly reduces information disclosure risk.
  • DoS: Provides some DoS protection.
  • Injection Attacks: Reduces risk, but server-side security is crucial.

• Currently Implemented:

  • HTTPS is used for most HttpVfs requests.
  • Basic timeout configuration is in place for some HttpVfs calls.

• Missing Implementation:

  • Consistent HTTPS use for all HttpVfs requests.
  • Thorough input validation on all data received via HttpVfs.
  • Certificate pinning is not implemented.
  • Comprehensive error handling and logging for all HttpVfs operations are incomplete.

Mitigation Strategy: Secure File I/O with LocalVfs and other VFS implementations

Description:

1. Least Privilege: If your game needs to write files using LocalVfs (or similar), use the most restrictive permissions possible. Avoid writing to system directories. Use KorGE's API to access appropriate application-specific storage locations.
2. Sandboxing: Utilize platform-specific sandboxing mechanisms, where available, in conjunction with LocalVfs to limit file access. KorGE doesn't directly provide sandboxing, but you can use platform-specific APIs (e.g., Android's storage access framework) to enhance security.
3. Input Validation (File Paths): If any part of a file path used with LocalVfs is derived from user input, strictly validate that input. Prevent path traversal attacks. Use whitelisting if possible.
4. Data Validation: Validate any data written to or read from files using LocalVfs. This helps prevent corrupted data or malicious payloads from being processed.
5. Error Handling: Implement robust error handling for all LocalVfs operations, including file creation, reading, writing, and deletion. Use KorGE's exception handling.

• Threats Mitigated:

  • Path Traversal (Critical): Prevents attackers from using LocalVfs to access or modify files outside the intended directories.
  • Arbitrary File Write/Read (High): Prevents unauthorized file access.
  • Data Corruption (Medium): Data validation helps prevent corrupted data from being used.
  • Denial of Service (DoS) (Medium): Proper error handling and resource management can help mitigate DoS attacks targeting file storage.

• Impact:

  • Path Traversal: Eliminates path traversal risk through LocalVfs.
  • Arbitrary File Write/Read: Significantly reduces unauthorized file access.
  • Data Corruption: Reduces the risk of data corruption issues.
  • DoS: Provides some protection against DoS.

• Currently Implemented:

  • Basic file writing is done using LocalVfs to the application's data directory.

• Missing Implementation:

  • Strict input validation for file paths used with LocalVfs is not consistently implemented.
  • Data validation for data written to/read from files using LocalVfs is not comprehensive.
  • Robust error handling for all LocalVfs operations is incomplete.
  • Platform-specific sandboxing is not utilized in conjunction with LocalVfs.