Application is not FIPS compliant. about roblox-studio-mod-manager HOT 9 CLOSED

... except the updating process is, more or less, the exact same as the installing process. Why would you run this isolated, anyway?

from roblox-studio-mod-manager.

So I looked into this problem a few weeks ago, and it might actually be possible for me to stop using MD5 if I can avoid having to compute hashes for any files.

It’s easier said than done though, given that Roblox doesn’t list all files in the manifest.
I could try to work around this by using SHA256 hashes for these instead.

This is a solvable issue and I do want to take it on, but I ran into several problems when I tried to get it working during my first attempt. It’ll need to be something I spend like a day working on, and I don’t have that much spare time due to my job and college related stuff.

Stay tuned.

from roblox-studio-mod-manager.

Not what I mean -- when a user is running Windows under an Isolated Environment, it is not possible to launch applications that are not FIPS compliant. It throws a hardcrash exception every time.

Pressing continue does not work, as the program itself needs this function to operate properly.

When you click "Launch Studio" and your installation is out of date, the program forces an update.
What I mean by "a solution can be made by not running the update process at all, and rather just running the installation.", is exactly what I mean, add an option to not bother updating Studio and rather run the executable.

from roblox-studio-mod-manager.

Tada! I finally got around to it.
Let me know if this satisfies the FIPS compliance!
a77f9e3

from roblox-studio-mod-manager.

Resolved.

from roblox-studio-mod-manager.

I figured this might come up, so let me explain what the situation is here with MD5.
MD5 is used because those are the checksums provided by Roblox’s manifest files, and I need them to deduce what directories the zip files are extracted into.

When installing a build from Roblox on production, I use the following endpoint:
https://clientsettings.roblox.com/v1/client-version/WindowsStudio64

At present, the provided version-guid is version-ca3bf34f8a0c4134
Using this, I can fetch the manifest files from Roblox’s Amazon S3 bucket, via:

https://s3.amazonaws.com/setup.roblox.com/version-ca3bf34f8a0c4134-rbxPkgManifest.txt
https://s3.amazonaws.com/setup.roblox.com/version-ca3bf34f8a0c4134-rbxManifest.txt

These manifest files tell me what zip files I need to install using the version-guid prefix, and what the outcoming file directory structure will look like using the files in those zip files.

All of these files are downloaded over an HTTPS connection. I check the zip file MD5 hashes (via rbxPkgManifest.txt) to verify it transferred correctly, and deduce the relative extraction directories using the provided MD5 file hashes (via rbxManifest.txt)

I recognize the risks of MD5 for cryptographic reasons, but I am using it for a non-cryptographic purpose at the application level. I put trust into .NET to throw an exception if it can not establish a trusted HTTPS connection to Amazon S3, and assume TLS 1.2 handshakes are handled appropriately there.

If there is a flaw I am overlooking here, please let me know!

from roblox-studio-mod-manager.

Also worth mentioning, the setup.roblox.com Amazon S3 bucket is a trusted 3rd party vendor (in this case, being Roblox) that is assumed to be distributing files correctly as would be expected for Roblox’s own bootstrapper.

One theoretical attack that could happen here is if Roblox were to suddenly abandon one of its sitetestX.robloxlabs Amazon S3 buckets and someone was somehow able to swoop in and take the bucket for themselves, and then spoof the existing protocol. This is VERY unlikely to happen, but I would likely notice it very fast and issue a patch to the application to disable further use of that bucket domain.

This flaw is unfortunately a side effect of Roblox making their API domains private on their test domains, so I had to fallback to inference using the DeployHistory.txt file they write upload logs to.

At the end of the day, this flaw is on Roblox’s end. Any attack that could happen which affects my mod manager would also affect their own bootstrapper. I would happily switch to SHA256 if they started using it for their file signatures.

from roblox-studio-mod-manager.

Understandable, but when a program is not FIPS compliant, it is not possible to run it on isolated environments. Therefore, a solution can be made by not running the update process at all, and rather just running the installation.

from roblox-studio-mod-manager.

The routine of installing is the same as updating. The difference is that when updating, it is applied incrementally to the existing install directory. The MD5 hashes are used to check which zip files actually need to be installed, what files need to be extracted, and what files can be removed after an update.

The bootstrapper is a separate form because some features of the mod manager (particularly the flag editor and class icon editor) prefer Roblox Studio to be kept up to date to provide accurate data to the user.

from roblox-studio-mod-manager.