[security] integrity of process

Is it possible for potential hackers who have access to the robot (or PC) the process is running on to create a rogue nupkg with the same version number/metadata, resulting in their rogue process executing instead?
If processes are deployed to robots through the Orchestrator, is the above also possible?

There are a few things preventing this from happening.

The first is that the package is stored in a folder that requires local admin rights to access, meaning you would need to have admin rights on the machine in order to access the existing nupkg metadata or insert a new nupkg. Presumably, having full administrative privileges to the machine provides a greater threat than being able to change the package contents.

The second is the option to cryptographically sign packages. This feature was added in 2019.4. Packages are signed by Orchestrator using a customer-provided certificate and then verified by the robot before execution.

4 Likes

What about attended bots on PCs without internet access?
How does uirobot check for script integrity in this case?

I assume you are referring to an attended bot with no access to Orchestrator, as internet access is not required. In this case, the robot will only work off of the local folder of already downloaded nuget packages. As stated above, local admin rights are required to access that folder.

1 Like
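
Both answers rest on the package folder being writable only by administrators. The PowerShell below is an added example, not part of the thread and not UiPath code, that audits that assumption on a given machine by listing any non-admin principal allowed to write, delete or re-permission the folder or the .nupkg files in it. The folder path is a placeholder to replace with the robot's actual package folder, and the trusted SID list (Administrators, SYSTEM) is an assumption to adjust.

```powershell
param(
    # Placeholder path (assumption): point this at the robot's local package folder.
    [string]$PackageFolder = 'C:\Path\To\Robot\Packages'
)

# Principals expected to have write access: BUILTIN\Administrators and SYSTEM (assumption).
$trustedSids = @('S-1-5-32-544', 'S-1-5-18')

# Rights that let someone drop, replace, delete or re-permission a package,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that some ACEs carry.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = ([int]$writeRights) -bor 0x10000000 -bor 0x40000000

function Get-UntrustedWriter {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so an untrusted owner is a finding too.
    $owner = $acl.GetOwner($sidType).Value
    if ($trustedSids -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Principal = $owner; Rights = 'Owner'; Inherited = $false }
    }

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        if ((([int]$rule.FileSystemRights) -band $writeMask) -eq 0) { continue }
        # Resolve the SID to a name for the report; keep the SID if it does not resolve.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }
        [pscustomobject]@{ Path = $Path; Principal = $name; Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited }
    }
}

# Audit the folder itself and every package stored under it.
$targets  = @($PackageFolder) + @(Get-ChildItem -LiteralPath $PackageFolder -Filter *.nupkg -Recurse -File |
                                  ForEach-Object { $_.FullName })
$findings = @($targets | ForEach-Object { Get-UntrustedWriter -Path $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled compliance check can alert
}
'No untrusted principal can modify the package folder or its packages.'
```

Run it from an elevated prompt so the folder's ACL is readable; an empty result supports the first answer's claim for that machine, and it does not replace signature verification.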