Title: Security Issues in Online Games
Ref: Jianxin Jeff Yan and Hyun-Jin Choi
http://www.cigital.com/presentations/eog07/ - Gary McGraw
Presenter: Sagar Panchariya

Introduction
Game development often uses cutting-edge technology in computer graphics, artificial intelligence, human-computer interaction and programming, yet game providers do not pay much attention to security techniques.
The traditional target of computer game security was mainly copy protection; in modern games the focus should also be on discouraging cheating, to protect the legitimate customer base.

Overview
- Online games (like World of Warcraft) have 500,000 simultaneous users on six continents
- 8,000,000 people play WoW
- 12,000,000 play MMORPGs
- Clients and servers are massively distributed
- MMORPGs push the limits of software technology
Modern distributed systems in other domains are evolving toward similar models: SOA, Web 2.0

USD to WoW Gold Conversion

Money
One massively multiplayer online role-playing game (WoW) has over 8,000,000 subscribers
A healthy middle market exists for pretend stuff
Cheating pays off

Trinity
- State Synchronization
- Fat client
- Extensibility

What is Cheating
- There is no generally accepted definition of what a cheat is.
- Different games use different criteria to define cheating.
- It is difficult to distinguish smart play using strategies from play that uses some unfair advantage.
- Example: camping (sniping) behavior is fair; however, using macros to give a sniping gun the rate of fire of a machine gun is unfair.
- Any behavior that a player may use to get an unfair advantage, or to achieve a target that he is not supposed to, is cheating.

A Taxonomy of Online Cheating by Pritchard
- Reflex Augmentation: exploiting a computer program to replace human reaction to produce superior results
- Authoritative Clients: exploiting compromised clients to send modified commands to the other honest clients who blindly accept them
- Information Exposure: exploiting access or visibility to hidden information by compromising client software
- Compromised Servers: modifying server configurations to get unfair advantages
- Bugs and Design Loopholes: exploiting bugs or design flaws in game software
- Environmental Weaknesses: exploiting particular hardware or operating conditions

Other techniques of cheating
- Cheating by collusion: using a group of two or more to cheat others.
- Cheating by abusing procedure or policy
  - E.g. escaping in ranking games whenever he/she is about to lose.
- Cheating related to virtual assets trade: such cheating has been noticed recently
- Cheating by compromising passwords
- Cheating related to internal misuse: e.g. an insider was fired in Korea because he abused his privilege to generate a super-character by modifying the game database.

Cheating contd.
- Cheating by modifying game software or data: many tools are available for cheaters to modify either program files or memory.
- Cheaters may use debuggers to reverse engineer game programs and customize them to get various unfair advantages.
- Ex.: they may remove validation routines, modify configuration parameters, or change the weapons' loading time.

Cheating contd.
- Memory scanning tools such as Game buster are developed to help cheaters look for critical variables in memory.
- With the help of these, cheaters do not have to modify game files; they just have to modify the memory values at runtime.
- A solution could be to encrypt files and memory values all the time.
- Modifying the design so that some variables are kept on the server.
- Designing security protocols to validate software and critical data in an encrypted way.

Cheating and Hacking Opportunities Summarized

Cheating mitigation
- Mechanisms such as encryption, authentication, integrity checking, digital signatures and cryptographic protocols can all find plenty of applications in online games.
- A systematic approach is needed to mitigate online cheating.
- Some means are required to prevent cheating from happening in the first place, and others are needed to detect cheating after it happens.
- Purely technical mechanisms cannot provide a complete solution; management and policy means are also needed.

Cheating mitigation contd.
- Some game providers proposed to use experienced game developers to police their online games by randomly monitoring player behaviors.
- A cheating detection engine can be designed and implemented as one built-in component of each game software.
- A carefully designed built-in cheating detection engine will provide a cheap alternative.
- It can automatically detect and prevent many cheating behaviors by monitoring critical game events and variables.
- This engine can be shared by different games, though triggering events may be specific to each game.
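
A minimal sketch of such a built-in detection engine, added here as an example that is not part of the original slides: a game-independent core dispatches events to game-specific rules, and the weapon limits are held on the server. All names, weapon values and events are constructed for illustration.

```python
from collections import defaultdict
# Server-held weapon parameters in seconds (constructed values); never sent by clients.
WEAPONS = {"sniper": {"min_interval": 1.5, "reload": 3.0},
           "machine_gun": {"min_interval": 0.1, "reload": 4.0}}

class DetectionEngine:
    def __init__(self, rules):
        self.rules = rules                 # event type -> list of rule functions
        self.state = defaultdict(dict)     # player -> scratch state kept by rules
        self.alerts = []                   # (time, player, reason)

    def feed(self, ev):
        for rule in self.rules.get(ev["type"], []):
            reason = rule(ev, self.state[ev["player"]])
            if reason:
                self.alerts.append((ev["t"], ev["player"], reason))

def fire_rate(ev, st):
    # Macro-driven fire: shots closer together than the weapon allows.
    key = ("last_fire", ev["weapon"])
    last, st[key] = st.get(key), ev["t"]
    if last is not None and ev["t"] - last < WEAPONS[ev["weapon"]]["min_interval"]:
        return f"{ev['weapon']} rate of fire exceeded"

def note_reload(ev, st):
    st["ready_at"] = ev["t"] + WEAPONS[ev["weapon"]]["reload"]

def fire_during_reload(ev, st):
    # Client with a shortened loading time fires before the server-side timer ends.
    if ev["t"] < st.get("ready_at", 0.0):
        return "fired before reload completed"

# Triggering events and rules for one hypothetical shooter game.
SHOOTER_RULES = {"fire": [fire_rate, fire_during_reload], "reload": [note_reload]}
# Constructed event stream: alice plays normally; bob uses a macro and a patched reload.
EVENTS = [dict(zip(("t", "player", "type", "weapon"), row)) for row in [
    (0.0, "alice", "fire", "sniper"), (2.0, "alice", "fire", "sniper"),
    (0.0, "bob", "fire", "sniper"), (0.25, "bob", "fire", "sniper"),
    (5.0, "bob", "reload", "sniper"), (6.0, "bob", "fire", "sniper"),
]]

def detect(events, rules=SHOOTER_RULES):
    engine = DetectionEngine(rules)
    for ev in events:
        engine.feed(ev)
    return engine.alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

Another game would reuse `DetectionEngine` unchanged and supply its own rule table in place of `SHOOTER_RULES`.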

Cheating mitigation contd.
- Making players security aware
  - Game providers need to educate players about security, e.g., what potential security threats exist, and what to do when they face a potential security threat.
- Fair trading: fair trading of virtual assets can be achieved by introducing a trusted third party (TTP). Players may negotiate deals by themselves, and then pass their items to the TTP

Cheating mitigation contd.
- Bug patching approach: the traditional bug patching approach in security still works here.
- An active complaint-response channel
  - A complaint channel should be maintained, so that players can report new bugs, potential cheating or cheaters. Game providers should provide prompt responses to complaints from players. Otherwise, the enthusiasm of players will be hurt.

Cheating mitigation contd.
- Logging and audit trails: logging and audit trails provide not only good protection against insider cheating, but also a unique solution for dealing with some cheats, e.g. the scoring cheat.
- Post-detection mechanisms: cheaters should be punished by disciplinary means, and damage unfairly caused to victims by cheating should be restored. A checkpoint mechanism can be used for this recovery.
- All DDoS attacks discussed before also apply here, so those solutions also apply here.
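
One way an audit trail can expose an insider edit such as the super-character case and drive checkpoint recovery, added here as an example that is not from the original slides: replay the logged events on top of the last checkpoint and compare the result with the live database. The event format, field names and sample data are constructed, and the log is assumed to be append-only and stored outside the game database.

```python
import copy

# Constructed checkpoint of character state taken before the logged events.
CHECKPOINT = {"alice": {"level": 10, "gold": 200}, "bob": {"level": 12, "gold": 50}}

# Constructed audit log written by the game server for every legitimate change.
AUDIT_LOG = [
    {"seq": 1, "player": "alice", "field": "gold", "delta": +30, "cause": "quest:41"},
    {"seq": 2, "player": "bob", "field": "level", "delta": +1, "cause": "xp"},
    {"seq": 3, "player": "alice", "field": "gold", "delta": -80, "cause": "trade:bob"},
    {"seq": 4, "player": "bob", "field": "gold", "delta": +80, "cause": "trade:alice"},
]

# Live database after an insider edited bob's row directly (no log entry exists).
LIVE_DB = {"alice": {"level": 10, "gold": 150}, "bob": {"level": 99, "gold": 130}}

def replay(checkpoint, log):
    """Rebuild the expected state; refuse a log with gaps or reordering."""
    state = copy.deepcopy(checkpoint)
    first = log[0]["seq"] if log else 1
    for expected_seq, entry in enumerate(log, start=first):
        if entry["seq"] != expected_seq:
            raise ValueError(f"audit log gap at seq {expected_seq}")
        state[entry["player"]][entry["field"]] += entry["delta"]
    return state

def reconcile(checkpoint, log, live):
    """Return (player, field, expected, found) for every value the log cannot explain."""
    expected = replay(checkpoint, log)
    return [(p, f, v, live.get(p, {}).get(f))
            for p, fields in sorted(expected.items())
            for f, v in sorted(fields.items())
            if live.get(p, {}).get(f) != v]

def restore(live, findings):
    """Checkpoint-style recovery: roll flagged fields back to the replayed value."""
    fixed = copy.deepcopy(live)
    for player, fld, expected, _found in findings:
        fixed.setdefault(player, {})[fld] = expected
    return fixed

if __name__ == "__main__":
    print(reconcile(CHECKPOINT, AUDIT_LOG, LIVE_DB))
```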

Conclusion
- The emergence of online games fundamentally changed the security requirements for computer games.
- In this new context, copy protection is not, or at least not the only, security issue any more.
- While games are commonly regarded as one kind of distributed e-commerce application, they have their own unique security challenges.
- All security mechanisms should be given serious thought; solutions developed in this domain also apply to other e-commerce applications.