Security Issues in Online Games

1
Security Issues in Online Games
Ref Jianxinn Jeff Yan and Hyun-Jin
Choi, http//www.cigital.com/presentations/eog07/
-Gary McGraw
Presenter Sagar Panchariya
1
2
Introduction
Game development often utilizes the cutting edge
technology in computer graphics, artificial
intelligence, human computer interaction and
programming, game providers do not pay much
attention to security techniques.
The traditional target of computer game security
was mainly copy protection, however in modern
games the focus should also be to discourage
cheating to protect legitimate customer base.
2
3
Overview

• Online games (like World of Warcraft) have
  500,000simultaneous users on six continents
• 8,000,000 people play WoW
• 12,000,000 play MMORPGs
• Clients and servers are massively distributed
• MMORPGs push the limits of software technology
  Modern distributed systems in other domains are
  evolving toward similar models SOA, Web 2.0

3
4
USD to wow Gold Conversion
4
5
Money
One game (WoW) like massively multiplayer online
role-playing game has over 8,000,000 subscribers

• 14 8M 112M 12 1.344B

A healthy middle market exists for pretend stuff
Cheating pays off
5
6
Trinity

• State Synchronization
• Fat client
• Extensibility

6
7
What is Cheating

• There is not a generally accepted definition on
  what a cheat is.
• Different games use different criteria to define
  cheating.
• Difficult to distinguish between smart play using
  strategies or using some unfair advantage.
• Example camping(sniping) behavior is fair however
  using macros to give a sniping gun rate of fire
  as of a machine gun is unfair.
• Any behavior that a player may use to get an
  unfair advantage, or achieve a target that he is
  not supposed to is cheating.

7
8
A Taxonomy of online cheatingby Pritchard

• Reflex Augmentation exploiting a computer
  program to replace human reaction to produce
  superior results
• Authoritative Clients exploiting compromised
  clients to send modified commands to the other
  honest clients who blindly accept them
• Information Exposure exploiting access or
  visibility to hidden information by compromising
  client software
• Compromised Servers modifying server
  configurations to get unfair advantages
• Bugs and Design Loopholes exploiting bugs or
  design flaws in game software
• Environmental Weaknesses exploiting particular
  hardware or operating conditions

8
9
Other techniques of cheating

• Cheating by Collusion using a group of two or
  more to cheat others.
• Cheating by abusing procedure or policy
• Eg escaping in ranking games whenever he/she is
  about to loose.
• Cheating related with virtual Assets trade
  cheating have been noticed recently
• Cheating by compromising passwords
• Cheating related to internal misuse eg an
  insider was fired in Korea because he abused his
  privilege to generate a super-character by
  modifying the game database.

9
10
Cheating Contd.

• Cheating by modifying game software or data Many
  tools are available for cheaters to modify either
  program file or memory.
• Cheaters may use debuggers to reverse engineer
  game programs and customize them to get various
  unfair advantages.
• Ex they may remove validation routines, modify
  configuration parameters, or change the weapons'
  loading time.

10
11
Cheating contd.

• Memory scanning tools such as Game buster are
  developed to help cheaters look for critical
  variables in the memory.
• With the help of this the cheater do have to
  modify game file however they just have to modify
  the memory values at runtime.
• Sol could be to encrypt files and memory values
  all the time.
• Modifying design such that some variable could be
  kept on the server.
• Modifying security protocols to be designed to
  validate software and critical data in an
  encrypted way.

11
12
Cheating and Hacking Opportunities Summarized
12
13
Cheating mitigation

• Mechanisms such as encryption, authentication,
  integrity checking, digital signature and
  cryptographic protocol all can find plenty of
  applications in online games.
• A systematic approach is needed to mitigate
  online cheating.
• Some means are required to preventing cheating
  from happening in the first place, and others
  needed for detecting cheating after it happens.
• Pure technical mechanisms cannot provide a
  complete solution management and policy means
  are also needed.

13
14
Cheating mitigation contd.

• Some game providers proposed to use experienced
  game developers to police their online games by
  randomly monitoring player behaviors.
• A cheating detection engine can be designed and
  implemented as one built-in component of each
  game software.
• A carefully designed built-in cheating detection
  engine will provide a cheap alternative.
• Automatically detect and prevent many cheating
  behaviors by monitoring critical game events and
  variables.
• This engine can be shared by different games,
  though triggering events may be specific to each
  game.

14
15
Cheating mitigation contd.

• Making players be security aware
• Game providers need to educate players about
  security, e.g., what potential security threats
  exist, and what to do when they face a potential
  security threat.
• Fair Trading This fair-trading of virtual assets
  can be achieved by introducing a trusted third
  party (TTP). Players may negotiate deals by
  themselves, and then pass their items to the TTP

15
16
Cheating mitigation contd.

• Bug patching approach The traditional bug
  patching approach in security still works here.
• An active complain-response channel
• A complain channel should be maintained, so that
  players can report new bugs, potential cheatings
  or cheaters. Game providers should provide prompt
  responses to complaints from players. Otherwise,
  the enthusiasms of players will be hurt.

16
17
Cheating mitigation contd.

• Logging and audit trails Logging and audit
  trails provide not only good protection against
  insider cheating, but also a unique solution for
  dealing with some cheats. Eg scoring cheat.
• Post-detection mechanisms Cheaters should be
  punished by disciplinary means, and victim's
  damage unfairly caused by cheating should be
  restored. A checkpoint mechanism can be used for
  this recovery.
• All DDos attacks discussed before also apply here
  so those solutions also apply here.

17
18
Conclusion

• The emergence of online games fundamentally
  changed the security requirement for computer
  games.
• new context, copy protection is not, at least not
  the only, security issue any more.
• Games are commonly regarded as one of distributed
  E-Commerce applications, they have their own
  unique security challenges.
• All security mechanisms should be given serious
  thoughts, also solution's developed in this
  domain also apply to other e-commerce
  applications.

18
19
Additional References

• http//www.cigital.com/papers/download/attack-tren
  ds-EOG.pdfhttp//www.computer.org/portal/site/se
  curity/menuitem.6f7b2414551cb84651286b108bcd45f3/i
  ndex.jsp?pNamesecurity_level1_articleTheCat100
  1pathsecurity/2007/n5fileattack.xmljsessioni
  dJ10JVBr8695GL1Gsj5nGy5dSwSgQqYWQm1Kg8MdjVvNyT47B
  JjSV!1201751879http//cubist.cs.washington.edu/S
  ecurity/2008/01/20/online-game-security/

19
20
20
21
Thank you
21