Security APIs and Massively Multiplayer Games
Mike Bond, Cryptomathic Ltd.
ASA 2008, Pittsburgh, 26th June
This Talk
⢠Why?â why study games?
⢠Where?â what sort of games need help
⢠What?â whatâs a security API got to do with gaming?â what goes wrong? Example attacks
⢠How?â how can the analysis community help?
Why?
⢠Massively Multipler Online Games (MMOGs) are big money
⢠Cheating/Exploiting/Unbalancing damages a gameâs subscriber baseâ undermines player achivement
â damages player econonmyâ can facilitate âgriefingâ
â makes generated content less satisfying
Where?
⢠World of Warcraftâ Size (7 million+), demand for items. WoW â Interesting
tradeability/instancing model keeps economic demand up. Items can be unbound / bind-on-equip / bind-on-pickup , unique/non-unique/quest â Itâs DRM on physical goods.
⢠Second Lifeâ In-game scripting, ânot a gameâ, user-generated content. Socially
oriented.
⢠Lineage seriesâ a national pastime in S.Korea, tens of millions of players
(need local knowledge to analyse, my recollection sketchy)
⢠EVE Onlineâ case-study
EVE Online
• The largest, maturest economy of any game
  – 200,000 users in one shard (~5000 per shard in WoW)
  – Conquest oriented
  – Typical group size 60-100, alliance 300-5,000
• Sink-or-swim game.
  – If you aren't skilled, you can't progress. If you can do politics you can get rich. If you can fight well (fighter pilot skills and much research required), you get rich. If you have no skills you'll find a dull job you can handle (hauling goods, mining). In other games, lack of skill can be countered by money.
• Most virtual economies have realistic faucets… human effort to extract natural resources
• EVE Economy has a natural economic sink… warfare
  – Warfare for territorial conquest, to settle long standing disputes
  – Territory held permits (with effort) harvesting of resources.
  – Most wars are won or lost by the economic health of the combatants.
Territorial Disputes
What?
⢠Just to recap⌠what is a security API?
âAn API which enforces apolicy on the user.â
MMOG APIs
[Diagram: the MMOG API layers – GUI, Scripting, Local State, Protocol, Packets – arranged on a low-level to high-level scale, with Tactic, Exploit and Hack as the corresponding kinds of attack; some layers are mainly public, others mainly private]
What's the Policy?
• You must not be able to…
  – gain an unfair advantage
  – cause grief to other players
[Diagram maps example violations onto the GUI, Protocol and Scripting layers: make money from nowhere, duplicate resources, travel faster than top speed, see through walls, become invulnerable, become Turing powerful, access forbidden I/O]
Game Server APIs
[Diagram: GameClientEngine (Scripting, 3D Graphics) connects to ConnectionHandlerNodes, behind which sit SimulatorNodes, a DatabaseCluster, a SecureDB (Money etc) and SpecialisedFunctions. Some of these APIs are of direct concern, others are indirectly accessible.]
Some Example Attacks
⢠Dogs Days of Duping⢠The Stochastic Breastplate⢠The Maypole Totem⢠Daley Thompsonâs Wow Mod
Dog Days of Duping
⢠Everquest 2: Guy called âMethicalâ discovers duping exploit by accidentâŚâ Put a âgnomish thinking chairâ on the market, it is then flagged as
in escrow for saleâ Options remain⌠examine/destroy/place , he decides to place it
down on the floor. It remainsâ Third party buys it off market -> gets fresh copy
⢠Methical industrialises his exploit, making thousands of dollars from gold sales (actually platinum in EQ2).
⢠Upgrades to duping the most valuable item, pet dogs called âhaulaisian maulersâ (best sell to NPC price)
⢠Soon the size of the industry gives it awayâŚ
Dog Days of Duping (2)
How to destroy the evidence?
Dog Days Decomposed
⢠Why didnât the API preserve non-duplication properties? â non-duplication is an obvious policy to implement
â Clark/Wilson model has explicit invariants which are preserved by all transactions. Why not this too?
⢠A hypothetical explanationâŚ
SimulatorNode
DatabaseCluster
SecureDB
(Money etc)
Auction/MarketEngine
transact(from,to,amount)
id=register(itemName,amount)
abort(id)
buy(id)
oid=create(object, location)
destroy(oid)
buy, sell, place,examine, move, eat etcâŚ
contains only textual representationsof objects (for performance)
holds master informationabout 3D objects
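The hypothetical decomposition above, worked through as an added toy model (constructed for this page, not code from the talk or from EQ2): a market engine that stores only a textual listing while the simulator owns the master object, so "register, then place on the floor, then a third party buys" yields two chairs; the hardened variant makes escrow a state of the master object and transfers it on sale rather than creating a copy, so the object count is invariant across every transaction. All class and location names are assumptions.

```python
# Added example (constructed toy model, not code from the talk). Locations:
# an owner name, "floor" or "escrow". Hardened mode makes escrow a state of
# the master object and transfers it on sale instead of creating a copy.
class SimulatorNode:
    def __init__(self, hardened):
        self.hardened, self.objects, self.next_oid = hardened, {}, 1
    def create(self, item, loc):
        oid, self.next_oid = self.next_oid, self.next_oid + 1
        self.objects[oid] = {"item": item, "loc": loc}
        return oid
    def place(self, oid):
        obj = self.objects[oid]
        if self.hardened and obj["loc"] == "escrow":
            raise PermissionError("object is owned by the market while listed")
        obj["loc"] = "floor"   # vulnerable: escrow is only a flag in the market
    def count(self, item):
        return sum(o["item"] == item for o in self.objects.values())

class MarketEngine:
    def __init__(self, sim):
        self.sim, self.listings, self.next_id = sim, {}, 1
    def register(self, oid):
        lid, self.next_id = self.next_id, self.next_id + 1
        obj = self.sim.objects[oid]
        if self.sim.hardened:
            obj["loc"] = "escrow"           # master object changes state
            self.listings[lid] = oid        # listing names the one real object
        else:
            self.listings[lid] = obj["item"]   # textual copy only; object untouched
        return lid
    def buy(self, lid, buyer):
        ref = self.listings.pop(lid)
        if self.sim.hardened:
            self.sim.objects[ref]["loc"] = buyer   # transfer, never create
            return ref
        return self.sim.create(ref, buyer)         # vulnerable: fresh copy from the name

def run_dupe(hardened):
    """Seller lists a chair, places it on the floor, a buyer buys it; return chair count."""
    sim = SimulatorNode(hardened)
    market = MarketEngine(sim)
    chair = sim.create("gnomish thinking chair", "Methical")
    lid = market.register(chair)
    try:
        sim.place(chair)   # refused once escrow is a real object state
    except PermissionError:
        pass
    market.buy(lid, "ThirdParty")
    return sim.count("gnomish thinking chair")   # 2 vulnerable, 1 hardened
```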
The Stochastic Breastplate
⢠Stat Boosting + PvP + Unfair + Rewards/Betting = Economic Risk
⢠âMagic Breastplates of Cryptographyâ vary in strength, having a intelligence boost of from 10-20.
⢠Cock up in the implementationâŚ
event BREASTPLATE_equip{intellect += 10 + rand() % 10;}
event BREASTPLATE_unequip{intellect -= 10 + rand() % 10;}
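The two handlers above roll independently, so every equip/unequip cycle nets (equip roll - unequip roll) and a player can pump the stat by cycling the item. As an added example (not code from the talk), the buggy drift beside the fix, which rolls once when the item instance is created and stores the bonus on it so unequip removes exactly what equip added; `roll` is a constructed stand-in for rand() % 10.

```python
# Added example (constructed, not code from the talk). `roll` stands in for
# rand() % 10 and returns 0..9; a deterministic roll can be injected for tests.
import random

def drift_buggy(cycles, roll=lambda: random.randrange(10)):
    """Net intellect change after `cycles` equip/unequip cycles of the buggy item."""
    intellect = 0
    for _ in range(cycles):
        intellect += 10 + roll()   # BREASTPLATE_equip
        intellect -= 10 + roll()   # BREASTPLATE_unequip: a fresh, unrelated roll
    return intellect

class Breastplate:
    """Bonus is rolled once and persisted with the item instance."""
    def __init__(self, roll=lambda: random.randrange(10)):
        self.bonus = 10 + roll()
    def equip(self, stats):
        stats["intellect"] += self.bonus
    def unequip(self, stats):
        stats["intellect"] -= self.bonus   # removes exactly what equip added

def drift_fixed(cycles, roll=lambda: random.randrange(10)):
    """Net intellect change after `cycles` cycles of the fixed item: always 0."""
    stats = {"intellect": 0}
    plate = Breastplate(roll)
    for _ in range(cycles):
        plate.equip(stats)
        plate.unequip(stats)
    return stats["intellect"]
```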
The Maypole Totem
⢠Flaws can be more sophisticatedâŚ
Totem
Area ofeffect
The Maypole Totem (2)
⢠World of Warcraft zone boundaries are normally small bottlenecks where combat doesnât take place. But in one area, two large plains join.
⢠Each plain handled by separate server, with hand-over protocol
Simulator A
Totem
Simulator B
Path B
Path A
+5
+5
-5
Daley Thompson's WoW Mod
• In the days of the ZX Spectrum, hammering the keys as fast as possible was a real test of skill!
• Meanwhile, in World of Warcraft, UI-Mods have gotten so good that all the skill is taken out…
Daley Thompson's WoW Mod (2)
• UI actions should be a single click away… Left click to heal, Right click to dispel, etc…
Daley Thompson's WoW Mod (3)
• WoW's Lua scripting language allows all sorts of interesting and useful stuff to be displayed
  – show my target's health
  – show my target's target
  – show the health of my target's target
  – etc
• Loads of functions
  – ActionButtonUp(), GetActionBarPage(), GetMouseButtonClicked(), IsEquippedAction(), PickupAction(), AcceptDuel(), TogglePVP(), LoadAddon(), CalculateAuctionDeposit(), PurchaseSlot(), SetBindingMacro(), GetPlayerBuff(), GetBlockChance(), GetContainerNumFreeSlots(), SplitContainerItem(), GetLootMethod(), GuildPromote(), EquipPendingItem(), etc.
• http://www.wowwiki.com/World_of_Warcraft_API
• Problem arose: it was easy to customise UI to assist player, but player could be over assisted, for instance automatic selection of target with lowest health, automatic healing using most efficient spell for the level of damage taken and the mana remaining.
Daley Thompson's WoW Mod (4)
• Solution: mark variables and code with metadata
• Make some variables only displayable to user, but cannot be used as a conditional
  – prevents sophisticated post-processing
• Make some actions only launchable if triggered by code traceable to a real human action (i.e. keypress or mouse click)
  – prevents "bot" automatically launching actions
http://www.wowwiki.com/Secure_Execution_and_Tainting
Daley Thompson's WoW Mod (5)
• But there are still ways to read variables…

Allowed:
// draw player health bar
int health=ProtectedGetHealth("player");
int max=GetMaxHealth("player");
writeName(x,y,"player");
drawBar(x,y, (health/max)*width, height);

Refused (exception raised by this conditional, for using protected variable):
// heal player if health goes too low
if ( ProtectedGetHealth("player") < 50 )
{
  nextAction=["heal","player"];
  triggerAction(nextAction);
}

Bypass (the protected value leaks through which iteration raises):
// heal player if health goes too low
int i, health;
for ( i=0; i<100; i++ )
{
  try
  {
    health=ProtectedGetHealth("player");
    int foo = 10 / (health-i);   // raises exactly when i == health
  }
  catch ( DivideByZeroError )
  {
    break;
  }
}
if ( i < 50 )
{
  nextAction=["heal","player"];
  triggerAction(nextAction);
}
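The divide-by-zero probe above works because the protection only blocks the protected value at the comparison, not at every place control flow can depend on it. As an added example (constructed for this page; neither the talk's code nor WoW's real tainting implementation), a value-level model of the "displayable but never a conditional" rule in which arithmetic on a Protected value stays Protected, while comparison, truthiness and use as a divisor (where a ZeroDivisionError would depend on the value) are refused; the rendering path still works. ProtectedGetHealth, the world dict and the function names are assumptions.

```python
# Added example (constructed; not the talk's code nor WoW's real implementation):
# a value-level model of "displayable but never a conditional". Arithmetic on a
# Protected value stays Protected; comparison, truthiness and divisor use are refused.
class SecureError(Exception): pass

class Protected:
    def __init__(self, value):
        self._v = value
    def _lift(self, other, op):
        o = other._v if isinstance(other, Protected) else other
        return Protected(op(self._v, o))
    def __add__(self, o): return self._lift(o, lambda a, b: a + b)
    def __sub__(self, o): return self._lift(o, lambda a, b: a - b)
    def __truediv__(self, o): return self._lift(o, lambda a, b: a / b)
    def __rtruediv__(self, o):   # "x / protected": an exception would leak the value
        raise SecureError("protected value as divisor")
    __rfloordiv__ = __rmod__ = __rtruediv__
    def __bool__(self):
        raise SecureError("protected value used as a conditional")
    def __lt__(self, o):
        raise SecureError("protected value used in a comparison")
    __gt__ = __le__ = __ge__ = __eq__ = __ne__ = __lt__
    def reveal_for_display(self):   # only the UI renderer unwraps, to draw a bar
        return self._v

def ProtectedGetHealth(unit, world):
    return Protected(world[unit])

def draw_health_bar(world, width=100):
    """Allowed: the value only flows into rendering."""
    frac = ProtectedGetHealth("player", world) / world["player_max"]
    return round(frac.reveal_for_display() * width)

def heal_if_low(world):
    """The slide's rejected addon logic: a protected value in a conditional."""
    try:
        return "heal" if ProtectedGetHealth("player", world) < 50 else "idle"
    except SecureError:
        return "refused"

def probe_health(world):
    """The slide's divide-by-zero probe; returns leaked health, or None if refused."""
    try:
        for i in range(100):
            _ = 10 / (ProtectedGetHealth("player", world) - i)
    except ZeroDivisionError:
        return i
    except SecureError:
        return None
```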
Daley Thompson's WoW Mod (6)
• And still ways to autonomously launch actions…

Allowed:
// cast spell when user hits "X"
if ( ProtectedGetKeyPress() == "X" )
{
  nextAction=["drinkPotion","player"];
  triggerAction(nextAction);
}

Refused (exception raised by this action, for not being linkable to keypress):
// drink potion every 5 mins
if ( timeSinceLastBonus > 5*60 )
{
  nextAction=["drinkPotion","player"];
  triggerAction(nextAction);
}

Bypass (and the user hammers away at X all night long, or sets a keyboard macro…):
// drink potion if health goes too low
if ( ProtectedGetKeyPress() == "X" )
{
  if ( timeSinceLastBonus > 5*60 )
  {
    nextAction=["drinkPotion","player"];
    triggerAction(nextAction);
  }
  if ( condition2 )
  {
    etc...
  }
}
Where Next?
⢠Second Life UI has gone open sourceâ http://secondlifegrid.net/programs/open_sourceâ In-game scripting language already integral part of
everyday activity in the game (creating stuff)â Network API is now there in the code to reviewâ Interesting consequences if Second Life server side
goes open (community hosted worlds, new physics laws, SL money implementation)
⢠EVE-Onlineâs GUI is pretty much entirely stackless python ⌠ripe for analysis.
Further Reading
⢠Dozens of academics researching virtual worlds
⢠Terra Nova Blogâ Castronova, Dibble, Hunter, Lastowka, Bartle, Burkeâ http://terranova.blogs.com
⢠IBM Netgames 2005â CCP, Eve Online Developers, Rekjavik
⢠Meâ http://www.cl.cam.ac.uk/~mkb23/â [email protected]