Networked Games
Lecture XX:
Securing Networked Games
CS 598: Network Security
Matthew Caesar
April 25, 2013
Today: Networked Games
• What are networked games?
• How are they designed and hosted?
• Security/Cheating in networked games
Overview of Networked Games
Online Games
• Computer games are a fast-growing business
– Revenues already twice that of movies
– MMORPG revenues alone are >$3 billion
• Spurred by popularity of Flash and Java
• Increasingly associated with online communities and social networks
• Varying business models
– Pay up front, advertising based, pay for unlocking content, virtual currency
Genres of Online Games
• FPS (First-person shooters)
– You control a gun/crosshair
– You shoot and kill other players doing the same
• MMORPG (Massively multi-player on-line role-playing games)
– You control an avatar
– You kill other avatars to gain loot and power
• RTS (Real-time strategy)
– You control an army
– You go head-to-head against another player’s army
Popular FPS Games
• Half-Life/Counter-Strike (1/2), Battlefield (2 & 2142)
• Wolfenstein: Enemy Territory, Call of Duty (1/2)
Popular MMORPG Games
• World of Warcraft, Lineage (1 & 2)
• Runescape, Final Fantasy XI, EverQuest (1 & 2)
Popular RTS Games
• Warcraft 3/Starcraft, Age of Empires
• Warhammer 40000, Command & Conquer 3
Challenges in Network Game Design
• Need for consistent views across players
– Player A thinks I got shot, but I didn’t see the bullet yet
• Large Scale: Extremely large numbers of clients
– Apple’s gaming platform has >67 million active users
• Clients can be malicious
– People sometimes cheat to win the game or make money
• Bandwidth-constrained clients
– Insufficient capacity, especially in upload direction
– Heterogeneous capacities across clients
Gaming architectures
• Hosted
– Racks of servers in data centers
– Example: OnLive (games on the cloud)
– Advantages: easier to manage and secure game, easier to guarantee resources, privacy of client data, compatible with advertising and content-unlocking business models
• Unhosted
– P2P sessions formed autonomously between clients
– Advantages: reduced hosting costs, avoids bandwidth bottlenecks, no need to trust/coordinate with game provider
• Hybrid
– Host only subsets of the game
– Best (or worst?) of both worlds
Idea #1: Constrain updates to Area of Interest (AOI)
• Observation: players only interact with other players within “Area of Interest” (AOI)
– Players within local area or field of view
• Idea:
– Restrict communication updates to other players within AOI
– Reduces bandwidth/computation overheads
– Problem: might not scale to large battles
[Figure label: AOIs]
Idea #2: Reduce update rate with Doppelgangers
• Observation: some players are more interesting than other players
– More important to get updates about guy about to shoot me than some guy I’m not even looking at
– Limitation of human cognition
• Humans focus on small set of players
• Idea: do lower-bandwidth updates for non-interesting players
– High-fidelity updates only for interesting players
[Figure labels: Doppelgangers, Interest Sets]
How to measure player interest?
• Lots of ways to do this
• One example approach (Donnybrook):
• Aij = Player i’s Attention value to Player j
– Weighted function of
• Proximity: dist(i,j)
• Aim: aij
• Recency of interaction: tij
• Render top-5 most interesting players with high fidelity
[Figure labels: Sniping, aij, dist(i,j)]
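A sketch of the attention ranking described on this slide, added here as an example and not taken from the lecture or from Donnybrook itself. The scoring formula, the equal weights, the recency half-life and the scene are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Player:
    name: str
    x: float
    y: float
    heading: float = 0.0   # radians; direction the crosshair points

# Assumed weights and scales: the slide only says "weighted function".
W_PROXIMITY, W_AIM, W_RECENCY = 1.0, 1.0, 1.0
RECENCY_HALF_LIFE = 5.0    # seconds

def attention(i, j, last_interaction, now):
    """A_ij: attention player i pays to player j (higher = more interesting)."""
    dx, dy = j.x - i.x, j.y - i.y
    proximity = 1.0 / (1.0 + math.hypot(dx, dy))          # from dist(i,j)
    # a_ij: angle between i's aim and the bearing to j, folded into [0, pi]
    a_ij = abs((math.atan2(dy, dx) - i.heading + math.pi) % (2 * math.pi) - math.pi)
    aim = 1.0 - a_ij / math.pi
    t_ij = last_interaction.get((i.name, j.name))         # time of last interaction
    recency = 0.0 if t_ij is None else 0.5 ** ((now - t_ij) / RECENCY_HALF_LIFE)
    return W_PROXIMITY * proximity + W_AIM * aim + W_RECENCY * recency

def interest_set(i, others, last_interaction, now, k=5):
    """Names of the k players that i should receive high-fidelity updates for."""
    ranked = sorted(others, key=lambda j: attention(i, j, last_interaction, now),
                    reverse=True)
    return [j.name for j in ranked[:k]]

# Constructed scene: "me" stands at the origin aiming along +x.
ME = Player("me", 0, 0, heading=0.0)
OTHERS = [
    Player("behind_near", -5, 0),       # close, but out of view
    Player("sniper_target", 200, 0),    # far away, dead centre in the crosshair
    Player("recent_attacker", 0, 50),   # hit me one second ago
    Player("side_a", 30, 30),
    Player("side_b", 40, -30),
    Player("far_behind", -300, 10),
]
LAST_INTERACTION = {("me", "recent_attacker"): 9.0}
NOW = 10.0
```

With these weights the distant player in the crosshair outranks the nearby player behind, which is the sniping case the slide's figure points at.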
Idea #3: Avoid imbalanced load by multicasting updates
• Interest sets significantly reduce bandwidth requirements
– But have heterogeneity in interest
• Problem: player “very interesting”
– Upload bandwidth limitations
• Solution:
– Forward through a subset of players
• E.g., randomly chosen from forwarding pool
– Can advertise membership information through control messages
[Figure labels: “Very” interesting player, Forwarding pool, Interested players, Capture The Flag]
Idea #4: Client-side lag compensation
• Observation: we can’t let clients decide their own position
– They could cheat
– Hence, server should be responsible for computing position
• Problem: delay between server updates
– Makes movement jumpy
• Idea: Client compensates via interpolation
– Client computes a smooth change in position between updates
Idea #5: Dead reckoning
• Problem: updates may get delayed or lost in the network
• Observation: we can predict the player’s position based on current position and velocity
• Idea: Dead reckoning
– Calculating player’s position based on previously observed position, estimated speed and course, and time since last update
– Client projects into future, or server rewinds into past, using linear physics
– Advantage: can hide delay/loss
– Disadvantage: errors/uncertainties are cumulative, grow with time
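The interpolation from Idea #4 and the dead reckoning from Idea #5, combined in one added example that is not part of the original lecture. The update format, the ground-truth path and the sample updates are constructed; the drift figures show the error growing with time once updates stop arriving.

```python
from dataclasses import dataclass

@dataclass
class Update:
    t: float      # server time of the sample (seconds)
    pos: tuple    # (x, y)
    vel: tuple    # (vx, vy) in units per second

def interpolate(a, b, t):
    """Idea #4: smooth position between two received updates a and b."""
    f = (t - a.t) / (b.t - a.t)
    return tuple(pa + f * (pb - pa) for pa, pb in zip(a.pos, b.pos))

def dead_reckon(last, t):
    """Idea #5: linear physics from one update. t > last.t projects into the
    future (client); t < last.t rewinds into the past (server)."""
    dt = t - last.t
    return tuple(p + v * dt for p, v in zip(last.pos, last.vel))

def render_position(history, t):
    """Interpolate when t is bracketed by updates, otherwise dead-reckon
    from the nearest end of the history (history is sorted by time)."""
    for a, b in zip(history, history[1:]):
        if a.t <= t <= b.t:
            return interpolate(a, b, t)
    return dead_reckon(history[-1] if t > history[-1].t else history[0], t)

def true_position(t):
    """Constructed ground truth: run east at 5 u/s, turn north at t = 1.0."""
    return (5.0 * t, 0.0) if t <= 1.0 else (5.0, 5.0 * (t - 1.0))

def drift(history, times):
    """Distance between the rendered and the true position at each time."""
    out = []
    for t in times:
        (px, py), (tx, ty) = render_position(history, t), true_position(t)
        out.append(round(((px - tx) ** 2 + (py - ty) ** 2) ** 0.5, 3))
    return out

# Constructed updates; everything after t = 1.0 is lost in the network.
HISTORY = [Update(0.0, (0.0, 0.0), (5.0, 0.0)),
           Update(1.0, (5.0, 0.0), (5.0, 0.0))]
```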
Cheating in Networked Games
Cheating
• Achilles heel of the PC gaming platform
– Must be fixed to compete with consoles
– Causes legitimate, paying players to quit
– Creates bad word-of-mouth to discourage new players
– Wrecks virtual economies in MMORPGs
• Why study cheating?
– Important problem in gaming
– Gives insights on how to secure large distributed systems
Types of cheats
• Information exposure
– Wallhacks (OGC), Maphacks (Warcraft 3), Chest hacks (showEQ)
• Automation
– Aimbot (OGC), Troop command macros (Warcraft 3), Auto-looting (WoW QuickLoot), AFK bots
• Protocol
– Reset cheat (Half-Life), Unit fabrication (Warcraft 3), Item duping (MMO), Speed hack (Half-Life), Hit point hack (Diablo), Disconnect cheat
• Game bugs
– Game-specific coding errors that lead to unintended behavior
Information exposure cheats
• Server or peer sends complete information to other client
– Cheat reveals information that should be hidden
• Wallhack
– Quake 4 – released 10/18/2005
– Call of Duty 2 – released 10/25/2005 (Server boycott due to cheats)
Information exposure cheats
• Maphack (reveal map and enemy units)
– Warcraft3 without Maphack
Information exposure cheats
• Maphack (reveal map and enemy units)
– Warcraft3 with Maphack
Information exposure cheats
• Chest hacks
– Information about what loot is available in map exposed
– Player goes straight to the locations with the best loot
Automation cheats
• Automate game activities via Bots
• Aimbots
– OGC
– Automate aiming in FPS
• Macros and game bot farming
– MacroQuest for EQ2
– Automate wealth acquisition via programs
Protocol cheats
• Hit point cheating
– Diablo protocol messages indicating damage done to enemy
– Inject messages with inflated damage to instantly kill opponent
• Item duping
– Disconnect while dropping item
– Ambiguity in whether event happened globally
• Speed hack
– Inject movement messages to make your character move or fire “faster” than normal
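The server-side counterpart to the hit point and speed cheats on this slide, as an added example that is not from the lecture or from any of the named games: the server checks every client message against rules it owns instead of trusting the values in the message. The message format, speed limit, weapon table and log are assumptions constructed for illustration.

```python
import math

# Assumed game rules for this sketch (not from the lecture).
MAX_SPEED = 7.0   # units per second
SLACK = 1.10      # tolerance for network and scheduling jitter
MAX_GAP = 0.25    # cap on credited time, so idle time cannot bank a teleport
WEAPONS = {"sword": {"max_damage": 40, "cooldown": 0.5}}  # hypothetical table

class PlayerState:
    """Authoritative per-player state held by the server."""
    def __init__(self, pos, t):
        self.pos, self.t, self.last_attack = pos, t, -math.inf

def validate(state, msg, recv_t):
    """Check one client message against server state. recv_t is the server's
    receive time, never a client-supplied timestamp. Returns a verdict and
    changes state only when the verdict is "ok"."""
    if msg["type"] == "move":
        dt = min(recv_t - state.t, MAX_GAP)
        if dt <= 0:
            return "reject: ordering"
        if math.dist(state.pos, msg["pos"]) > MAX_SPEED * SLACK * dt:
            return "reject: speed"
        state.pos, state.t = msg["pos"], recv_t
        return "ok"
    if msg["type"] == "attack":
        weapon = WEAPONS.get(msg["weapon"])
        if weapon is None:
            return "reject: unknown weapon"
        if not 0 <= msg["damage"] <= weapon["max_damage"]:
            return "reject: damage"
        if recv_t - state.last_attack < weapon["cooldown"]:
            return "reject: fire rate"
        state.last_attack = recv_t
        return "ok"
    return "reject: unknown type"

# Constructed message log: (server receive time, client message).
LOG = [
    (0.1, {"type": "move", "pos": (0.5, 0.0)}),
    (0.2, {"type": "move", "pos": (5.0, 0.0)}),    # 4.5 units in 0.1 s
    (0.3, {"type": "attack", "weapon": "sword", "damage": 35}),
    (0.5, {"type": "attack", "weapon": "sword", "damage": 35}),    # 0.2 s later
    (1.0, {"type": "attack", "weapon": "sword", "damage": 9999}),  # inflated
    (1.1, {"type": "move", "pos": (1.0, 0.0)}),
]

def run(log):
    state = PlayerState((0.0, 0.0), 0.0)
    return [validate(state, msg, t) for t, msg in log]
```

Rejected messages leave the authoritative state untouched, so the last move in the log is judged against the last accepted position rather than the rejected one.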
Types of cheats
• Information exposure
– Wallhacks: lets player see through opaque objects
– Maphacks: lets player see more of a level than intended by developer
– Chesthacks: information about what loot is available on map is exposed
• Automation
– Aimbot: helps target acquisition and automatically shoots opponent
– Troop command macros: replicates commands across units
– Auto-looting: helps grab items in area
– AFK bot: keeps session active or repeats task while “away from keyboard”
Types of cheats
• Protocol
– Reset cheat: return character to earlier state
– Unit fabrication: create new units/weapons
– Item duping: create a copy of an existing item
– Speed hack: adjust speed of game (e.g., slow down, run faster)
– Hit point hack: prevent HP from decrementing
– Disconnect cheat: guy about to lose can disconnect
• Game bugs
– Game-specific coding errors that lead to unintended behavior
Software methodology of cheats
• How they do it
– Proxy
• Use separate machine to modify network packets (aimproxies)
– Program external to game
• Separate process running at higher privilege level
• In-kernel modules
• Graphics/IO drivers (see-through drivers)
• Additional layer between game and Windows/DirectX
– Library that hijacks game calls
• Runs in address space of game
Software methodology of cheats
• How they hide from anti-cheats
– Ability to disassemble signatures being checked
• Polymorphism to thwart file and memory signatures
– Run in privileged mode or in-kernel to prevent anti-cheat from accessing it
– Automatic disable when anti-cheat code is about to run
– Automatic disable when new anti-cheat distributed
Anti-cheats
• HLGuard (United admins)
• Cheating Death (United admins)
• PunkBuster
• Warden
• Intel AMT
Anti-cheats
• Scanners
– Continuously scan memory and filesystem for foreign libraries and cheats
• Randomize to keep cheats honest
• Steam and VAC, PunkBuster
• Heuristics not perfect: Steam and modified OpenGL drivers
• Remote screenshot
– Provide a facility for dumping a player’s screen remotely
• PunkBuster
Anti-cheats
• Authentic peripherals
– Trusted keyboard/mouse clicks
• Hardware signing its movement and clicks
– Trusted network output
• Cryptographic timestamping/ordering
• Prevent look-ahead cheats
• Continuous player performance monitoring
– HLGuard
• Machine learning of reasonable human reaction time
• Ban those who react too fast
• Prone to false positives
– Cal-I (Cyberathlete league) players
Cheating links
• General
– http://rpgexploits.com
– http://msxsecurity.com
– http://zerogamers.com
• WoW
– WoW Glider
• http://wowglider.com
– WoW radar, WoW Sharp, ByteBot, GALB
– WardenNet, ISXWarden (anti-anti-cheats)
• http://ismods.com/warden
• http://edgeofnowhere.cc/viewtopic.php?t=311208
• http://www.rootkit.com/newsread.php?newsid==360
– ISXWoW
• http://ismods.com/downloads.php
Cheating links
• Half-Life
– OGC
• http://mpcdownloads.com
• http://www.mpcforum.com/showthread.php?t=31409
• EverQuest 2
– MacroQuest
• http://sourceforge.net/projects/macroquest
Anti-cheat links
• WoW Warden
– http://www.ismods.com/warden
• PunkBuster
– http://punkbuster.com
• Valve Anti-Cheat (VAC)
– http://server.counterstrike.net/server.php?cmd=VAC
• HLGuard, Cheating-Death
– http://unitedadmins.com
• Intel’s AMT
– http://www.intel.com/go/iamt/