Security Issues in Online Games - Kent State University


Security Issues in Online Games

Ref: Jianxin Jeff Yan and Hyun-Jin Choi, http://www.cigital.com/presentations/eog07/ - Gary McGraw
Presenter: Sagar Panchariya

Introduction

Although game development often utilizes cutting-edge technology in computer graphics, artificial intelligence, human-computer interaction and programming, game providers do not pay much attention to security techniques. The traditional target of computer game security was mainly copy protection; however, in modern games the focus should also be on discouraging cheating, to protect the legitimate customer base.

Overview

• Online games (like World of Warcraft) have 500,000 simultaneous users on six continents
• 8,000,000 people play WoW
• 12,000,000+ play MMORPGs
• Clients and servers are massively distributed
• MMORPGs push the limits of software technology
• Modern distributed systems in other domains are evolving toward similar models: SOA, Web 2.0

USD to WoW Gold Conversion

Money

• One game (WoW), a massively multiplayer online role-playing game, has over 8,000,000 subscribers
• $14 * 8M = 112M * 12 = $1.344B
• A healthy middle market exists for pretend stuff
• Cheating pays off

Trinity

State Synchronization Fat client Extensibility

What is Cheating

There is no generally accepted definition of what a cheat is. Different games use different criteria to define cheating. It is difficult to distinguish between smart play using strategies and play using some unfair advantage. Example: camping (sniping) behavior is fair; however, using macros to give a sniping gun the rate of fire of a machine gun is unfair. Any behavior that a player may use to get an unfair advantage, or to achieve a target that he is not supposed to, is cheating.

A Taxonomy of Online Cheating by Pritchard

• Reflex Augmentation: exploiting a computer program to replace human reaction to produce superior results
• Authoritative Clients: exploiting compromised clients to send modified commands to the other honest clients, who blindly accept them
• Information Exposure: exploiting access or visibility to hidden information by compromising client software
• Compromised Servers: modifying server configurations to get unfair advantages
• Bugs and Design Loopholes: exploiting bugs or design flaws in game software
• Environmental Weaknesses: exploiting particular hardware or operating conditions

Other techniques of cheating

• Cheating by collusion: using a group of two or more to cheat others.
• Cheating by abusing procedure or policy: e.g., escaping in ranking games whenever he/she is about to lose.
• Cheating related to virtual assets: trade cheating has been noticed recently.
• Cheating by compromising passwords.
• Cheating related to internal misuse: e.g., an insider was fired in Korea because he abused his privilege to generate a super character by modifying the game database.

Cheating contd.

Cheating by modifying game software or data: Many tools are available for cheaters to modify either program files or memory. Cheaters may use debuggers to reverse engineer game programs and customize them to get various unfair advantages. Example: they may remove validation routines, modify configuration parameters, or change the weapons' loading time.

Cheating contd.

Memory scanning tools such as Game buster are developed to help cheaters look for critical variables in memory. With the help of these, cheaters do not have to modify game files; they just have to modify the memory values at runtime.

Solution: One option is to encrypt files and memory values all the time. Another is to modify the design so that some variables are kept on the server. Security protocols can also be designed to validate software and critical data in an encrypted way.

Cheating and Hacking Opportunities Summarized

Cheating mitigation

Mechanisms such as encryption, authentication, integrity checking, digital signatures and cryptographic protocols can all find plenty of applications in online games. A systematic approach is needed to mitigate online cheating. Some means are required to prevent cheating from happening in the first place, and others are needed to detect cheating after it happens. Pure technical mechanisms cannot provide a complete solution; management and policy means are also needed.

Cheating mitigation contd.

• Some game providers proposed to use experienced game developers to police their online games by randomly monitoring player behaviors.
• A cheating detection engine can be designed and implemented as one built-in component of each game's software. A carefully designed built-in cheating detection engine will provide a cheap alternative.
• It can automatically detect and prevent many cheating behaviors by monitoring critical game events and variables.
• This engine can be shared by different games, though triggering events may be specific to each game.

Cheating mitigation contd.

• Making players security aware: Game providers need to educate players about security, e.g., what potential security threats exist, and what to do when they face a potential security threat.
• Fair trading: This fair trading of virtual assets can be achieved by introducing a trusted third party (TTP). Players may negotiate deals by themselves, and then pass their items to the TTP

Cheating mitigation contd.

• Bug patching approach: The traditional bug patching approach in security still works here.
• An active complaint-response channel: A complaint channel should be maintained, so that players can report new bugs, potential cheating or cheaters. Game providers should provide prompt responses to complaints from players. Otherwise, the enthusiasm of players will be hurt.
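The built-in cheating detection engine described earlier, sketched as an added example that is not part of the original slides: a game-independent core dispatches events to game-specific rules. The event fields, weapon names, limits and scoring values are assumptions made up for the illustration.

```python
class DetectionEngine:
    """Game-independent core: dispatches each event to the rules for its kind."""
    def __init__(self, rules):
        self.rules = rules     # event kind -> list of rule callables
        self.alerts = []       # (time, player, reason)

    def feed(self, event):
        for rule in self.rules.get(event["kind"], []):
            reason = rule(event)   # a rule returns a reason string or None
            if reason:
                self.alerts.append((event["t"], event["player"], reason))

def shooter_rules(min_interval, points_per_kill):
    """Game-specific part: triggering events and limits for a hypothetical shooter."""
    last_shot = {}   # (player, weapon) -> time of previous shot
    score = {}       # authoritative score, kept on the server

    def fire_rate(ev):
        key = (ev["player"], ev["weapon"])
        prev, last_shot[key] = last_shot.get(key), ev["t"]
        if prev is not None and ev["t"] - prev < min_interval[ev["weapon"]]:
            return f"{ev['weapon']} fired {ev['t'] - prev:.2f}s after previous shot"

    def count_kill(ev):   # bookkeeping only, never alerts
        score[ev["player"]] = score.get(ev["player"], 0) + points_per_kill

    def score_matches(ev):
        server = score.get(ev["player"], 0)
        if ev["score"] != server:
            return f"client score {ev['score']} != server score {server}"

    return {"fire": [fire_rate], "kill": [count_kill], "report_score": [score_matches]}

# Constructed sample events (t = server receive time in seconds).
EVENTS = [
    {"t": 0.0, "player": "alice", "kind": "fire", "weapon": "sniper_rifle"},
    {"t": 1.6, "player": "alice", "kind": "fire", "weapon": "sniper_rifle"},
    {"t": 2.0, "player": "bob", "kind": "fire", "weapon": "sniper_rifle"},
    {"t": 2.1, "player": "bob", "kind": "fire", "weapon": "sniper_rifle"},
    {"t": 2.1, "player": "bob", "kind": "kill"},
    {"t": 9.0, "player": "bob", "kind": "report_score", "score": 900},
]

def run_demo():
    engine = DetectionEngine(shooter_rules({"sniper_rifle": 1.5, "machine_gun": 0.1}, 100))
    for ev in EVENTS:
        engine.feed(ev)
    return engine.alerts
```

Only the rule set changes from game to game; the engine and the alert format stay the same, which is what lets one engine be shared across titles.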

Cheating mitigation contd.

Logging and audit trails: Logging and audit trails provide not only good protection against insider cheating, but also a unique solution for dealing with some cheats, e.g., the scoring cheat.

Post-detection mechanisms: Cheaters should be punished by disciplinary means, and the victim's damage unfairly caused by cheating should be restored. A checkpoint mechanism can be used for this recovery.
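One way to make such an audit trail resistant to insider edits, as an added example that is not from the original slides: each score event is chained to the previous one with an HMAC, so a modified or deleted entry is located on verification, and replaying the verified log gives the scores to restore. The record fields and the key-handling arrangement are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32   # tag that precedes the first entry

def _tag(key, prev_tag, record):
    """HMAC over the previous tag plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()

def append(log, key, record):
    """Append a record, chaining it to the tag of the previous entry."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(key, prev, record)})

def first_bad_entry(log, key):
    """Return the index of the first entry whose tag does not verify, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return i
        prev = entry["tag"]
    return None

def replay_scores(log):
    """Recompute every player's score from the logged events (basis for restoring)."""
    scores = {}
    for entry in log:
        rec = entry["record"]
        scores[rec["player"]] = scores.get(rec["player"], 0) + rec["delta"]
    return scores

# Assumption: the key is held by a separate logging service, not by database operators.
KEY = b"constructed-demo-key"

def build_log():
    """Constructed sample trail of three score events."""
    log = []
    for rec in [
        {"player": "alice", "delta": 100, "reason": "kill"},
        {"player": "bob", "delta": 100, "reason": "kill"},
        {"player": "alice", "delta": 50, "reason": "assist"},
    ]:
        append(log, KEY, rec)
    return log
```

A chain like this detects edits and deletions inside the log but not removal of the newest entries, so the latest tag should also be stored somewhere the insider cannot reach.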

All DDoS attacks discussed before also apply here, so those solutions also apply here.

Conclusion

The emergence of online games fundamentally changed the security requirements for computer games. In the new context, copy protection is not, at least not the only, security issue any more. Games are commonly regarded as one kind of distributed e-commerce application, but they have their own unique security challenges. All security mechanisms should be given serious thought; solutions developed in this domain also apply to other e-commerce applications.

Additional References:

http://www.cigital.com/papers/download/attack-trends-EOG.pdf
http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2007/n5&file=attack.xml&;jsessionid=J10JVBr8695GL1Gsj5nGy5dSwSgQqYWQm1Kg8MdjVvNyT47BJjSV!1201751879
http://cubist.cs.washington.edu/Security/2008/01/20/online-game-security/

Thank you
