Security APIs and Massively Multiplayer Games
Mike Bond, Cryptomathic Ltd.
ASA 2008, Pittsburgh, 26th June
This Talk
• Why?
– why study games?
• Where?
– what sort of games need help?
• What?
– what’s a security API got to do with gaming?
– what goes wrong? Example attacks
• How?
– how can the analysis community help?
Why?
• Massively Multiplayer Online Games (MMOGs) are big money
• Cheating/exploiting/unbalancing damages a game’s subscriber base
– undermines player achievement
– damages the player economy
– can facilitate “griefing”
– makes generated content less satisfying
Where?
• World of Warcraft
– Size (7 million+), demand for items
– Interesting tradeability/instancing model keeps economic demand up. Items can be unbound / bind-on-equip / bind-on-pickup, unique/non-unique/quest. It’s DRM on physical goods.
• Second Life
– In-game scripting, “not a game”, user-generated content. Socially oriented.
• Lineage series
– A national pastime in S. Korea, tens of millions of players (need local knowledge to analyse; my recollection sketchy)
• EVE Online
– case study
EVE Online
• The largest, most mature economy of any game
– 200,000 users in one shard (~5,000 per shard in WoW)
– Conquest oriented
– Typical group size 60-100, alliance 300-5,000
• Sink-or-swim game
– If you aren’t skilled, you can’t progress. If you can do politics you can get rich. If you can fight well (fighter-pilot skills and much research required), you get rich. If you have no skills you’ll find a dull job you can handle (hauling goods, mining). In other games, lack of skill can be countered by money.
• Most virtual economies have realistic faucets… human effort to extract natural resources
• The EVE economy has a natural economic sink… warfare
– Warfare for territorial conquest, to settle long-standing disputes
– Territory held permits (with effort) harvesting of resources
– Most wars are won or lost by the economic health of the combatants
Territorial Disputes
What?
• Just to recap… what is a security API?
“An API which enforces a policy on the user.”
MMOG APIs
(Diagram: the layers of an MMOG API stack, GUI, Scripting, Local State, Protocol and Packets, arranged from high-level to low-level; the kinds of interference at each level are labelled Tactic, Exploit and Hack; the upper layers are marked “mainly public”, the lower ones “mainly private”.)
What’s the Policy?
• You must not be able to… (grouped in the diagram by the API layer concerned)
– GUI: gain an unfair advantage; cause grief to other players
– Protocol: make money from nowhere; duplicate resources; travel faster than top speed; see through walls; become invulnerable
– Scripting: become Turing powerful; access forbidden I/O
Game Server APIs
(Diagram: the Game Client Engine (Scripting, 3D Graphics) talks to a set of Connection Handler Nodes; behind them sit Simulator Nodes, a Database Cluster, a Secure DB (money etc.) and Specialised Functions. The client-facing APIs are labelled “of direct concern”; the internal ones “indirectly accessible”.)
Some Example Attacks
• Dog Days of Duping
• The Stochastic Breastplate
• The Maypole Totem
• Daley Thompson’s WoW Mod
Dog Days of Duping
• EverQuest 2: a player called “Methical” discovers a duping exploit by accident…
– Puts a “gnomish thinking chair” on the market; it is then flagged as in escrow for sale
– Options remain… examine/destroy/place; he decides to place it down on the floor. It remains.
– A third party buys it off the market -> gets a fresh copy
• Methical industrialises his exploit, making thousands of dollars from gold sales (actually platinum in EQ2)
• Upgrades to duping the most valuable item, pet dogs called “haulaisian maulers” (best sell-to-NPC price)
• Soon the size of the industry gives it away…
Dog Days of Duping (2)
How to destroy the evidence?
Dog Days Decomposed
• Why didn’t the API preserve non-duplication properties?
– non-duplication is an obvious policy to implement
– the Clark/Wilson model has explicit invariants which are preserved by all transactions. Why not this too?
• A hypothetical explanation…
(Diagram of the hypothesised server-side API:)
– SimulatorNode: holds master information about 3D objects; oid=create(object, location), destroy(oid); buy, sell, place, examine, move, eat etc…
– Auction/MarketEngine: contains only textual representations of objects (for performance); id=register(itemName, amount), abort(id), buy(id)
– DatabaseCluster / SecureDB (money etc.): transact(from, to, amount)
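The hypothesis above, as an added example (not code from the talk, from EverQuest 2 or from any game): a market engine that holds only a textual copy of the listing, beside a version that freezes the simulator's object on register and transfers it on buy, with a Clark/Wilson-style audit that flags listed objects that are not in escrow. The component names and the register/abort/buy/create calls follow the slide's diagram; their bodies, and the item and account names, are my assumptions.

```python
"""Model of the hypothesised EQ2 duping flaw beside a fixed market engine.
Added example, not code from the talk or any game: the component names and
the register/abort/buy/create calls follow the slide's diagram; their
bodies and the item/account names are my assumptions."""
import itertools


class SecureDB:
    """Money ledger; transact() is the only way balances change."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transact(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class SimulatorNode:
    """Holds the master information about every 3D object."""

    def __init__(self):
        self._oids = itertools.count(1)
        self.objects = {}  # oid -> {"item", "owner", "state"}

    def create(self, item, owner):
        oid = next(self._oids)
        self.objects[oid] = {"item": item, "owner": owner, "state": "held"}
        return oid

    def place(self, oid, owner):
        """Put the object down on the floor; it is still the same object."""
        obj = self.objects[oid]
        if obj["owner"] != owner or obj["state"] == "escrow":
            raise PermissionError("not yours, or locked in escrow")
        obj["state"] = "placed"

    def count(self, item):
        return sum(1 for o in self.objects.values() if o["item"] == item)


class MarketEngine:
    """Stores only a textual copy of each listing (the slide's performance
    trade-off). lock_on_register=False reproduces the hypothesised flaw."""

    def __init__(self, sim, db, lock_on_register):
        self.sim, self.db, self.lock = sim, db, lock_on_register
        self._ids = itertools.count(1)
        self.listings = {}  # id -> {"seller", "oid", "item", "price"}

    def register(self, seller, oid, price):
        obj = self.sim.objects[oid]
        if obj["owner"] != seller:
            raise PermissionError("not the owner")
        if self.lock:
            obj["state"] = "escrow"  # fixed: freeze the simulator's copy
        lid = next(self._ids)
        self.listings[lid] = {"seller": seller, "oid": oid,
                              "item": obj["item"], "price": price}
        return lid

    def abort(self, lid):
        listing = self.listings.pop(lid)
        if self.lock:
            self.sim.objects[listing["oid"]]["state"] = "held"

    def buy(self, lid, buyer):
        listing = self.listings.pop(lid)
        self.db.transact(buyer, listing["seller"], listing["price"])
        if self.lock:  # fixed: hand over the existing object, mint nothing
            obj = self.sim.objects[listing["oid"]]
            obj["owner"], obj["state"] = buyer, "held"
            return listing["oid"]
        # flaw: the engine only knows the item's name, so it asks the
        # simulator for a fresh copy while the seller's original survives
        return self.sim.create(listing["item"], buyer)


def escrow_violations(sim, market):
    """Clark/Wilson-style invariant: every listed object must be in escrow
    in the simulator. Returns the oids that break it."""
    return [l["oid"] for l in market.listings.values()
            if sim.objects.get(l["oid"], {}).get("state") != "escrow"]


def run_methical(lock_on_register):
    """Replay the slide's sequence (list, place on floor, third party buys)
    and report chairs left in the world, whether the floor placement was
    accepted, violations seen while listed, and the final balances."""
    sim = SimulatorNode()
    db = SecureDB({"methical": 0, "buyer": 100})
    market = MarketEngine(sim, db, lock_on_register)
    chair = sim.create("gnomish thinking chair", "methical")
    lid = market.register("methical", chair, 50)
    violations = len(escrow_violations(sim, market))
    try:
        sim.place(chair, "methical")  # the step that should be refused
        placed = True
    except PermissionError:
        placed = False
    market.buy(lid, "buyer")
    return {"chairs": sim.count("gnomish thinking chair"), "placed": placed,
            "violations": violations, "balances": dict(db.balances)}
```

With the flaw, `run_methical(False)` reports two chairs: the placement succeeds and `buy` mints a fresh object. With `lock_on_register=True` the placement is refused, `buy` re-owns the existing oid, and the audit sees no listed object outside escrow; money moves identically in both cases, which is why a ledger-only audit never notices the dupe.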
The Stochastic Breastplate
• Stat boosting + PvP + unfair + rewards/betting = economic risk
• “Magic Breastplates of Cryptography” vary in strength, giving an intelligence boost of between 10 and 20.
• Cock-up in the implementation…
event BREASTPLATE_equip { intellect += 10 + rand() % 10; }
event BREASTPLATE_unequip { intellect -= 10 + rand() % 10; }
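The bug above beside a fix, as an added example (not code from the talk or any game; the 10 + rand() % 10 range is the slide's, everything else is mine). Because unequip re-rolls instead of reversing what equip added, each equip/unequip cycle moves intellect by the difference of two independent rolls, and a player who keeps cycling and stops when the walk is high enough ratchets the stat upward. The fix records the bonus actually granted on the character and subtracts exactly that.

```python
"""The 'Stochastic Breastplate' bug beside a fixed version. Added example,
not code from the talk or any game; the 10 + rand() % 10 bonus range is the
slide's, the class and function names are mine."""


class ScriptedRNG:
    """Stand-in RNG returning a fixed sequence, so runs are reproducible."""

    def __init__(self, rolls):
        self._rolls = list(rolls)

    def randrange(self, n):
        return self._rolls.pop(0) % n


class Character:
    def __init__(self, intellect, rng):
        self.intellect = intellect
        self.rng = rng
        self.applied = {}  # item -> bonus actually granted (fixed path only)

    # The slide's implementation: unequip rolls *again* instead of
    # reversing what equip added.
    def equip_buggy(self, item):
        self.intellect += 10 + self.rng.randrange(10)

    def unequip_buggy(self, item):
        self.intellect -= 10 + self.rng.randrange(10)

    # Fixed: roll once, remember the exact bonus, subtract that same value.
    def equip_fixed(self, item):
        if item in self.applied:
            raise ValueError("already equipped")
        bonus = 10 + self.rng.randrange(10)
        self.applied[item] = bonus
        self.intellect += bonus

    def unequip_fixed(self, item):
        self.intellect -= self.applied.pop(item)


def net_drift(cycles, buggy, rng):
    """Equip/unequip a breastplate `cycles` times; return the change in
    intellect relative to the starting value (a correct game gives 0)."""
    c = Character(100, rng)
    for _ in range(cycles):
        if buggy:
            c.equip_buggy("breastplate")
            c.unequip_buggy("breastplate")
        else:
            c.equip_fixed("breastplate")
            c.unequip_fixed("breastplate")
    return c.intellect - 100


def ratchet(target, rng, max_cycles=100_000):
    """Attacker strategy against the buggy code: keep cycling and stop as
    soon as intellect has drifted up by `target`. Returns the number of
    cycles used, or None if the cap was hit first."""
    c = Character(100, rng)
    for n in range(1, max_cycles + 1):
        c.equip_buggy("breastplate")
        c.unequip_buggy("breastplate")
        if c.intellect - 100 >= target:
            return n
    return None
```

Drive `ratchet` with a real `random.Random` to see the walk; the scripted RNG makes the worst case explicit: equip rolls 9, unequip rolls 0, and every cycle nets +9.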
The Maypole Totem
• Flaws can be more sophisticated…
(Diagram: a totem with a circular area of effect.)
The Maypole Totem (2)
• World of Warcraft zone boundaries are normally small bottlenecks where combat doesn’t take place. But in one area, two large plains join.
• Each plain is handled by a separate server, with a hand-over protocol.
(Diagram: the totem’s area of effect straddles the boundary between Simulator A and Simulator B; two player paths, Path A and Path B, cross the boundary; the stat changes along the way are annotated +5, +5, -5.)
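One way the +5 / +5 / -5 in the diagram can arise, as an added example (my model, not World of Warcraft's code or the talk's): each simulator tracks "is this player inside the aura" locally and applies +5 on entry and -5 on exit. If the hand-over carries position and stats but not the list of active effects, the receiving simulator sees the player "enter" the aura a second time, while the sending simulator never generates the exit because the player simply vanished from its table. The `transfer_effects` flag, the coordinates and the player name are my assumptions.

```python
"""A model of how a totem aura can be applied twice but removed once when
a player crosses a simulator boundary, matching the +5 / +5 / -5 in the
slide's diagram. Added example: the hand-over message, the flag that fixes
it and all names are my assumptions, not World of Warcraft's code."""
import math

BOUNDARY_X = 10.0        # x < 10 is Simulator A's plain, x >= 10 is B's
TOTEM = (10.0, 0.0)      # the totem stands on the boundary
RADIUS = 3.0
AURA_BONUS = 5


def in_aura(pos):
    return math.dist(pos, TOTEM) <= RADIUS


class Simulator:
    def __init__(self, name, transfer_effects):
        self.name = name
        self.transfer_effects = transfer_effects  # False reproduces the flaw
        self.players = {}  # name -> {"pos", "stat", "aura"}
        self.peer = None

    def owns(self, pos):
        return (pos[0] < BOUNDARY_X) == (self.name == "A")

    def spawn(self, name, pos, stat):
        self.players[name] = {"pos": pos, "stat": stat, "aura": False}
        self._apply_aura(name)

    def accept(self, name, record):
        """Receive a player handed over by the peer simulator."""
        if not self.transfer_effects:
            # flaw: only position and stats cross the boundary, so the
            # receiving side starts from "no aura applied" and re-applies it
            record = dict(record, aura=False)
        self.players[name] = record
        self._apply_aura(name)

    def move(self, name, pos):
        """Move a player; returns the simulator that owns them afterwards."""
        p = self.players[name]
        p["pos"] = pos
        if self.owns(pos):
            self._apply_aura(name)
            return self
        # hand-over: the player vanishes from this table, so this side
        # never sees them leave the aura and never subtracts the bonus
        del self.players[name]
        self.peer.accept(name, p)
        return self.peer

    def _apply_aura(self, name):
        p = self.players[name]
        now = in_aura(p["pos"])
        if now and not p["aura"]:
            p["stat"] += AURA_BONUS
        elif p["aura"] and not now:
            p["stat"] -= AURA_BONUS
        p["aura"] = now


def walk(path, transfer_effects, stat=100):
    """Walk one player along `path` (a list of (x, y)); return the stat
    change caused by each step."""
    a, b = Simulator("A", transfer_effects), Simulator("B", transfer_effects)
    a.peer, b.peer = b, a
    owner = a if a.owns(path[0]) else b
    owner.spawn("pilgrim", path[0], stat)
    deltas = []
    for pos in path[1:]:
        before = owner.players["pilgrim"]["stat"]
        owner = owner.move("pilgrim", pos)
        deltas.append(owner.players["pilgrim"]["stat"] - before)
    return deltas


# Constructed routes: one crosses the boundary inside the aura, one well clear
PATH_THROUGH_AURA = [(5.0, 0.0), (8.0, 0.0), (11.0, 0.0), (15.0, 0.0)]
PATH_CLEAR = [(5.0, 8.0), (8.0, 8.0), (11.0, 8.0), (15.0, 8.0)]
```

The fix here is to make the effect state part of the hand-over record so the receiving simulator treats the aura as already applied; the more general lesson is that any invariant ("bonus applied exactly once per aura") that two servers maintain independently needs to be re-established, not re-derived, at the seam between them.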
Daley Thompson’s WoW Mod
• In the days of the ZX Spectrum, hammering the keys as fast as possible was a real test of skill!
• Meanwhile, in World of Warcraft, UI mods have got so good that all the skill is taken out…
Daley Thompson’s WoW Mod (2)
• UI actions should be a single click away…
– Left click to heal
– Right click to dispel
– etc.
Daley Thompson’s WoW Mod (3)
• WoW’s Lua scripting language allows all sorts of interesting and useful stuff to be displayed
– show my target’s health
– show my target’s target
– show the health of my target’s target
– etc.
• Loads of functions
– ActionButtonUp(), GetActionBarPage(), GetMouseButtonClicked(), IsEquippedAction(), PickupAction(), AcceptDuel(), TogglePVP(), LoadAddon(), CalculateAuctionDeposit(), PurchaseSlot(), SetBindingMacro(), GetPlayerBuff(), GetBlockChance(), GetContainerNumFreeSlots(), SplitContainerItem(), GetLootMethod(), GuildPromote(), EquipPendingItem(), etc.
• http://www.wowwiki.com/World_of_Warcraft_API
• Problem arose: it was easy to customise the UI to assist the player, but the player could be over-assisted, for instance automatic selection of the target with the lowest health, or automatic healing using the most efficient spell for the level of damage taken and the mana remaining.
Daley Thompson’s WoW Mod (4)
• Solution: mark variables and code with metadata
• Make some variables displayable to the user only, not usable as a conditional
– prevents sophisticated post-processing
• Make some actions launchable only if triggered by code traceable to a real human action (i.e. keypress or mouse click)
– prevents a “bot” automatically launching actions
• http://www.wowwiki.com/Secure_Execution_and_Tainting
Daley Thompson’s WoW Mod (5)
• But there are still ways to read variables…

Permitted: a protected variable may be drawn
// draw player health bar
int health = ProtectedGetHealth("player");
int max = GetMaxHealth("player");
writeName(x, y, "player");
drawBar(x, y, (health / max) * width, height);

Refused: an exception is raised by this conditional, for using a protected variable
// heal player if health goes too low
if (ProtectedGetHealth("player") < 50)
{
  nextAction = ["heal", "player"];
  triggerAction(nextAction);
}

Still possible: recover the value through an exception oracle, then branch on the copy
// heal player if health goes too low
int health, i;
for (i = 0; i < 100; i++)
{
  try
  {
    health = ProtectedGetHealth("player");
    int foo = 10 / (health - i);
  }
  catch (DivideByZeroError)
  {
    break;
  }
}
if (i < 50)
{
  nextAction = ["heal", "player"];
  triggerAction(nextAction);
}
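The oracle on this slide, as an added example (my toy model, not Blizzard's secure-execution code or the talk's): a `Protected` wrapper refuses comparisons and boolean tests but permits arithmetic, because the health bar needs to scale the value. That is enough for the slide's loop, since a divide-by-zero inside permitted arithmetic is an exception the addon can catch, and the iteration at which it fires is the secret. The `strict` flag is the tightened rule: arithmetic on a protected value never raises a value-dependent exception, so the loop runs to the end and learns nothing. Class, function and flag names are my assumptions.

```python
"""Toy model of the slide's 'protected variable' rule and the exception
oracle that defeats it. Added example: not Blizzard's secure execution
code nor the talk's; the Protected class, the strict flag and the helper
names are my own."""


class TaintError(Exception):
    """Addon code used a protected value where the policy forbids it."""


class Protected:
    """A secret game value. Arithmetic is allowed (so a health bar can be
    scaled for display) but it can never drive a branch or a comparison.
    strict=True is the tightened rule: arithmetic on a protected value also
    never raises a value-dependent exception (a fault becomes NaN)."""

    def __init__(self, value, strict=False):
        self._v, self._strict = value, strict

    # --- forbidden uses: any attempt to branch on the value ----------------
    def _refuse(self, *_):
        raise TaintError("protected value used in a conditional")

    __bool__ = __lt__ = __le__ = __gt__ = __ge__ = __eq__ = __ne__ = _refuse

    # --- permitted arithmetic: the result stays protected ------------------
    def _lift(self, fn):
        try:
            return Protected(fn(self._v), self._strict)
        except ArithmeticError:
            if self._strict:
                return Protected(float("nan"), self._strict)  # no signal
            raise  # the leak: the exception depends on the secret

    def __sub__(self, other):
        return self._lift(lambda v: v - other)

    def __rsub__(self, other):
        return self._lift(lambda v: other - v)

    def __truediv__(self, other):
        return self._lift(lambda v: v / other)

    def __rtruediv__(self, other):
        return self._lift(lambda v: other / v)

    def render(self, fn):
        """Trusted-UI sink that turns the value into pixels. Assumed to be
        callable by the engine only, not by addon code."""
        return fn(self._v)


def draw_health_bar(health, max_hp, width):
    """The permitted use: scale the protected value for display."""
    return (health / max_hp).render(lambda frac: int(frac * width))


def naive_heal(health):
    """The refused use: branch on the protected value directly."""
    if health < 50:
        return "heal"
    return "idle"


def oracle(health):
    """The slide's loop: probe i = 0..99 and watch for a divide-by-zero."""
    for i in range(100):
        try:
            10 / (health - i)
        except ZeroDivisionError:
            return i
    return 100  # nothing recovered


def smart_heal(health):
    """Branch on the recovered copy instead; no TaintError is ever raised."""
    return "heal" if oracle(health) < 50 else "idle"


def refused(fn, *args):
    """True if calling fn(*args) is blocked by the taint rule."""
    try:
        fn(*args)
    except TaintError:
        return True
    return False
```

The general point the strict mode illustrates: a taint rule that only polices *where* a value flows is defeated by any operation whose control-flow effect (exception, timing, error message) depends on the value. Blocking the conditional is not enough; the permitted operations must be non-signalling too.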
Daley Thompson’s WoW Mod (6)
• And still ways to autonomously launch actions…

Permitted: cast when the user hits ‘X’
// cast spell when user hits 'X'
if (ProtectedGetKeyPress() == 'X')
{
  nextAction = ["drinkPotion", "player"];
  triggerAction(nextAction);
}

Refused: an exception is raised by this action, for not being linkable to a keypress
// drink potion every 5 mins
if (timeSinceLastBonus > 5*60)
{
  nextAction = ["drinkPotion", "player"];
  triggerAction(nextAction);
}

Still possible: move the decision logic inside the keypress handler…
// drink potion if health goes too low
if (ProtectedGetKeyPress() == 'X')
{
  if (timeSinceLastBonus > 5*60)
  {
    nextAction = ["drinkPotion", "player"];
    triggerAction(nextAction);
  }
  if (condition2)
  {
    etc...
  }
}
… and the user hammers away at X all night long (or sets a keyboard macro)
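The bypass on this slide, as an added example (my model with invented names, not the WoW secure-execution code): the engine grants a one-shot right to launch a protected action only inside an input-event handler, so a timer-driven potion routine is blocked every time it fires. Putting the same cooldown test inside the X handler satisfies the rule, and a keyboard macro that presses X once a second turns the human trigger into a clock; the potion is then drunk exactly on schedule with no human decision involved.

```python
"""Model of the slide's 'actions only if traceable to a real keypress' rule
and the key-hammering bypass. Added example with invented names; not the
WoW secure-execution code."""


class TaintError(Exception):
    """A protected action was launched with no human input event behind it."""


class Engine:
    """Game-engine side. Only input events grant a one-shot right to
    trigger a protected action; timers and other callbacks get none."""

    def __init__(self):
        self.human_event = None
        self.clock = 0
        self.actions = []  # (time, action) actually launched
        self.blocked = 0

    def keypress(self, key, handler):
        self.human_event = key
        try:
            handler(self, key)
        finally:
            self.human_event = None

    def timer(self, handler):
        handler(self, None)

    def trigger_action(self, action):
        if self.human_event is None:
            self.blocked += 1
            raise TaintError("action not traceable to a human input event")
        self.actions.append((self.clock, action))


POTION_COOLDOWN = 5 * 60
last_potion = {"t": -POTION_COOLDOWN}  # addon-side state, module level


def cast_on_x(engine, key):
    """Permitted: drink when, and only when, the user presses X."""
    if key == "X":
        engine.trigger_action(("drinkPotion", "player"))


def potion_timer(engine, _key):
    """Refused: drink every 5 minutes with no human involved."""
    if engine.clock - last_potion["t"] >= POTION_COOLDOWN:
        try:
            engine.trigger_action(("drinkPotion", "player"))
            last_potion["t"] = engine.clock
        except TaintError:
            pass


def smart_on_x(engine, key):
    """The bypass: the decision lives inside the keypress handler, and the
    user (or a keyboard macro) hammers X all night."""
    if key == "X" and engine.clock - last_potion["t"] >= POTION_COOLDOWN:
        engine.trigger_action(("drinkPotion", "player"))
        last_potion["t"] = engine.clock


def simulate(handler, presses, seconds=1200):
    """Run `seconds` of game time. `presses` is the set of seconds at which
    X is pressed (a macro presses every second); on every other second the
    handler is offered to the timer instead. Returns (drunk, blocked)."""
    last_potion["t"] = -POTION_COOLDOWN
    engine = Engine()
    for t in range(seconds):
        engine.clock = t
        if t in presses:
            engine.keypress("X", handler)
        else:
            engine.timer(handler)
    return len(engine.actions), engine.blocked
```

The rule checks provenance of the *trigger*, not of the *decision*; the macro supplies an endless stream of legitimate triggers and the addon keeps the decision. Closing this needs either a cost attached to each human event (rate limits, or a per-press action budget) or a rule on what a handler may consult before acting, which is the same problem the previous slide's protected variables try to solve.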
Where Next?
• The Second Life UI has gone open source
– http://secondlifegrid.net/programs/open_source
– In-game scripting language already an integral part of everyday activity in the game (creating stuff)
– The network API is now there in the code to review
– Interesting consequences if the Second Life server side goes open (community-hosted worlds, new physics laws, the SL money implementation)
• EVE Online’s GUI is pretty much entirely Stackless Python… ripe for analysis.
Further Reading
• Dozens of academics researching virtual worlds
• Terra Nova blog
– Castronova, Dibble, Hunter, Lastowka, Bartle, Burke
– http://terranova.blogs.com
• IBM NetGames 2005
– CCP, EVE Online developers, Reykjavik
• Me
– http://www.cl.cam.ac.uk/~mkb23/
– [email protected]