Upload
dina-mckenzie
View
214
Download
1
Embed Size (px)
Citation preview
OpenConflict: Preventing OpenConflict: Preventing Real Time Map Hacks in Real Time Map Hacks in Online GamesOnline Games
Elie Bursztein, Mike Hamburg, Jocelyn Lagarenne, Dan Boneh(Stanford University)
IEEE Symposium on Security and Privacy 2011
1
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
2
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
3
Real-Time Strategy(RTS)Real-Time Strategy(RTS)Online gaming includes 64% of
gamers◦ RTS - 35.5%◦ First person shooter – 10.1%
RTS games◦ Player compete on a two-dimensional map
divided in to cells◦ Starcraft II: normally 24000 – 36000 cells
4
RTS GameRTS Game
5
Cheating in RTS gamesCheating in RTS gamesAbusing the resource system
◦ Find the location of resource value in memory
Hacking the unit listTampering with the map visibility
◦ Map hacking◦ Hardest to perform◦ Fully passive
Note: push approach v.s. pull approach6
Map HackingMap Hacking
7
Related WorkRelated WorkBattle of Botcraft fighting bots in
online games with human observational proofs.◦ ACMCCS (Nov, 2009)
Hacking world of warcraft: An exercise in advanced rootkit design.◦ Black Hat (2006)
Visual reverse engineering of binary and data files.◦ Visualization for Computer Security (2008)
8
ContributionContributionPresenting a generic attack tool
◦ KartographA generic defense against passive
attacks in RTS games◦ OpenConflict
Analyzed 1000 Starcraft II games
9
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
10
Adversarial Game Adversarial Game Instrumentation(AGI)Instrumentation(AGI)Past approaches:
debugger/decompiler
Memory attacks on virtually every game
11
Map DataMap DataEasiest
12
Map HackingMap HackingBased on memory changes
◦ The memory that contains unit positions only changes when units move
Reducing Memory Space Finding the visibility mapUnderstanding the visibility map
13
Reducing Memory SpaceReducing Memory SpaceStep1
◦ Launch the game◦ Read all memory pages of the process’s
main module which are marked as ReadWrite, Commit and Private
Step2◦ Move the camera, trigger actions
Without discovering any new parts of the map!
◦ Eliminate all the memory blocks that changed
14
Reducing Memory Reducing Memory Space(cont.)Space(cont.)Step3
◦ “Scout” an unknown area in game◦ Keep only the memory blocks that changed
Step4◦ Same as Step2
15
Finding the Visibility MapFinding the Visibility MapUse visualization techniques
◦ Create a “nonlinear” scouting pattern◦ Heat map representation
Difficulty:◦ Data types, Align
16
VisualizationVisualization
17
Visualization(cont.)Visualization(cont.)
18
Understanding the Visibility Understanding the Visibility MapMapHow the structure works?Diff-map analysis
◦ Snapshot & do something
19
Diff-Map with Heat MapDiff-Map with Heat Map
20
Unit Hacking and Network Unit Hacking and Network AnalysisAnalysisUnit: Smaller and more complex
structure◦ Produce units and observe memory
Network AnalysisD: Diff mapF: Fixed valueC: Counter valueD: Random value
21
D F C R
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
22
Game Hacking with Game Hacking with KartographKartographTake lots of memory:
◦ Twice game’s memory size◦ Work on 64-bit windows only
Test 15 games◦ Data structures changed radically
23
Map informationMap informationBitmap
Composite
24
Using the Game as a Map Using the Game as a Map HackHack
25
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
26
Preventing Passive Map Preventing Passive Map HacksHacksThreat model: passive eavesdropping
adversaries
Assume: P2p architecture
Pull approach◦ Cryptographic protocols?◦ Challenge: imperceptible latency!
27
Cast Study Starcraft IICast Study Starcraft IIWrote a crude “game engine”Analyzed 1000 Starcraft II replays(Top
players)◦ High number of actions per minute(APM)◦ Map size: 24320 ~ 36864 cells◦ Playable size: 15180 ~ 24640 cells◦ Game duration
28
Cast Study Starcraft Cast Study Starcraft II(cont.)II(cont.)Analyzed 1000 Starcraft II replays(Top
players)◦ Visibility
29
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
30
Our ApproachOur ApproachPrevent the passive map hackPull approach
◦ Each player’s machine only stores information that the player is authorized to see
Use an oblivious intersection protocol
31
Intersection ProtocolIntersection ProtocolDef:
◦ M be the set of all cells on the map◦ Each cell may contain units(including builds
and other objects)◦ Each unit has a visibility radius
◦ Union of all of Alice’s visibility regions gives the set of cells that Alice can see
◦ denote the set of map cells containing Bob’s unit
◦ for some data domain D
32
MVA
MUB
DUf BB :
A1
Intersection Intersection Protocol(cont.)Protocol(cont.)
33
B2B1
UA
VA
cell cell
UB1, also VA∩UB
Intersection Intersection Protocol(cont.)Protocol(cont.)1. Bob should learn nothing about VA
2. Alice should learn nothing about Ub other than VA∩UB
3. Alice learns the value of fB on VA∩UB but nothing about UB\VA
34
Oblivious FunctionOblivious FunctionG: A group of prime order qBob chooses a secret key k in [1,q-1] ,Alice chooses a random integer r in [1,q-1]Start:Alice send H1(v)r
Bob responds with H1(v)rk
Alice computes H1(v)k = H1(v)rkr-1
Computational Diffie-Hellman assumption tells that it is secure!
35
Compute Compute VVAA∩U∩UBB
36
Compute Compute VVAA∩U∩UBB (cont.) (cont.)(Bob)For each u in UB : a key ku = H2(H1(u)k)
Encrypt fB(u) using the key ku (authenticated encryption, AE)
(Alice)Alice obtain H1(v)k for all v in Va
Computes kv = H2(H1(v)k) for all v in Va
Test if one of the ciphertexts received from Bob decrypts correctly with kv
37
HypergridsHypergrids
38
A1
38
B2B1
UA
VA
cell cell
UB1, also VA∩UB
Hypergrids(cont.)Hypergrids(cont.)
39
Chaff and MultiplayerChaff and MultiplayerBasic protocol
◦ leaks to Bob the number cells in Alice’s visibility set VA
◦ Leaks to Alice the sum of the lengths of fB(u) for u in Ub
The queries H1(v)r are independent of the player being queried: broadcast
Compute H1(v)k is the only per-opponent work
40
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
41
Basic protocolBasic protocolCore i5 660 dual-core hyperthreaded
processor running at 3.33 GHzStandard NIST elliptic curves200 visibility hypertiles and 150 units
per player
A single exponentiation = a millisecond=> 750 milliseconds per playUnacceptable!
42
Elliptic CurveElliptic CurveMontgomery curve
Because p is a Mersenne prime◦ Very efficient implementation, 11-12us for
exponentiations on this curve
43
SecuritySecurityNeed to remain secure for an hourBest known algorithms take O( )
time to solve discrete logarithms
p = 261-1◦ 12 sec
p = 289-1 (speed up OpenConflict by 33%)◦ 72 machine-days
p = 2127-1 (OpenConflict)◦ 3,200 machine-years
44
q
MeasurementsMeasurementsv: visible grid hypertiles (about 30us)u: units (about 15us)
45
OUTLINEOUTLINEIntroduction and Related WorkA Generic Tool for Map HackingGame Hacking with KartographPreventing Passive Map Hack
◦ Case Study Starcraft IIDefending against Map HackingOpenConflictDiscussion and Conclusion
46
Preventing Active AttacksPreventing Active AttacksDetecting active attacks after the
game◦ Every client logs network traffic/actions
and then sends to other players periodically
◦ Upload to a central server to verify
Random number generator?◦ Commit a seed for a pseudorandom
generator at the beginning of the game◦ A central server to verify
47
ConclusionConclusionMap hacking and a defense system for
RTS games◦ Kartograph and OpenConflict
Security in online games is a fruitful area of research!
48