Page 1: OpenConflict: Preventing Real Time Map Hacks in Online Games

Elie Bursztein, Mike Hamburg, Jocelyn Lagarenne, Dan Boneh (Stanford University)

IEEE Symposium on Security and Privacy 2011

Page 2: OUTLINE
Introduction and Related Work
A Generic Tool for Map Hacking
Game Hacking with Kartograph
Preventing Passive Map Hack
◦ Case Study Starcraft II
Defending against Map Hacking
OpenConflict
Discussion and Conclusion

Page 4: Real-Time Strategy (RTS)
Online gaming includes 64% of gamers
◦ RTS – 35.5%
◦ First person shooter – 10.1%
RTS games
◦ Players compete on a two-dimensional map divided into cells
◦ Starcraft II: normally 24000 – 36000 cells

Page 5: RTS Game

Page 6: Cheating in RTS games
Abusing the resource system
◦ Find the location of resource value in memory
Hacking the unit list
Tampering with the map visibility
◦ Map hacking
◦ Hardest to perform
◦ Fully passive
Note: push approach vs. pull approach

Page 7: Map Hacking

Page 8: Related Work
Battle of Botcraft: fighting bots in online games with human observational proofs.
◦ ACM CCS (Nov, 2009)
Hacking World of Warcraft: An exercise in advanced rootkit design.
◦ Black Hat (2006)
Visual reverse engineering of binary and data files.
◦ Visualization for Computer Security (2008)

Page 9: Contribution
Presenting a generic attack tool
◦ Kartograph
A generic defense against passive attacks in RTS games
◦ OpenConflict
Analyzed 1000 Starcraft II games

Page 11: Adversarial Game Instrumentation (AGI)
Past approaches: debugger/decompiler
Memory attacks on virtually every game

Page 12: Map Data
Easiest

Page 13: Map Hacking
Based on memory changes
◦ The memory that contains unit positions only changes when units move
Reducing Memory Space
Finding the visibility map
Understanding the visibility map

Page 14: Reducing Memory Space
Step 1
◦ Launch the game
◦ Read all memory pages of the process's main module which are marked as ReadWrite, Commit and Private
Step 2
◦ Move the camera, trigger actions
  Without discovering any new parts of the map!
◦ Eliminate all the memory blocks that changed

Page 15: Reducing Memory Space (cont.)
Step 3
◦ "Scout" an unknown area in game
◦ Keep only the memory blocks that changed
Step 4
◦ Same as Step 2

Page 16: Finding the Visibility Map
Use visualization techniques
◦ Create a "nonlinear" scouting pattern
◦ Heat map representation
Difficulty:
◦ Data types, alignment

Page 17: Visualization

Page 18: Visualization (cont.)

Page 19: Understanding the Visibility Map
How does the structure work?
Diff-map analysis
◦ Snapshot & do something

Page 20: Diff-Map with Heat Map

Page 21: Unit Hacking and Network Analysis
Unit: smaller and more complex structure
◦ Produce units and observe memory
Network Analysis
D: Diff map
F: Fixed value
C: Counter value
R: Random value

Page 23: Game Hacking with Kartograph
Takes lots of memory:
◦ Twice the game's memory size
◦ Works on 64-bit Windows only
Tested 15 games
◦ Data structures changed radically

Page 24: Map information
Bitmap
Composite

Page 25: Using the Game as a Map Hack

Page 27: Preventing Passive Map Hacks
Threat model: passive eavesdropping adversaries
Assume: P2P architecture
Pull approach
◦ Cryptographic protocols?
◦ Challenge: imperceptible latency!

Page 28: Case Study Starcraft II
Wrote a crude "game engine"
Analyzed 1000 Starcraft II replays (top players)
◦ High number of actions per minute (APM)
◦ Map size: 24320 ~ 36864 cells
◦ Playable size: 15180 ~ 24640 cells
◦ Game duration

Page 29: Case Study Starcraft II (cont.)
Analyzed 1000 Starcraft II replays (top players)
◦ Visibility

Page 31: Our Approach
Prevent the passive map hack
Pull approach
◦ Each player's machine only stores information that the player is authorized to see
Use an oblivious intersection protocol

Page 32: Intersection Protocol
Def:
◦ $M$ be the set of all cells on the map
◦ Each cell may contain units (including buildings and other objects)
◦ Each unit has a visibility radius
◦ Union of all of Alice's visibility regions gives the set $V_A \subseteq M$ of cells that Alice can see
◦ $U_B \subseteq M$ denote the set of map cells containing Bob's units
◦ $f_B : U_B \to D$ for some data domain $D$

Page 33: Intersection Protocol (cont.)
[Figure: map with Alice's unit A1 and Bob's units B1 and B2; labels: $U_A$ (cell), $V_A$, $U_{B1}$ (cell), also $V_A \cap U_B$]

Page 34: Intersection Protocol (cont.)
1. Bob should learn nothing about $V_A$
2. Alice should learn nothing about $U_B$ other than $V_A \cap U_B$
3. Alice learns the value of $f_B$ on $V_A \cap U_B$ but nothing about $U_B \setminus V_A$

Page 35: Oblivious Function
$G$: a group of prime order $q$
Bob chooses a secret key $k$ in $[1, q-1]$
Alice chooses a random integer $r$ in $[1, q-1]$
Start:
Alice sends $H_1(v)^r$
Bob responds with $H_1(v)^{rk}$
Alice computes $H_1(v)^k = \left(H_1(v)^{rk}\right)^{r^{-1}}$
The Computational Diffie-Hellman assumption implies that it is secure!

Page 36: Compute $V_A \cap U_B$

Page 37: Compute $V_A \cap U_B$ (cont.)
(Bob)
For each $u$ in $U_B$: a key $k_u = H_2(H_1(u)^k)$
Encrypt $f_B(u)$ using the key $k_u$ (authenticated encryption, AE)
(Alice)
Alice obtains $H_1(v)^k$ for all $v$ in $V_A$
Computes $k_v = H_2(H_1(v)^k)$ for all $v$ in $V_A$
Tests if one of the ciphertexts received from Bob decrypts correctly with $k_v$
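The blinded exchange from the Oblivious Function slide and the Bob/Alice steps above, run end to end, as an added Python example that is not from the slides or the OpenConflict code. Assumptions: the group is the subgroup of squares modulo the RFC 2409 Oakley Group 1 safe prime (the talk uses an elliptic curve), H1 and H2 are built from SHAKE-256 and SHA-256, seal/unseal are a toy encrypt-then-MAC standing in for a real AE scheme, and all function names and sample cells are hypothetical.

```python
import hashlib, hmac, secrets
# Assumption: stand-in group = squares mod the RFC 2409 Oakley Group 1 safe prime.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2                       # prime order q of the subgroup

def H1(cell):                          # hash a map cell into the subgroup
    h = hashlib.shake_256(repr(cell).encode()).digest(128)
    return pow(int.from_bytes(h, "big") % P, 2, P)
def H2(elem):                          # group element -> 32-byte symmetric key
    return hashlib.sha256(elem.to_bytes(96, "big")).digest()
def _xor(key, nonce, data):            # toy stream cipher (assumption, not real AE)
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, msg):                    # encrypt-then-MAC standing in for AE
    nonce = secrets.token_bytes(12)
    ct = _xor(key, nonce, msg)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):                 # None when the tag fails, i.e. wrong key
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _xor(key, nonce, ct) if hmac.compare_digest(tag, good) else None

def alice_query(VA):                   # Alice -> Bob: H1(v)^r per visible cell
    r = secrets.randbelow(Q - 1) + 1
    return r, [pow(H1(v), r, P) for v in VA]

def bob_reply(k, blinded, fB):         # Bob -> Alice: H1(v)^(rk), AE_{k_u}(fB(u))
    answers = [pow(x, k, P) for x in blinded]
    cts = [seal(H2(pow(H1(u), k, P)), data) for u, data in fB.items()]
    return answers, cts

def alice_finish(r, VA, answers, cts):
    r_inv = pow(r, -1, Q)              # unblind: (H1(v)^(rk))^(1/r) = H1(v)^k
    seen = {}
    for v, y in zip(VA, answers):
        kv = H2(pow(y, r_inv, P))
        for ct in cts:                 # try k_v against every ciphertext from Bob
            pt = unseal(kv, ct)
            if pt is not None:
                seen[v] = pt
    return seen

def run(VA, fB):                       # one round; sample inputs are constructed
    k = secrets.randbelow(Q - 1) + 1   # Bob's secret key in [1, q-1]
    r, blinded = alice_query(VA)
    return alice_finish(r, VA, *bob_reply(k, blinded, fB))
```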

Page 38: Hypergrids
[Figure: map with Alice's unit A1 and Bob's units B1 and B2; labels: $U_A$ (cell), $V_A$, $U_{B1}$ (cell), also $V_A \cap U_B$]

Page 39: Hypergrids (cont.)

Page 40: Chaff and Multiplayer
Basic protocol
◦ Leaks to Bob the number of cells in Alice's visibility set $V_A$
◦ Leaks to Alice the sum of the lengths of $f_B(u)$ for $u$ in $U_B$
The queries $H_1(v)^r$ are independent of the player being queried: broadcast
Computing $H_1(v)^k$ is the only per-opponent work

Page 42: Basic protocol
Core i5 660 dual-core hyperthreaded processor running at 3.33 GHz
Standard NIST elliptic curves
200 visibility hypertiles and 150 units per player
A single exponentiation = a millisecond
=> 750 milliseconds per play
Unacceptable!

Page 43: Elliptic Curve
Montgomery curve
Because p is a Mersenne prime
◦ Very efficient implementation, 11-12 µs for exponentiations on this curve

Page 44: Security
Need to remain secure for an hour
Best known algorithms take $O(\sqrt{q})$ time to solve discrete logarithms
$p = 2^{61}-1$
◦ 12 sec
$p = 2^{89}-1$ (speed up OpenConflict by 33%)
◦ 72 machine-days
$p = 2^{127}-1$ (OpenConflict)
◦ 3,200 machine-years

Page 45: Measurements
v: visible grid hypertiles (about 30 µs)
u: units (about 15 µs)

Page 47: Preventing Active Attacks
Detecting active attacks after the game
◦ Every client logs network traffic/actions and then sends to other players periodically
◦ Upload to a central server to verify
Random number generator?
◦ Commit a seed for a pseudorandom generator at the beginning of the game
◦ A central server to verify

Page 48: Conclusion
Map hacking and a defense system for RTS games
◦ Kartograph and OpenConflict
Security in online games is a fruitful area of research!