Ethics, MMORPGs, and Securing Online Games

Ethics in Gaming

• Why do we cheat?
• Why do we break things?
• How do game companies protect their intellectual property?
• The stakes are extraordinarily high, especially with MMORPGs. Why?
  • MMORPGs have pushed the limits computing and gaming
  • Over 12,000,000 players worldwide; 500,000 users simultaneously on 6 continents
  • Over 8,000,000 players for World of Warcraft alone. Do the math: $14 (subscription) * 8M = 112M * 12 (annually) = $1.344B / year. This does not include the client or add-ons!

What We Will Not Talk About

• Consoles and console games

Requirements of an Online Game

• Basic software architecture
  1. Create a new character
  2. Save that character (server side)
  3. Log in with the character
  4. Be able to chat with others
  5. Be able to navigate around in 3D
• Database: revisit flat file vs. RDBMS
• Some protocol for data transmission
• The game server and the game client
• Security --what did we learn today?
• Bandwidth
• $$$$

Designing an MMORPG

• One (fantasy) world with many (fantasy) characters
• Deployed on a client-server architecture
• Need to use all computing resources to the fullest
• Computing power (including bandwidth) is NOT unlimited. You CANNOT have a dynamic world

What Has Changed Over the Years

• Fewer custom graphics and game engine
• Middleware standardization
• Online presence required for most games
• Content distribution platforms such as Steam
• More content protection necessary
• Patch / update-hell
• Custom content automatically downloaded into game
• "I know what you did..." / "I can see what you play!"
• A lot more personal information stored on computers
• Plethora of online communities

What Has Not Changed Over the Years

• "Pretty sells"
• Piracy
• Players still look for hacks and cracks
• Game developers, especially at major studios, are constantly under severe time pressure. The worst time of the year?
• Testing is still "a low-hanging fruit"

Game Hacking 101

• Shady? It can be.
• ROM hacking
• Console modding
• Modding characters and levels (this can be perfectly legal)
• Game server manipulation
• Lurking: predictability and randomness

Why Are Online Games So Vulnerable?

• Lot of money to be made!
• The "trinity of trouble:" connectivity, complexity, and extensibility
  • Networking
  • Game engines (building games on top of other people's work, can you trust other people's work)
  • Scripting engines
• Legal issues are uncharted territory
• Mass-market appeal
• Homogenization
• Typically, games are patched, not the game engines!
• One exploit can potentially give bad guy access to your entire PC
  • Personal information
  • Payment information
  • Virtual assets
• Social engineering

Random Numbers

• Critical for games that require randomness (e.g., any gambling games including Poker and Blackjack)
• Example: java.util.Random (Java) and random (Python) are insecure => predictable based on time
• Generating secure random numbers in Java: java.security.SecureRandom - provides a cryptographically strong pseudo-random number generator (PRNG)
• An analysis on how to cheat in online poker (from Cigital, Inc.): http://www.cigital.com/papers/download/developer_gambling.php
• More reading:
  • Proper Use of Java's SecureRandom (from Cigital, Inc.)
  • PokerStars Random Number Generator (RNG)

Lawyers

• Piracy and privacy
• End Use License Agreements (EULA) hell. Do you know what you are agreeing to? Are you waiving some individual rights way?
• EULAs also govern your virtual-property rights
• The terms of use hell (a.k.a., how to get banned)
• Please note, advertising of commercial services and the sale or purchase of in-game items is specifically prohibited by the WoW EULA, similar to the restriction on using bot programs.
• Lawsuits have been filed by Blizzard (and they have won)
• Companies that advertise and sell virtual goods can also be sued for illegal spamming under the US Computer Fraud and Abuse Act. See "Blizzard vs. In Game Dollar"
• Digital Millennium Copyright Act of 1998 and the Induce Act (prohibits reverse engineering of software)
• Spyware and rootkits (now we are getting really "low")
  • Example: "The Warden" in World of Warcraft
    • The point: combat cheating
    • Reads all sorts of data from the gamer's PC, including the title bar of every window open, running processes, URLs, etc.
    • Runs about every 15 seconds; sends information back to Blizzard
    • The Governor, written by Greg Hoglund - A program that identifies what exactly the Warden is doing.
• Are virtual properties taxable?

Virtual Economies

• Exchange rates exist between in-game currency and real money. Visit Internet Gaming Entertainment (IGE)
• Currently, the market is over $6B
• In October 2005 a player paid $100,000 for the "Asteroid Space Resort" in Project Entropia (now Entropia Universe)
• Gold farming, particularly in China:
  • Sweatshops
  • Laborers work extremely long hours doing mundane game tasks, and sometimes even run bots
  • Better than working on a state-owned farm, and easier than making shoes!
  • Video: http://youtube.com/watch?v=ho5Yxe6UVv4
• Revenue is in real money!
• User base is huge target for malware

Malware and Exploits

• Account stealers such as Win32/Taterf
• Browser exploits through community sites
• Unofficial patches and tools (e.g., no-CD cracks, trainers, nude patches)
• Example (custom content):
  1. New character with script code. WTF?
  2. The script is executed with game permissions, i.e., as administrator or root
  3. What the script does: use your wildest imagination because the administrator can do anything to the system!
• Adobe Flash exploits via community websites and message boards. All your base are belong to us.

Advanced Gaming Hack-Fu

• Taking advantage of time-and-state errors galore => respawning
• Gold duplication
• Macros
• Scripting (for better or worse)
• Bots
• Reverse engineering the client: break it apart => find any software bugs and flaws => perhaps even fix the user interface => take advantage of what you find
• Manipulating memory
• Manipulating graphical rendering information
• Injecting new code into the client via DLL injection
• For online games, read all the packets via sniffer or proxy

Example 1: Full Compromise via QuickTime Vulnerability and Second Life

• Developed by researchers Charlie Miller and Dino Dai Zovi
• Compromise the host machine of any player whose avatar approaches an in-game object embedded with malicious multimedia content
• First, attacker creates a virtual object somewhere on his or her property and then associates a URL with the virtual object, indicating that a multimedia file is to be presented when this object is encountered.
• When a vulnerable player's avatar encounters this object in the virtual world, the malicious payload (from the multimedia content) is automatically downloaded, processed by the underlying QuickTime library, and the host machine is completely compromised.

Example 2: Exploiting In-Game Communication in Anarchy Online

• /../../../../Users/<user>/Desktop/ fun_script

Conclusion and Questions

• Online games are ripe and juicy targets for good reasons
• Games now have mass-market appeal
• The architecture of online games is very complex
• Too many dependencies in online games and also in the communities supporting the games
• A lot at stake
• Lots of uncharted territories and even no man's lands
• Cheating isn't going away, and methods are becoming more sophisticated
• Game developers and players need to be more security-conscious and educated
• Risk assessments necessary
• Very viable area of research
• What is your favorite game hack?
• What is your solution to reduce the vulnerabilities and exploits in online games?