Security APIs and Massively Multiplayer Games

Mike Bond, Cryptomathic Ltd.

ASA 2008, Pittsburgh, 26th June


This Talk

• Why?
  – why study games?

• Where?
  – what sort of games need help?

• What?
  – what’s a security API got to do with gaming?
  – what goes wrong? Example attacks

• How?
  – how can the analysis community help?

Why?

• Massively Multiplayer Online Games (MMOGs) are big money

• Cheating/Exploiting/Unbalancing damages a game’s subscriber base
  – undermines player achievement
  – damages player economy
  – can facilitate “griefing”
  – makes generated content less satisfying

Where?

• World of Warcraft (WoW)
  – Size (7 million+), demand for items.
  – Interesting tradeability/instancing model keeps economic demand up. Items can be unbound / bind-on-equip / bind-on-pickup, unique / non-unique / quest
  – It’s DRM on physical goods.

• Second Life
  – In-game scripting, “not a game”, user-generated content. Socially oriented.

• Lineage series
  – a national pastime in S. Korea, tens of millions of players (need local knowledge to analyse, my recollection sketchy)

• EVE Online
  – case-study

EVE Online

• The largest, most mature economy of any game
  – 200,000 users in one shard (~5000 per shard in WoW)
  – Conquest oriented
  – Typical group size 60-100, alliance 300-5,000

• Sink-or-swim game.
  – If you aren’t skilled, you can’t progress. If you can do politics you can get rich. If you can fight well (fighter-pilot skills and much research required), you get rich. If you have no skills you’ll find a dull job you can handle (hauling goods, mining). In other games, lack of skill can be countered by money.

• Most virtual economies have realistic faucets… human effort to extract natural resources

• EVE economy has a natural economic sink… warfare
  – Warfare for territorial conquest, to settle long-standing disputes
  – Territory held permits (with effort) harvesting of resources.
  – Most wars are won or lost by the economic health of the combatants.


Territorial Disputes

What?

• Just to recap… what is a security API?

“An API which enforces a policy on the user.”

MMOG APIs

[Diagram. Labels: GUI, Scripting, Local State, Protocol, Packets; High-level / Low-level; Tactic, Exploit, Hack; Mainly public / Mainly private]

What’s the Policy?

• You must not be able to…
  – gain an unfair advantage
  – cause grief to other players
  – make money from nowhere
  – duplicate resources
  – travel faster than top speed
  – see through walls
  – become invulnerable
  – become Turing powerful
  – access forbidden I/O

[Diagram labels: GUI, Protocol, Scripting]

Game Server APIs

[Diagram. Components: Game Client Engine, Scripting, 3D Graphics, Connection Handler Nodes, Simulator Nodes, Database Cluster, Secure DB (Money etc), Specialised Functions. Annotations: “These APIs of direct concern”, “These APIs indirectly accessible”]

Some Example Attacks

• Dog Days of Duping
• The Stochastic Breastplate
• The Maypole Totem
• Daley Thompson’s Wow Mod

Dog Days of Duping

• EverQuest 2: Guy called “Methical” discovers duping exploit by accident…
  – Put a “gnomish thinking chair” on the market, it is then flagged as in escrow for sale
  – Options remain… examine/destroy/place, he decides to place it down on the floor. It remains
  – Third party buys it off market -> gets fresh copy

• Methical industrialises his exploit, making thousands of dollars from gold sales (actually platinum in EQ2).

• Upgrades to duping the most valuable item, pet dogs called “Halasian maulers” (best sell-to-NPC price)

• Soon the size of the industry gives it away…


Dog Days of Duping (2)

How to destroy the evidence?

Dog Days Decomposed

• Why didn’t the API preserve non-duplication properties?
  – non-duplication is an obvious policy to implement
  – Clark/Wilson model has explicit invariants which are preserved by all transactions. Why not this too?

• A hypothetical explanation…

[Diagram. Components: Simulator Node, Database Cluster, Secure DB (Money etc), Auction/Market Engine. API calls shown: transact(from,to,amount); id=register(itemName,amount); abort(id); buy(id); oid=create(object, location); destroy(oid). Player actions: buy, sell, place, examine, move, eat etc… Annotations: “contains only textual representations of objects (for performance)”; “holds master information about 3D objects”]
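A toy model of the hypothetical explanation above, added here as an illustration (not code from the talk or from any game): a market that keeps only a text record and mints a fresh object on sale, next to a version where escrow is enforced on the master object so the item count is conserved. The class, the method names, the location strings and the assignment of the two diagram annotations to market and simulator are assumptions.

```python
import itertools

class World:
    """Simulator (master objects) plus market engine (text-only listings)."""
    def __init__(self, escrow_enforced):
        self.escrow_enforced = escrow_enforced
        self.objects = {}     # simulator: oid -> [name, location, in_escrow]
        self.listings = {}    # market: listing id -> (item name, seller's oid)
        self._ids = itertools.count(1)

    def create(self, name, location):
        oid = next(self._ids)
        self.objects[oid] = [name, location, False]
        return oid

    def list_for_sale(self, oid):
        self.objects[oid][2] = True            # flag the object as in escrow
        lid = next(self._ids)
        self.listings[lid] = (self.objects[oid][0], oid)
        return lid

    def place(self, oid, location):
        if self.escrow_enforced and self.objects[oid][2]:
            raise PermissionError("object is in escrow")
        self.objects[oid][1] = location

    def buy(self, lid, buyer):
        name, oid = self.listings.pop(lid)
        if self.escrow_enforced:
            self.objects[oid][1:] = [buyer, False]   # move the one master object
            return oid
        # Flawed: mint a copy from the text record; the original is destroyed
        # only if it is still where the market expects it.
        if self.objects[oid][1] == "seller_bag":
            del self.objects[oid]
        return self.create(name, buyer)

def copies_after_sale(escrow_enforced):
    """List an item, try to place it, sell it; return how many copies exist."""
    w = World(escrow_enforced)
    chair = w.create("gnomish thinking chair", "seller_bag")
    lid = w.list_for_sale(chair)
    try:
        w.place(chair, "seller_floor")
    except PermissionError:
        pass                                   # hardened API refuses the move
    w.buy(lid, "buyer_bag")
    return sum(1 for name, _, _ in w.objects.values()
               if name == "gnomish thinking chair")
```

The non-duplication invariant is simply that `copies_after_sale` returns 1; checking it after every transaction is the Clark/Wilson-style test the slide asks for.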

The Stochastic Breastplate

• Stat Boosting + PvP + Unfair + Rewards/Betting = Economic Risk

• “Magic Breastplates of Cryptography” vary in strength, having an intelligence boost of 10-20.

• Cock up in the implementation…

    event BREASTPLATE_equip
    {
        intellect += 10 + rand() % 10;
    }

    event BREASTPLATE_unequip
    {
        // re-rolls: not the value that was added on equip
        intellect -= 10 + rand() % 10;
    }
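The two handlers above roll independently, so an equip/unequip cycle does not return the stat to where it started. An added sketch (not code from the talk) puts that behaviour beside a version that records the rolled bonus on the item and removes exactly that amount; the class names and the scripted stand-in for `rand()` are assumptions.

```python
class Character:
    def __init__(self, intellect=100):
        self.intellect = intellect

class FlawedBreastplate:
    """Mirrors the slide: equip and unequip each roll independently."""
    def __init__(self, rng):
        self.rng = rng
    def equip(self, who):
        who.intellect += 10 + self.rng.randrange(10)
    def unequip(self, who):
        who.intellect -= 10 + self.rng.randrange(10)

class FixedBreastplate:
    """Rolls once when equipped and removes exactly that amount."""
    def __init__(self, rng):
        self.rng = rng
        self.applied = None
    def equip(self, who):
        if self.applied is not None:
            return                      # already worn: do not stack
        self.applied = 10 + self.rng.randrange(10)
        who.intellect += self.applied
    def unequip(self, who):
        if self.applied is None:
            return                      # not worn: nothing to remove
        who.intellect -= self.applied
        self.applied = None

class ScriptedRolls:
    """Stand-in for rand(): returns pre-chosen rolls so runs are repeatable."""
    def __init__(self, rolls):
        self._rolls = iter(rolls)
    def randrange(self, n):
        return next(self._rolls) % n

def net_change(item_cls, rolls, cycles=1):
    """Intellect change after equip/unequip cycles; 0 means it is conserved."""
    who, item = Character(), item_cls(ScriptedRolls(rolls))
    start = who.intellect
    for _ in range(cycles):
        item.equip(who)
        item.unequip(who)
    return who.intellect - start
```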

The Maypole Totem

• Flaws can be more sophisticated…

[Diagram: a totem and its area of effect]

The Maypole Totem (2)

• World of Warcraft zone boundaries are normally small bottlenecks where combat doesn’t take place. But in one area, two large plains join.

• Each plain handled by separate server, with hand-over protocol

[Diagram. Labels: Simulator A, Simulator B, Totem, Path A, Path B, +5, +5, -5]


Daley Thompson’s Wow Mod

• In the days of the ZX Spectrum, hammering the keys as fast as possible was a real test of skill!

• Meanwhile, in World of Warcraft, UI-Mods have gotten so good that all the skill is taken out…

Daley Thompson’s Wow Mod (2)

• UI actions should be a single click away…
  – Left click to heal
  – Right click to dispel
  – etc…

Daley Thompson’s Wow Mod (3)

• WoW’s Lua scripting language allows all sorts of interesting and useful stuff to be displayed
  – show my target’s health
  – show my target’s target
  – show the health of my target’s target
  – etc

• Loads of functions
  – ActionButtonUp(), GetActionBarPage(), GetMouseButtonClicked(), IsEquippedAction(), PickupAction(), AcceptDuel(), TogglePVP(), LoadAddon(), CalculateAuctionDeposit(), PurchaseSlot(), SetBindingMacro(), GetPlayerBuff(), GetBlockChance(), GetContainerNumFreeSlots(), SplitContainerItem(), GetLootMethod(), GuildPromote(), EquipPendingItem(), etc.

• http://www.wowwiki.com/World_of_Warcraft_API

• Problem arose: it was easy to customise UI to assist player, but player could be over-assisted, for instance automatic selection of target with lowest health, automatic healing using most efficient spell for the level of damage taken and the mana remaining.

Daley Thompson’s Wow Mod (4)

• Solution: mark variables and code with metadata

• Make some variables only displayable to user, but cannot be used as a conditional
  – prevents sophisticated post-processing

• Make some actions only launchable if triggered by code traceable to a real human action (i.e. keypress or mouse click)
  – prevents “bot” automatically launching actions

http://www.wowwiki.com/Secure_Execution_and_Tainting

Daley Thompson’s Wow Mod (5)

• But there are still ways to read variables…

    // heal player if health goes too low
    // (the protected value is recovered through the exception it triggers)
    int i;
    for (i = 0; i < 100; i++)
    {
        try
        {
            int health = ProtectedGetHealth("player");
            int foo = 10 / (health - i);   // divides by zero exactly when i == health
        }
        catch (DivideByZeroError)
        {
            break;                         // i now equals the player's health
        }
    }
    if (i < 50)
    {
        nextAction = ["heal", "player"];
        triggerAction(nextAction);
    }

    // draw player health bar
    int health = ProtectedGetHealth("player");
    int max = GetMaxHealth("player");
    writeName(x, y, "player");
    drawBar(x, y, (health * width) / max, height);

    // heal player if health goes too low
    if (ProtectedGetHealth("player") < 50)
    {
        nextAction = ["heal", "player"];
        triggerAction(nextAction);
    }

Exception raised by this conditional, for using protected variable
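The display-only rule from slide (4) and the divide-by-zero leak from slide (5), as an added Python sketch (not code from the talk or from WoW's API): `Protected` allows arithmetic and rendering but refuses comparisons, and `recover_by_faults` is the slide's loop reused as a test of whether faults still leak the value. The `mask_faults` option is an assumed mitigation chosen for the example, as are all names here.

```python
class TaintError(Exception):
    """Raised when protected data would influence control flow."""

class Protected:
    """Display-only integer: arithmetic is allowed, branching on it is not."""
    def __init__(self, value, mask_faults=False):
        self._v, self._mask = value, mask_faults

    def _wrap(self, v):
        return Protected(v, self._mask)      # results stay protected

    def render(self):
        return str(self._v)                  # display is the permitted sink

    def __sub__(self, other):
        return self._wrap(self._v - int(getattr(other, "_v", other)))

    def __rfloordiv__(self, other):          # handles: other // self
        if self._v == 0:
            if self._mask:
                return self._wrap(0)         # hardened: fault is not observable
            raise ZeroDivisionError          # naive: fault depends on the secret
        return self._wrap(other // self._v)

    def _deny(self, *_):
        raise TaintError("protected value used in a conditional")
    __bool__ = __eq__ = __ne__ = __lt__ = __le__ = __gt__ = __ge__ = _deny

def recover_by_faults(protected, limit=100):
    """The slide's loop: returns the recovered value, or None if nothing leaks."""
    for i in range(limit):
        try:
            10 // (protected - i)
        except ZeroDivisionError:
            return i
    return None

def comparison_is_blocked(protected):
    """True if using the value in a conditional raises TaintError."""
    try:
        protected < 50
    except TaintError:
        return True
    return False
```

Blocking the explicit conditional is not enough on its own: any operation whose failure depends on the protected value is an implicit flow and needs the same treatment.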

Daley Thompson’s Wow Mod (6)

• And still ways to autonomously launch actions…

    // drink potion every 5 mins, but only from inside the keypress handler
    if (ProtectedGetKeyPress() == 'X')
    {
        if (timeSinceLastBonus > 5*60)
        {
            nextAction = ["drinkPotion", "player"];
            triggerAction(nextAction);
        }
        if (condition2)
        {
            // etc...
        }
    }

and the user hammers away at X all night long (or sets a keyboard macro)…

    // drink potion when user hits 'X'
    if (ProtectedGetKeyPress() == 'X')
    {
        nextAction = ["drinkPotion", "player"];
        triggerAction(nextAction);
    }

    // drink potion every 5 mins
    if (timeSinceLastBonus > 5*60)
    {
        nextAction = ["drinkPotion", "player"];
        triggerAction(nextAction);
    }

Exception raised by this action, for not being linkable to keypress

Where Next?

• Second Life UI has gone open source
  – http://secondlifegrid.net/programs/open_source
  – In-game scripting language already integral part of everyday activity in the game (creating stuff)
  – Network API is now there in the code to review
  – Interesting consequences if Second Life server side goes open (community hosted worlds, new physics laws, SL money implementation)

• EVE-Online’s GUI is pretty much entirely Stackless Python … ripe for analysis.

Further Reading

• Dozens of academics researching virtual worlds

• Terra Nova Blog
  – Castronova, Dibbell, Hunter, Lastowka, Bartle, Burke
  – http://terranova.blogs.com

• IBM Netgames 2005
  – CCP, Eve Online Developers, Reykjavik

• Me
  – http://www.cl.cam.ac.uk/~mkb23/