OpenConflict - Advanced Defense Lab

OpenConflict: Preventing Real Time Map Hacks in Online Games
Elie Bursztein, Mike Hamburg, Jocelyn Lagarenne, Dan Boneh
(Stanford University)
IEEE Symposium on Security and Privacy 2011
1
OUTLINE
Introduction and Related Work
A Generic Tool for Map Hacking
Game Hacking with Kartograph
Preventing Passive Map Hack
◦ Case Study Starcraft II
Defending against Map Hacking
OpenConflict
Discussion and Conclusion

2
Real-Time Strategy (RTS)

Online gaming includes 64% of gamers
◦ RTS - 35.5%
◦ First person shooter – 10.1%

RTS games
◦ Players compete on a two-dimensional map divided into cells
◦ Starcraft II: normally 24000 – 36000 cells
4
RTS Game
5
Cheating in RTS games

Abusing the resource system
◦ Find the location of resource value in memory
Hacking the unit list
Tampering with the map visibility
◦ Map hacking
◦ Hardest to perform
◦ Fully passive
Note: push approach vs. pull approach
6
Map Hacking
7
Related Work

Battle of Botcraft: fighting bots in online games with human observational proofs.
◦ ACM CCS (Nov, 2009)

Hacking world of warcraft: An exercise in
advanced rootkit design.
◦ Black Hat (2006)

Visual reverse engineering of binary and
data files.
◦ Visualization for Computer Security (2008)
8
Contribution

Presenting a generic attack tool
◦ Kartograph

A generic defense against passive attacks
in RTS games
◦ OpenConflict

Analyzed 1000 Starcraft II games
9
Adversarial Game Instrumentation (AGI)

Past approaches: debugger/decompiler

Memory attacks on virtually every game
11
Map Data

Easiest
12
Map Hacking

Based on memory changes
◦ The memory that contains unit positions only
changes when units move
Reducing Memory Space
Finding the visibility map
Understanding the visibility map

13
Reducing Memory Space

Step1
◦ Launch the game
◦ Read all memory pages of the process’s main module which are marked as ReadWrite, Commit and Private

Step2
◦ Move the camera, trigger actions (without discovering any new parts of the map!)
◦ Eliminate all the memory blocks that changed
14
Reducing Memory Space(cont.)

Step3
◦ “Scout” an unknown area in game
◦ Keep only the memory blocks that changed

Step4
◦ Same as Step2
15
Finding the Visibility Map

Use visualization techniques
◦ Create a “nonlinear” scouting pattern
◦ Heat map representation

Difficulty:
◦ Data types, alignment
16
Visualization
17
Visualization(cont.)
18
Understanding the Visibility Map
How does the structure work?
Diff-map analysis
◦ Snapshot & do something
19
Diff-Map with Heat Map
20
Unit Hacking and Network Analysis

Unit: Smaller and more complex structure
◦ Produce units and observe memory
Network Analysis
D: Diff map
F: Fixed value
C: Counter value
R: Random value
21
Game Hacking with Kartograph

Takes lots of memory:
◦ Twice the game’s memory size
◦ Works on 64-bit Windows only

Tested 15 games
◦ Data structures changed radically
23
Map information

Bitmap

Composite
24
Using the Game as a Map Hack
25
Preventing Passive Map Hacks

Threat model: passive eavesdropping
adversaries

Assume: P2P architecture

Pull approach
◦ Cryptographic protocols?
◦ Challenge: imperceptible latency!
27
Case Study Starcraft II
Wrote a crude “game engine”
Analyzed 1000 Starcraft II replays (top players)
◦ High number of actions per minute (APM)
◦ Map size: 24320 ~ 36864 cells
◦ Playable size: 15180 ~ 24640 cells
◦ Game duration
28
Case Study Starcraft II (cont.)

Analyzed 1000 Starcraft II replays (top players)
◦ Visibility
29
Our Approach
Prevent the passive map hack
Pull approach
◦ Each player’s machine only stores information that the player is authorized to see

Use an oblivious intersection protocol
31
Intersection Protocol

Def:
◦ Let M be the set of all cells on the map
◦ Each cell may contain units (including buildings and other objects)
◦ Each unit has a visibility radius
◦ The union of all of Alice’s visibility regions gives the set VA ⊆ M of cells that Alice can see
◦ UB ⊆ M denotes the set of map cells containing Bob’s units
◦ fB : UB → D for some data domain D
32
Intersection Protocol(cont.)
[Figure: map grid of cells with labels UA, A1, B2, B1, VA, and "UB1, also VA∩UB"]
33
Intersection Protocol(cont.)
1. Bob should learn nothing about VA
2. Alice should learn nothing about UB other than VA∩UB
3. Alice learns the value of fB on VA∩UB but nothing about UB\VA
34
Oblivious Function
G: A group of prime order q
Bob chooses a secret key k in [1,q-1]
Alice chooses a random integer r in [1,q-1]
Start:
Alice sends H1(v)^r
Bob responds with H1(v)^(rk)
Alice computes H1(v)^k = (H1(v)^(rk))^(r^-1)
Under the Computational Diffie-Hellman assumption, this is secure!
35
Compute VA∩UB
36
Compute VA∩UB (cont.)
(Bob)
For each u in UB: derive a key ku = H2(H1(u)^k)
Encrypt fB(u) using the key ku (authenticated encryption, AE)
(Alice)
Alice obtains H1(v)^k for all v in VA
Computes kv = H2(H1(v)^k) for all v in VA
Tests if one of the ciphertexts received from Bob decrypts correctly with kv
37
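The oblivious function and the VA∩UB computation from the two slides above, end to end, as an added example that is not code from the slides or from OpenConflict. Assumptions: a toy group (the squares modulo a 64-bit safe prime found at import) stands in for the elliptic curve, the XOR-pad-plus-HMAC `seal`/`open_` pair stands in for a real AE scheme, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def is_prime(n):
    """Miller-Rabin for odd n > 37; these 12 bases are deterministic below 2**64."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True if base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2**i, n) != n - 1 for i in range(1, s))
    return not any(witness(a) for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37))

# Toy group G (assumption): the squares modulo a safe prime P = 2Q + 1 have prime order Q.
Q = next(q for q in range(2**62 + 1, 2**63, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1

def h1(cell):  # H1: hash a map cell into G (squaring lands in the order-Q subgroup)
    digest = hashlib.sha256(repr(cell).encode()).digest()
    return pow(int.from_bytes(digest, "big") % P, 2, P)

def h2(elem):  # H2: derive a 32-byte symmetric key from a group element
    return hashlib.sha256(b"H2" + elem.to_bytes(8, "big")).digest()

def seal(key, data):  # toy AE (assumption): XOR pad + HMAC tag, data <= 32 bytes
    ct = bytes(a ^ b for a, b in zip(data, hashlib.sha256(key + b"pad").digest()))
    return ct, hmac.new(key, ct, "sha256").digest()

def open_(key, ct, tag):  # plaintext, or None when the tag fails under this key
    ok = hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest())
    return seal(key, ct)[0] if ok else None  # XOR with the same pad decrypts

def bob_publish(k, units):  # units = {cell: fB(cell)}; ku = H2(H1(u)^k)
    return [seal(h2(pow(h1(u), k, P)), data) for u, data in units.items()]

def bob_answer(k, blinded):  # H1(v)^r -> H1(v)^(rk); Bob never sees v
    return [pow(x, k, P) for x in blinded]

def alice_intersect(visible, ask_bob, ciphertexts):
    r = secrets.randbelow(Q - 1) + 1           # fresh blinding exponent in [1, Q-1]
    answers = ask_bob([pow(h1(v), r, P) for v in visible])
    r_inv, found = pow(r, -1, Q), {}
    for v, ans in zip(visible, answers):
        kv = h2(pow(ans, r_inv, P))            # (H1(v)^(rk))^(1/r) = H1(v)^k
        for ct, tag in ciphertexts:
            data = open_(kv, ct, tag)
            if data is not None:
                found[v] = data
    return found
```

Alice recovers fB only for cells in VA∩UB; every other ciphertext fails its tag check under each key she can derive.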
Hypergrids
[Figure: map grid of cells with labels UA, A1, B2, B1, VA, and "UB1, also VA∩UB"]
38
Hypergrids(cont.)
39
Chaff and Multiplayer

Basic protocol
◦ Leaks to Bob the number of cells in Alice’s visibility set VA
◦ Leaks to Alice the sum of the lengths of fB(u) for u in UB
The queries H1(v)^r are independent of the player being queried: broadcast
Computing H1(v)^k is the only per-opponent work

40
Basic protocol
Core i5 660 dual-core hyperthreaded processor running at 3.33 GHz
Standard NIST elliptic curves
200 visibility hypertiles and 150 units per player

A single exponentiation = a millisecond
=> 750 milliseconds per play
Unacceptable!
42
Elliptic Curve

Montgomery curve

Because p is a Mersenne prime
◦ Very efficient implementation, 11-12us for
exponentiations on this curve
43
Security
Need to remain secure for an hour
Best known algorithms take O(√q) time to solve discrete logarithms

p = 2^61 - 1
◦ 12 sec

p = 2^89 - 1 (speed up OpenConflict by 33%)
◦ 72 machine-days

p = 2^127 - 1 (OpenConflict)
◦ 3,200 machine-years
44
Measurements
v: visible grid hypertiles (about 30us)
u: units (about 15us)

45
Preventing Active Attacks

Detecting active attacks after the game
◦ Every client logs network traffic/actions and
then sends to other players periodically
◦ Upload to a central server to verify

Random number generator?
◦ Commit a seed for a pseudorandom generator
at the beginning of the game
◦ A central server to verify
47
Conclusion

Map hacking and a defense system for
RTS games
◦ Kartograph and OpenConflict

Security in online games is a fruitful area
of research!
48