OpenConflict: Preventing Real Time Map Hacks in Online Games
Elie Bursztein, Mike Hamburg, Jocelyn Lagarenne, Dan Boneh (Stanford University)
IEEE Symposium on Security and Privacy 2011

OUTLINE
Introduction and Related Work
A Generic Tool for Map Hacking
Game Hacking with Kartograph
Preventing Passive Map Hack
  ◦ Case Study Starcraft II
Defending against Map Hacking
OpenConflict
Discussion and Conclusion

Real-Time Strategy (RTS)
Online gaming includes 64% of gamers
  ◦ RTS – 35.5%
  ◦ First person shooter – 10.1%
RTS games
  ◦ Players compete on a two-dimensional map divided into cells
  ◦ Starcraft II: normally 24000 – 36000 cells

RTS Game

Cheating in RTS games
Abusing the resource system
  ◦ Find the location of resource value in memory
Hacking the unit list
Tampering with the map visibility
  ◦ Map hacking
  ◦ Hardest to perform
  ◦ Fully passive
Note: push approach vs. pull approach

Map Hacking

Related Work
Battle of Botcraft: fighting bots in online games with human observational proofs.
  ◦ ACM CCS (Nov, 2009)
Hacking World of Warcraft: An exercise in advanced rootkit design.
  ◦ Black Hat (2006)
Visual reverse engineering of binary and data files.
  ◦ Visualization for Computer Security (2008)

Contribution
Presenting a generic attack tool
  ◦ Kartograph
A generic defense against passive attacks in RTS games
  ◦ OpenConflict
Analyzed 1000 Starcraft II games

Adversarial Game Instrumentation (AGI)
Past approaches: debugger/decompiler
Memory attacks on virtually every game

Map Data
Easiest

Map Hacking
Based on memory changes
  ◦ The memory that contains unit positions only changes when units move
Reducing Memory Space
Finding the visibility map
Understanding the visibility map

Reducing Memory Space
Step 1
  ◦ Launch the game
  ◦ Read all memory pages of the process’s main module which are marked as ReadWrite, Commit and Private
Step 2
  ◦ Move the camera, trigger actions, without discovering any new parts of the map!
  ◦ Eliminate all the memory blocks that changed

Reducing Memory Space (cont.)
Step 3
  ◦ “Scout” an unknown area in game
  ◦ Keep only the memory blocks that changed
Step 4
  ◦ Same as Step 2

Finding the Visibility Map
Use visualization techniques
  ◦ Create a “nonlinear” scouting pattern
  ◦ Heat map representation
Difficulty:
  ◦ Data types, alignment

Visualization

Visualization (cont.)

Understanding the Visibility Map
How does the structure work?
Diff-map analysis
  ◦ Snapshot & do something

Diff-Map with Heat Map

Unit Hacking and Network Analysis
Unit: smaller and more complex structure
  ◦ Produce units and observe memory
Network analysis
  ◦ D: Diff map
  ◦ F: Fixed value
  ◦ C: Counter value
  ◦ R: Random value

Game Hacking with Kartograph
Takes lots of memory:
  ◦ Twice the game’s memory size
  ◦ Works on 64-bit Windows only
Tested 15 games
  ◦ Data structures changed radically

Map information
Bitmap
Composite

Using the Game as a Map Hack

Preventing Passive Map Hacks
Threat model: passive eavesdropping adversaries
Assume: P2P architecture
Pull approach
  ◦ Cryptographic protocols?
  ◦ Challenge: imperceptible latency!

Case Study Starcraft II
Wrote a crude “game engine”
Analyzed 1000 Starcraft II replays (top players)
  ◦ High number of actions per minute (APM)
  ◦ Map size: 24320 ~ 36864 cells
  ◦ Playable size: 15180 ~ 24640 cells
  ◦ Game duration

Case Study Starcraft II (cont.)
Analyzed 1000 Starcraft II replays (top players)
  ◦ Visibility

Our Approach
Prevent the passive map hack
Pull approach
  ◦ Each player’s machine only stores information that the player is authorized to see
Use an oblivious intersection protocol

Intersection Protocol
Def:
  ◦ $M$ is the set of all cells on the map
  ◦ Each cell may contain units (including buildings and other objects)
  ◦ Each unit has a visibility radius
  ◦ The union of all of Alice’s visibility regions gives the set $V_A \subseteq M$ of cells that Alice can see
  ◦ $U_B \subseteq M$ denotes the set of map cells containing Bob’s units
  ◦ $f_B : U_B \to D$ for some data domain $D$

Intersection Protocol (cont.)
[Figure: map cells with units A1, B1 and B2 and the sets $U_A$, $V_A$, $U_B$ and $V_A \cap U_B$]

Intersection Protocol (cont.)
1. Bob should learn nothing about $V_A$
2. Alice should learn nothing about $U_B$ other than $V_A \cap U_B$
3. Alice learns the value of $f_B$ on $V_A \cap U_B$ but nothing about $U_B \setminus V_A$

Oblivious Function
$G$: a group of prime order $q$
Bob chooses a secret key $k$ in $[1, q-1]$; Alice chooses a random integer $r$ in $[1, q-1]$
Start:
  ◦ Alice sends $H_1(v)^r$
  ◦ Bob responds with $H_1(v)^{rk}$
  ◦ Alice computes $H_1(v)^{k} = H_1(v)^{rk \cdot r^{-1}}$
The Computational Diffie-Hellman assumption tells us that it is secure!

Compute $V_A \cap U_B$

Compute $V_A \cap U_B$ (cont.)
(Bob)
  ◦ For each $u$ in $U_B$: a key $k_u = H_2(H_1(u)^k)$
  ◦ Encrypt $f_B(u)$ using the key $k_u$ (authenticated encryption, AE)
(Alice)
  ◦ Alice obtains $H_1(v)^k$ for all $v$ in $V_A$
  ◦ Computes $k_v = H_2(H_1(v)^k)$ for all $v$ in $V_A$
  ◦ Tests whether one of the ciphertexts received from Bob decrypts correctly with $k_v$

Hypergrids
[Figure: map cells with units A1, B1 and B2 and the sets $U_A$, $V_A$, $U_B$ and $V_A \cap U_B$]

Hypergrids (cont.)

Chaff and Multiplayer
Basic protocol
  ◦ Leaks to Bob the number of cells in Alice’s visibility set $V_A$
  ◦ Leaks to Alice the sum of the lengths of $f_B(u)$ for $u$ in $U_B$
The queries $H_1(v)^r$ are independent of the player being queried: broadcast
Computing $H_1(v)^k$ is the only per-opponent work

Basic protocol
Core i5 660 dual-core hyperthreaded processor running at 3.33 GHz
Standard NIST elliptic curves
200 visibility hypertiles and 150 units per player
A single exponentiation = a millisecond => 750 milliseconds per play
Unacceptable!

Elliptic Curve
Montgomery curve
Because p is a Mersenne prime
  ◦ Very efficient implementation, 11-12us for exponentiations on this curve

Security
Need to remain secure for an hour
Best known algorithms take $O(\sqrt{q})$ time to solve discrete logarithms
$p = 2^{61}-1$
  ◦ 12 sec
$p = 2^{89}-1$ (speeds up OpenConflict by 33%)
  ◦ 72 machine-days
$p = 2^{127}-1$ (OpenConflict)
  ◦ 3,200 machine-years

Measurements
v: visible grid hypertiles (about 30us)
u: units (about 15us)

Preventing Active Attacks
Detecting active attacks after the game
  ◦ Every client logs network traffic/actions and then sends them to other players periodically
  ◦ Upload to a central server to verify
Random number generator?
  ◦ Commit a seed for a pseudorandom generator at the beginning of the game
  ◦ A central server to verify

Conclusion
Map hacking and a defense system for RTS games
  ◦ Kartograph and OpenConflict
Security in online games is a fruitful area of research!
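
The blinded exchange and trial decryption from the Oblivious Function and Compute $V_A \cap U_B$ slides, as an added Python example that is not code from the talk or from OpenConflict. Assumptions: the group (squares modulo the RFC 2409 Oakley Group 1 safe prime, in place of the talk's elliptic curve), the hash constructions used for H1 and H2, the HMAC-based stand-in for authenticated encryption, a fresh r per queried cell, and all function and class names.

```python
import hashlib, hmac, secrets

# Stand-in group (assumption): squares modulo the RFC 2409 Oakley Group 1 safe
# prime P = 2Q + 1, a group of prime order Q. The talk uses an elliptic curve.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def h1(cell):  # H1: map a cell (x, y) to a group element; squaring lands in the subgroup
    d = hashlib.shake_256(repr(cell).encode()).digest(128)
    return pow(int.from_bytes(d, "big") % P, 2, P)

def h2(elem):  # H2: group element -> 32-byte symmetric key
    return hashlib.sha256(elem.to_bytes(96, "big")).digest()

def _xor(key, data):  # keystream derived from a single-use key
    pad = hashlib.shake_256(key + b"enc").digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, msg):  # stand-in for a real AE scheme: encrypt, then HMAC the ciphertext
    ct = _xor(key, msg)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):  # returns the plaintext, or None if the tag does not verify
    ct, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest())
    return _xor(key, ct) if ok else None

class Bob:
    def __init__(self, units):  # units: {cell: data}, i.e. f_B defined on U_B
        self.k, self.units = secrets.randbelow(Q - 1) + 1, units
    def ciphertexts(self):  # AE(f_B(u)) under k_u = H2(H1(u)^k), order hidden by sorting
        return sorted(seal(h2(pow(h1(u), self.k, P)), d) for u, d in self.units.items())
    def evaluate(self, blinded):  # H1(v)^r -> H1(v)^(rk); Bob never sees v itself
        return [pow(b, self.k, P) for b in blinded]

def alice_intersect(visible, bob):  # returns f_B restricted to the cells in both V_A and U_B
    rs = [secrets.randbelow(Q - 1) + 1 for _ in visible]  # fresh blinding r per cell
    replies = bob.evaluate([pow(h1(v), r, P) for v, r in zip(visible, rs)])
    keys = {v: h2(pow(y, pow(r, -1, Q), P)) for v, y, r in zip(visible, replies, rs)}
    found = {}
    for blob in bob.ciphertexts():
        for v, key in keys.items():
            pt = unseal(key, blob)
            if pt is not None:
                found[v] = pt
    return found
```

Bob still sees how many cells Alice queried and Alice still sees the ciphertext lengths, which are the two leaks listed on the Chaff and Multiplayer slide.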