OpenConflict: Preventing Real Time Map Hacks in Online Games

1
OpenConflict Preventing Real Time Map Hacks in
Online Games

• Elie Bursztein, Mike Hamburg, Jocelyn Lagarenne,
  Dan Boneh
• (Stanford University)
• IEEE Symposium on Security and Privacy 2011

2
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

3
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

4
Real-Time Strategy(RTS)

• Online gaming includes 64 of gamers
• RTS - 35.5
• First person shooter 10.1
• RTS games
• Player compete on a two-dimensional map divided
  in to cells
• Starcraft II normally 24000 36000 cells

5
RTS Game
6
Cheating in RTS games

• Abusing the resource system
• Find the location of resource value in memory
• Hacking the unit list
• Tampering with the map visibility
• Map hacking
• Hardest to perform
• Fully passive
• Note push approach v.s. pull approach

7
Map Hacking
8
Related Work

• Battle of Botcraft fighting bots in online games
  with human observational proofs.
• ACMCCS (Nov, 2009)
• Hacking world of warcraft An exercise in
  advanced rootkit design.
• Black Hat (2006)
• Visual reverse engineering of binary and data
  files.
• Visualization for Computer Security (2008)

9
Contribution

• Presenting a generic attack tool
• Kartograph
• A generic defense against passive attacks in RTS
  games
• OpenConflict
• Analyzed 1000 Starcraft II games

10
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

11
Adversarial Game Instrumentation(AGI)

• Past approaches debugger/decompiler
• Memory attacks on virtually every game

12
Map Data

• Easiest

13
Map Hacking

• Based on memory changes
• The memory that contains unit positions only
  changes when units move
• Reducing Memory Space
• Finding the visibility map
• Understanding the visibility map

14
Reducing Memory Space

• Step1
• Launch the game
• Read all memory pages of the processs main
  module which are marked as
• ReadWrite, Commit and Private
• Step2
• Move the camera, trigger actions
• Without discovering any new parts of the map!
• Eliminate all the memory blocks that changed

15
Reducing Memory Space(cont.)

• Step3
• Scout an unknown area in game
• Keep only the memory blocks that changed
• Step4
• Same as Step2

16
Finding the Visibility Map

• Use visualization techniques
• Create a nonlinear scouting pattern
• Heat map representation
• Difficulty
• Data types, Align

17
Visualization
18
Visualization(cont.)
19
Understanding the Visibility Map

• How the structure works?
• Diff-map analysis
• Snapshot do something

20
Diff-Map with Heat Map
21
Unit Hacking and Network Analysis

• Unit Smaller and more complex structure
• Produce units and observe memory
• Network Analysis
• D Diff map
• F Fixed value
• C Counter value
• D Random value

D
F
C
R
22
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

23
Game Hacking with Kartograph

• Take lots of memory
• Twice games memory size
• Work on 64-bit windows only
• Test 15 games
• Data structures changed radically

24
Map information

• Bitmap
• Composite

25
Using the Game as a Map Hack
26
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

27
Preventing Passive Map Hacks

• Threat model passive eavesdropping adversaries
• Assume P2p architecture
• Pull approach
• Cryptographic protocols?
• Challenge imperceptible latency!

28
Cast Study Starcraft II

• Wrote a crude game engine
• Analyzed 1000 Starcraft II replays(Top players)
• High number of actions per minute(APM)
• Map size 24320 36864 cells
• Playable size 15180 24640 cells
• Game duration

29
Cast Study Starcraft II(cont.)

• Analyzed 1000 Starcraft II replays(Top players)
• Visibility

30
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

31
Our Approach

• Prevent the passive map hack
• Pull approach
• Each players machine only stores information
  that the player is authorized to see
• Use an oblivious intersection protocol

32
Intersection Protocol

• Def
• M be the set of all cells on the map
• Each cell may contain units(including builds and
  other objects)
• Each unit has a visibility radius
• Union of all of Alices visibility regions gives
  the set of cells that Alice can see
• denote the set of map cells containing Bobs
  unit
• for some data domain D

33
Intersection Protocol(cont.)
cell
cell
UA
B2
A1
B1
VA
UB1, also VAnUB
34
Intersection Protocol(cont.)

• 1. Bob should learn nothing about VA
• 2. Alice should learn nothing about Ub other than
  VAnUB
• 3. Alice learns the value of fB on VAnUB but
  nothing about UB\VA

35
Oblivious Function

• G A group of prime order q
• Bob chooses a secret key k in 1,q-1
• ,
• Alice chooses a random integer r in 1,q-1
• Start
• Alice send H1(v)r
• Bob responds with H1(v)rk
• Alice computes H1(v)k H1(v)rkr-1
• Computational Diffie-Hellman assumption tells
  that it is secure!

36
Compute VAnUB
37
Compute VAnUB (cont.)

• (Bob)
• For each u in UB a key ku H2(H1(u)k)
• Encrypt fB(u) using the key ku (authenticated
  encryption, AE)
• (Alice)
• Alice obtain H1(v)k for all v in Va
• Computes kv H2(H1(v)k) for all v in Va
• Test if one of the ciphertexts received from Bob
  decrypts correctly with kv

38
Hypergrids
cell
cell
UA
B2
A1
B1
VA
UB1, also VAnUB
38
39
Hypergrids(cont.)
40
Chaff and Multiplayer

• Basic protocol
• leaks to Bob the number cells in Alices
  visibility set VA
• Leaks to Alice the sum of the lengths of fB(u)
  for u in Ub
• The queries H1(v)r are independent of the player
  being queried broadcast
• Compute H1(v)k is the only per-opponent work

41
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

42
Basic protocol

• Core i5 660 dual-core hyperthreaded processor
  running at 3.33 GHz
• Standard NIST elliptic curves
• 200 visibility hypertiles and 150 units per
  player
• A single exponentiation a millisecond
• gt 750 milliseconds per play
• Unacceptable!

43
Elliptic Curve

• Montgomery curve
• Because p is a Mersenne prime
• Very efficient implementation, 11-12us for
  exponentiations on this curve

44
Security

• Need to remain secure for an hour
• Best known algorithms take O( ) time to solve
  discrete logarithms
• p 261-1
• 12 sec
• p 289-1 (speed up OpenConflict by 33)
• 72 machine-days
• p 2127-1 (OpenConflict)
• 3,200 machine-years

45
Measurements

• v visible grid hypertiles (about 30us)
• u units (about 15us)

46
OUTLINE

• Introduction and Related Work
• A Generic Tool for Map Hacking
• Game Hacking with Kartograph
• Preventing Passive Map Hack
• Case Study Starcraft II
• Defending against Map Hacking
• OpenConflict
• Discussion and Conclusion

47
Preventing Active Attacks

• Detecting active attacks after the game
• Every client logs network traffic/actions and
  then sends to other players periodically
• Upload to a central server to verify
• Random number generator?
• Commit a seed for a pseudorandom generator at the
  beginning of the game
• A central server to verify

48
Conclusion

• Map hacking and a defense system for RTS games
• Kartograph and OpenConflict
• Security in online games is a fruitful area of
  research!