Multiplayer Online Games Insecurity [Re]Vuln Luigi Auriemma & - PowerPoint PPT Presentation

  1. Multiplayer Online Games Insecurity [Re]Vuln Luigi Auriemma & Donato Ferrante

  2. Who?
     - Donato Ferrante (@dntbug)
     - Luigi Auriemma (@luigi_auriemma)
     - ReVuln Ltd. – revuln.com – twitter.com/revuln – info@revuln.com

  3. Agenda
     - Introduction
     - Why games?
     - Possible scenarios
     - The market
     - Game vulnerabilities
     - Welcome to the real world
     - What about the future?
     - Conclusion
     ReVuln Ltd. 3

  4. Introduction
     - Games are an underestimated field for security
     - Huge number of players
       - Number of online players: 1, 3, 6, 10, 55, 66, 120, 153, 171, 190, 300, 351, 595, 630, 666, 820, 3003, 5995, 8778..
       - Number of online games: 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233, 377, 610, 987..
     - Excellent and stealthy attack vector
     - Oh! Many games require Admin privileges to run
       - Often because of anti-cheating solutions..
       - Thanks anti-cheating! :]

  5. Why games?

  6. Why games?
     - Two main entities/targets: Players, Companies
     - Each of these targets has a different "attacker subset"
       - Mostly defined by interests..

  7. Why games?
     - Two main entities/targets: 1) Players 2) Companies
     - Who wants to attack your game?
       - Your roommate… (he told you to stop wasting bandwidth!)
       - Script kiddies..
       - Others…

  8. Why games?
     - Two main entities/targets: 1) Players 2) Companies
     - Who wants to attack your company?
       - Your competitors.. (they are everywhere)
       - Script kiddies..
       - Others…

  9. Why games?
     - Two main entities/targets: 1) Players 2) Companies
     - Competitors: "the more you are bad, the more they are good"
     - The Company vs Company logic:
       1) Company A attacks Company B's servers/clients
       2) Players get pwned
       3) Servers will go down
       4) Will players of B still pay for a product they can't play (safely)?
          - Maybe they will think about moving to A's products

  10. Possible Scenarios
     Never feel safe while playing online...

  11. Possible Scenarios: Client-side and Server-side
     - Supposed to be a happy world..
     - Diagram (Attacker, Player/Victim, Server):
       1. Get the player/victim IP
       2. Exploit a client-side bug
       3. Pr0fit

  12. Possible Scenarios: Client-side and Server-side
     - Next level.. exploit a server-side vulnerability
     - Diagram: Player 1 .. Player n connect to the Server, which sits in front of the Internal Infrastructure (User DB, Store DB); the Attacker targets the Server
       - Option 1: User DB -> Privacy, Credentials
       - Option 2: Store DB -> Tran$action$, Credit card$

  13. Quick Recap
     - We know the possible victims
     - We know the possible attackers
     - We know how victims and attackers can interact
     - We know about possible scenarios
     - But something is still missing…

  14. Quick Recap
     - How attackers get vulnerabilities…
       - They buy
       - Or.. they hunt

  15. The market

  16. The market
     - There is a market for 0-day vulnerabilities in online games
     - Server-side and client-side bugs
     - In this market even Denial of Service bugs are valuable
       - Taking down clients or servers is one of the possible goals

  17. The market
     - Who is on this market? Server Admins, Players, Companies, Others

  18. Game vulnerabilities

  19. Game vulnerabilities
     - Main things we need to start hunting for vulnerabilities in games:
       - A game (no games, no party..)
       - A debugger/disassembler
       - Some network monitoring tools
         - Wireshark
         - Custom scriptable tools (DLL proxy or other approaches)
           - Scriptable via Ruby or Python (+1)
           - Can be used on-the-fly (+1)
           - Able to inject custom packets..
       - Some brainwork

  20. Game vulnerabilities: Game & Game engine & bugs math
     - 1 Game => 1 Game Engine
     - 1 Game Engine => n Games
     - Which can be seen as:
       - 1 bug in Game => 1 Game pwned
       - 1 bug in Game Engine => n Games pwned
     - Diagram: a Game = Game logic + Customization, built on a Game Engine (Network, Graphic / Sound, Etc.)

  21. Game vulnerabilities: Are games an easy target?
     - Diagram: the Game Engine surrounded by Custom protocols, Cryptography, Compression, Anti-debugging, Anti-cheating

  22. Game vulnerabilities: Custom Protocols, or the reason why we need custom "sniffers"
     - TCP over UDP: players don't like lagging
     - Typical game UDP packet format: TCP_STUFF | ANTI_LAG | ??? | DATA
       - DATA is usually the most interesting part

  23. Game vulnerabilities: A fragmented packet is:
     - An interesting child of custom protocols using TCP over UDP concepts
     - A UDP packet
     - The base unit of a TCP over UDP implementation
     - Composed of:
       1) POS, the position of the current packet in the given stream
       2) LEN, the current data length
       3) DATA, the current data
       4) OTHER, implementation-dependent stuff

  24. Game vulnerabilities: Fragmented packets logic
     - Original packet: Hello Game!
     - Fragmented packets (POS:LEN:DATA; the LEN of 6 counts the trailing space after Hello):
       pkt>1:6:Hello
       pkt>2:4:Game
       pkt>3:1:!

  25. Game vulnerabilities: Fragmented packets (supposed) logic
     - Game Engine allocated buffer: [Hello ][Game][!]
     - Example fragment: pkt> 2 : 4 : Game
     - Game Engine:
       1) Receive fragmented packet
       2) Process header: POS, LEN
       3) Place DATA in its position
       4) Process next packet..

  26. Game vulnerabilities: Fragmented packets (actual) logic
     - Game Engine allocated buffer: [Hello ][AAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAAAAAA] spilling past the buffer into Server Memory [!]
     - Malicious fragment: pkt> X : Y : AA..A
     - Game Engine:
       1) Receive fragmented packet
       2) Process header: POS, LEN
       3) Trust POS and LEN
       4) Place DATA in its position
       5) Game over :]

  27. Game vulnerabilities: Fragmented packets vs Real World
     - Source Engine Memory Corruption via Fragmented Packets
       - Engine level bug
       - 10,000+ online servers
       - All the games based on the Source engine are affected: Half-Life 2, Counter Strike Source, Team Fortress 2, Left 4 Dead, More…
     - Yo Valve! Did you?

  28. Game vulnerabilities: Source Engine Memory Corruption via Fragmented Packets
     - A small heap buffer is assigned to contain the entire packet
     - The client can decide POS, LEN for new fragments arbitrarily
     - The game engine has anyway some limitations on POS, LEN:
       - POS must be in the range [0, 0x3ffff00]
       - LEN must be at most 0x700
     - Is this a problem? No :]
     - Not difficult to exploit:
       1) Locate a function pointer (tons of pointers around <-> C++ code)
       2) Overwrite the pointer
       3) Pr0fit
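The reassembly logic of slides 23 to 28, as an added example that is not part of the talk and not Valve's code: a hardened fragment placement routine that checks POS and LEN against the buffer actually allocated for the stream, next to the coarse protocol-wide range check the slides describe. It assumes POS is a byte offset into the stream buffer (the slides show a fragment index) and that the buffer is sized to the announced stream length; the fragments, including the oversized one, are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reassembly state for one TCP-over-UDP stream: `total` is the announced stream length and the exact size of `buf`. */
struct frag_stream { uint8_t *buf; size_t total; };

/* The coarse limits the slides describe for the Source engine: POS in [0, 0x3ffff00],
 * LEN at most 0x700. Nothing here relates the fragment to the allocated buffer. */
int engine_range_ok(uint32_t pos, uint32_t len) { return pos <= 0x3ffff00u && len <= 0x700u; }

/* Hardened placement: the fragment must lie entirely inside the allocated buffer.
 * Checking LEN against (total - pos) only after pos < total rules out POS + LEN
 * wraparound. Returns 0 on success, -1 when the fragment is dropped. */
int frag_apply(struct frag_stream *s, uint32_t pos, uint32_t len, const uint8_t *data)
{
    if (len == 0 || pos >= s->total) return -1;   /* POS outside the buffer */
    if (len > s->total - pos)        return -1;   /* DATA would run past the end */
    memcpy(s->buf + pos, data, len);
    return 0;
}

/* Replays the slides' fragments (POS:LEN:DATA, POS taken as a byte offset) into an
 * 11-byte buffer; returns 1 if the stream reads "Hello Game!". */
int demo_reassemble(void)
{
    uint8_t buf[11] = {0};
    struct frag_stream s = { buf, sizeof buf };
    int ok = frag_apply(&s, 0, 6, (const uint8_t *)"Hello ") == 0
          && frag_apply(&s, 6, 4, (const uint8_t *)"Game") == 0
          && frag_apply(&s, 10, 1, (const uint8_t *)"!") == 0;
    return ok && memcmp(buf, "Hello Game!", 11) == 0;
}

/* Constructed hostile fragment: inside the engine's own limits, yet aimed far past
 * the small heap buffer. Returns 1 if the hardened check rejects it. */
int demo_oversized_rejected(void)
{
    uint8_t buf[11] = {0}, data[0x700];
    struct frag_stream s = { buf, sizeof buf };
    memset(data, 'A', sizeof data);
    return engine_range_ok(0x3ffff00u, 0x700u)
        && frag_apply(&s, 0x3ffff00u, 0x700u, data) == -1;
}

int main(void) { printf("%d %d\n", demo_reassemble(), demo_oversized_rejected()); return 0; }
```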

  29. Game vulnerabilities: Fragmented packets affected Games/Game Engines
     - America's Army 3
     - Enet library
     - Source engine: Half-Life 2, Counter Strike Source, Team Fortress 2, Left 4 Dead, More…
     - Others..
     - Need more vulnerable games? Hello Master Servers :]
       - A public list of all the games available online at a given moment
       - Easy to query..

  30. Game vulnerabilities: Master Servers
     - Hold the information of all the available online games: Server IP, Clients IP, Game info, Etc.
     - Two main functionalities:
       - Heartbeat handling (from Servers): handles requests coming from new Servers that want to be included on the Master Server.
       - Queries handling (from Clients): handles queries from clients asking for games. It usually supports filters like "exclude full/empty servers" and so on.

  31. Game vulnerabilities: Are games an easy target?
     - Diagram: the Game Engine surrounded by Custom protocols, Cryptography, Compression, Anti-debugging, Anti-cheating

  32. Game vulnerabilities: Cryptography & Compression
     - Related to packets
     - We don't want to spend hours reversing already known algorithms such as AES, DES, ZLIB, etc., do you?
     - In many cases we just need to know what the algorithm in use is
       - And (in some cases) be able to obtain the "secret"
     - We need something to help our task
       - Look for known constants
       - Look for known patterns
     - In other words we can use a crypto/compression scanner
       - The one we usually use is signSearch
         - Standalone
         - Plugin for Immunity Dbg
         - Plugin for IDA Pro

  33. Game vulnerabilities: Cryptography & Compression
     - Typical shape of a crypto/compression loop in the disassembly:
       Loop:
         > SH*, XOR, ADD, INC, SUB, DEC, ..
         J* Loop

  34. Game vulnerabilities: Cryptography & Compression
     - Most common Crypto:
       - Blowfish
       - RC4
         - Customized version (1st place *)
         - Very common for game-related software.
       - AES
       - Tea
         - Customized version (1st place *)
         - Very common in games.
       - XOR
         - Not exactly a crypto algo, but.. Very common!
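A minimal known-constant scanner in the spirit of the signSearch approach from slides 32 to 34, as an added example that is not signSearch's code: it searches a code image for a few published algorithm constants (the TEA delta, Blowfish's first P-array word, zlib's CRC-32 table, the AES S-box) and reports which are present. The signature table and the image bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A published constant whose presence in a binary identifies an algorithm.
 * Multi-byte values are stored little-endian, as an x86 build lays them out. */
struct sig { const char *name; uint8_t bytes[8]; size_t len; };
static const struct sig SIGS[] = {
    { "TEA delta 0x9E3779B9",       { 0xB9, 0x79, 0x37, 0x9E }, 4 },
    { "Blowfish P[0] 0x243F6A88",   { 0x88, 0x6A, 0x3F, 0x24 }, 4 },
    { "CRC-32 table[1] 0x77073096", { 0x96, 0x30, 0x07, 0x77 }, 4 },   /* zlib */
    { "AES S-box, first 8 entries", { 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5 }, 8 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scans an image for every signature; bit i of the result is set when SIGS[i]
 * occurs at least once. Lone 4-byte words can collide with ordinary data, so a
 * production scanner matches whole tables rather than a single word. */
unsigned scan_for_constants(const uint8_t *img, size_t n)
{
    unsigned found = 0;
    for (size_t i = 0; i < NSIGS; i++)
        for (size_t off = 0; off + SIGS[i].len <= n; off++)
            if (memcmp(img + off, SIGS[i].bytes, SIGS[i].len) == 0) {
                found |= 1u << i;
                break;
            }
    return found;
}

/* Constructed stand-in for a dumped code section: filler bytes around the TEA
 * delta and the start of the AES S-box. RC4 and plain XOR leave no constant to
 * find, which is why the talk also looks for the SH*, XOR, ADD loop shape. */
unsigned demo_scan_mask(void)
{
    static const uint8_t img[] = {
        0x55, 0x8B, 0xEC, 0xB9, 0x79, 0x37, 0x9E, 0x90, 0x90,
        0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0xC3,
    };
    return scan_for_constants(img, sizeof img);
}

int main(void)
{
    unsigned found = demo_scan_mask();
    for (size_t i = 0; i < NSIGS; i++)
        if (found & (1u << i)) printf("found: %s\n", SIGS[i].name);
    return 0;
}
```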

  35. Game vulnerabilities: Cryptography & Compression
     - Most common Compression:
       - Zlib (1st place)
       - Lzss
       - Lzma
       - Lzo
       - Huffman
       - Several proprietary custom algos
