Analysis of Anti-Hacking Software PunkBuster: How to Stop Cheating in Online Games David Nichols
Background Online gaming has readily increased in popularity over the past decade, becoming one of the most popular forms of gaming today With this increase in popularity the need for security has grown, as the player base becomes more and more diverse Proper network security has become essential ▫Not only to prevent cheating ▫But also to protect users personal information Debate has risen over who should provide security ▫Publishers, Users, or Third Parties
Design Decisions When designing a online game the publishers must choose between a number of trade offs ▫Efficiency and Accessibility vs. Security ▫Secure private servers vs. P2P As both technological and economic have evolved so has game design ▫Shift from privately hosted servers to public P2P models Significantly cheaper and more expandable
P2P Network Design Host (client or admin) Client
Popular Security Mechanisms Checksums ▫Check client data for integrity via checksums Can be forged Check client data against game rules ▫Many cheats can be sent within the rules Unique Database Structures Admins/Game Managers These security measures don’t stop many types of attacks
How Cheating Works Most of these cheats are based on weaknesses in the client-server model ▫Clients and even admins can’t be trusted Changes to the game code ▫Game code generally in binary Can be decoded Data files not in binary ▫Can change software (wallhack) or game state in memory (inf. ammo) Outside programs performing game actions ▫Turbo function and action scripts Modify personal computer’s system software ▫Change graphics driver to render all objects Packet Manipulation ▫Change packets being sent out (aimbot) ▫Use private data from client packets (wallhack) ▫Delay packets (slow time or retroactively act)
Two Main Types of Cheating Computer based attacksImproper Usage Aimbot ▫Use client info to aim ▫Modify code for dmg Artificial lag/Flood attacks ▫Attack physical device Look-ahead ▫Forge time stamp Physics hacking ▫Remove collision detection Altering game elements ▫Server override or impersonation Extrasensory perception ▫Display client info on screen Turbo Environmental exploits Ghosting Improper settings Scripting Collaboration
PunkBuster Created and first implemented in 2000 by Tony Ray to stop cheating in Castle Wolfenstein ▫Owned by Even Balance, Inc. ▫Subsequently used in numerous online shooters ▫Built around client-server model Installed on both clients and servers ▫Constantly communicates with Even Balance’s master servers Designed to scan for cheating computers and then ban them from protected servers/games
PunkBuster’s Implementation Each admin server requires its own unique directory Two main components of PunkBuster: ▫PunkBuster Server (runs on game servers) password protected ▫PunkBuster Client (runs on players' playing machines while they play the game) If admin PB not up-to-date all players notified ▫If client PB not up-to-date player not allowed to join Frequent status reports (encrypted) are sent to the PunkBuster Server by all players Violations cause player to be kicked and all others notified Admins can manually kick players ▫For a specific number of minutes or permanently ▫Can be bypassed by altering time stamp Player power facility – allows games to run without admin
PunkBuster’s Security Features Real-time memory scanning ▫Uses Windows API functions and heuristic searches Communicates over games internet connection ▫To avoid firewall ▫Uses UDP ports to communicate “Throttled two-tiered background auto-update system” with master servers ▫Provide end-user security ▫Ensure no corrupted or false updates on user PC Guarantees update integrity ▫Uses digital signatures provided by Verisign (Authenticode) ▫Updates validated by master servers based on security info Prevents Admins from using PB to send viruses
PunkBuster’s Security Features Can request partial MD5 hashes of files inside the game installation directory ▫Results compared against a default config Calculate differences and ban if necessary Admin search functions ▫To check player’s key bindings and scripts for cheats Stream PB server logs to other locations ▫Allows for the creation of universal “banned lists” Random player settings checks ▫Cvar checking A number that represents game settings, must be in admin’s range
PunkBuster’s Security Features User Authentication ▫Use digital signatures ▫Happens continuously through game (2-3 per minute minimum) Screenshot Requests ▫Admin can request screenshot samples from players Or can be done randomly Can block screenshots (black screen) or erase visible hacking ▫Reflected in RecentSS value, visible to all players, prevents admins from cheating Hardware bans ▫Ban hardware components used to circumvent PB Uses hard drive ID and other undisclosed components ▫Use multiple private one-ways hashes in order to protect the confidentiality of users serial number info Use GUID (Globally Unique Identifier) to ID users ▫Based on game installation ▫128 bit one-way hash generated from CD-key ▫Encrypted GUID bans
Attacks on PunkBuster Battlefield 3 – “Game discontented you were kicked by PunkBuster” error ▫Attackers used GUID scanner to duplicates of user’s GUID ▫Used security loophole to ban players IRC mass false positives ▫Because PB scans all virtual memory, attackers uploaded text fragments from cheat programs on popular IRC channels ▫PB would see malicious text in channel clients’ text buffers and ban them Incompatibility issues with: ▫Steam, non-windows admins, 64-bit clients, and some Firewalls
Criticisms Heavily uses user’s network, causing lag ▫Hogs bandwidth Puts heavy pressure on user’s PC processors ▫Slowing down or overheating some PCs Even Balance, the company, has too much power ▫“Judge, Jury, and Executioner” Permanent bans based solely on their digression, not controlled by publishers Invasion of privacy ▫Screenshots, program lists, memory scans, hardware info, IP addresses, and other personal security info Still doesn’t stop all cheating/attacks