OpenConflict: Preventing Real Time Map Hacks in Online Games Elie Bursztein, Mike Hamburg, Jocelyn Lagarenne, Dan Boneh (Stanford University) IEEE Symposium on Security and Privacy
OUTLINE Introduction and Related Work A Generic Tool for Map Hacking Game Hacking with Kartograph Preventing Passive Map Hack ◦ Case Study Starcraft II Defending against Map Hacking OpenConflict Discussion and Conclusion 2
Real-Time Strategy (RTS) Online gaming includes 64% of gamers ◦ RTS % ◦ First person shooter – 10.1% RTS games ◦ Players compete on a two-dimensional map divided into cells ◦ Starcraft II: normally – cells 4
RTS Game 5
Cheating in RTS games Abusing the resource system ◦ Find the location of resource value in memory Hacking the unit list Tampering with the map visibility ◦ Map hacking ◦ Hardest to perform ◦ Fully passive Note: push approach vs. pull approach 6
Map Hacking 7
Related Work Battle of Botcraft: fighting bots in online games with human observational proofs. ◦ ACM CCS (Nov 2009) Hacking World of Warcraft: An exercise in advanced rootkit design. ◦ Black Hat (2006) Visual reverse engineering of binary and data files. ◦ Visualization for Computer Security (2008) 8
Contribution Presenting a generic attack tool ◦ Kartograph A generic defense against passive attacks in RTS games ◦ OpenConflict Analyzed 1000 Starcraft II games 9
Adversarial Game Instrumentation(AGI) Past approaches: debugger/decompiler Memory attacks on virtually every game 11
Map Data Easiest 12
Map Hacking Based on memory changes ◦ The memory that contains unit positions only changes when units move Reducing Memory Space Finding the visibility map Understanding the visibility map 13
Reducing Memory Space Step 1 ◦ Launch the game ◦ Read all memory pages of the process's main module which are marked as ReadWrite, Commit and Private Step 2 ◦ Move the camera, trigger actions without discovering any new parts of the map! ◦ Eliminate all the memory blocks that changed 14
Reducing Memory Space (cont.) Step 3 ◦ “Scout” an unknown area in game ◦ Keep only the memory blocks that changed Step 4 ◦ Same as Step 2 15
Finding the Visibility Map Use visualization techniques ◦ Create a “nonlinear” scouting pattern ◦ Heat map representation Difficulty: ◦ Data types, alignment 16
Visualization 17
Visualization(cont.) 18
Understanding the Visibility Map How does the structure work? Diff-map analysis ◦ Snapshot & do something 19
Diff-Map with Heat Map 20
Unit Hacking and Network Analysis Unit: Smaller and more complex structure ◦ Produce units and observe memory Network Analysis D: Diff map F: Fixed value C: Counter value R: Random value 21
Game Hacking with Kartograph Takes lots of memory: ◦ Twice the game's memory size ◦ Works on 64-bit Windows only Tested 15 games ◦ Data structures changed radically 23
Map information Bitmap Composite 24
Using the Game as a Map Hack 25
Preventing Passive Map Hacks Threat model: passive eavesdropping adversaries Assume: P2P architecture Pull approach ◦ Cryptographic protocols? ◦ Challenge: imperceptible latency! 27
Case Study Starcraft II Wrote a crude “game engine” Analyzed 1000 Starcraft II replays (top players) ◦ High number of actions per minute (APM) ◦ Map size: ~ cells ◦ Playable size: ~ cells ◦ Game duration 28
Case Study Starcraft II (cont.) Analyzed 1000 Starcraft II replays (top players) ◦ Visibility 29
Our Approach Prevent the passive map hack Pull approach ◦ Each player's machine only stores information that the player is authorized to see Use an oblivious intersection protocol 31
Intersection Protocol Def: ◦ Let M be the set of all cells on the map ◦ Each cell may contain units (including buildings and other objects) ◦ Each unit has a visibility radius ◦ Union of all of Alice's visibility regions gives the set of cells that Alice can see ◦ denote the set of map cells containing Bob's unit ◦ for some data domain D 32
Intersection Protocol (cont.) [Figure labels: A1, B1, B2, $U_A$, $V_A$; cell $U_{B1}$, also $V_A \cap U_B$] 33
Intersection Protocol (cont.) 1. Bob should learn nothing about $V_A$ 2. Alice should learn nothing about $U_B$ other than $V_A \cap U_B$ 3. Alice learns the value of $f_B$ on $V_A \cap U_B$ but nothing about $U_B \setminus V_A$ 34
Oblivious Function G: a group of prime order q. Bob chooses a secret key k in [1, q-1]; Alice chooses a random integer r in [1, q-1]. Start: Alice sends $H_1(v)^r$. Bob responds with $H_1(v)^{rk}$. Alice computes $H_1(v)^k = (H_1(v)^{rk})^{r^{-1}}$. Secure under the computational Diffie-Hellman assumption! 35
Compute $V_A \cap U_B$ 36
Compute $V_A \cap U_B$ (cont.) (Bob) For each u in $U_B$: derive a key $k_u = H_2(H_1(u)^k)$; encrypt $f_B(u)$ using the key $k_u$ (authenticated encryption, AE). (Alice) Alice obtains $H_1(v)^k$ for all v in $V_A$; computes $k_v = H_2(H_1(v)^k)$ for all v in $V_A$; tests whether one of the ciphertexts received from Bob decrypts correctly with $k_v$. 37
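The blinded exchange and the trial decryption from the two slides above, as an added Python example (not code from the paper or from OpenConflict). Assumptions: a toy order-$q$ subgroup of $\mathbb{Z}_p^*$ with $q = 2^{127}-1$ stands in for the talk's elliptic curve, SHA-256 is used for $H_1$ and $H_2$, a SHAKE-plus-HMAC construction stands in for the authenticated encryption, and all function names are illustrative.

```python
import hashlib, hmac, math, secrets
Q = 2**127 - 1   # prime group order (toy parameter, not the talk's curve)
def _modulus(q):
    """Smallest P = c*q + 1 proven prime by Pocklington's test (base 2)."""
    c = 2
    while True:
        p = c * q + 1
        if pow(2, p - 1, p) == 1 and math.gcd(pow(2, c, p) - 1, p) == 1:
            return p, c
        c += 2

P, COF = _modulus(Q)

def h1(cell):    # H1: hash a map cell into the order-Q subgroup of Z_P*
    x = int.from_bytes(hashlib.sha256(repr(cell).encode()).digest(), "big")
    return pow(x % P, COF, P)

def h2(elem):    # H2: group element -> 32-byte symmetric key
    return hashlib.sha256(elem.to_bytes(32, "big")).digest()

def _stream(key, n):
    return hashlib.shake_256(key + b"enc").digest(n)

def seal(key, msg):    # stand-in AE: XOR keystream, then HMAC over ciphertext
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, len(msg))))
    return ct + hmac.new(key + b"mac", ct, "sha256").digest()

def unseal(key, blob):  # returns None when the tag does not verify
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

def intersect(visible, units):
    """Simulate both players; return {cell: f_B(cell)} for V_A ∩ U_B."""
    k = secrets.randbelow(Q - 1) + 1                 # Bob's secret key
    blobs = [seal(h2(pow(h1(u), k, P)), d) for u, d in units.items()]
    r = secrets.randbelow(Q - 1) + 1                 # Alice's blinding exponent
    blinded = [pow(h1(v), r, P) for v in visible]    # Alice -> Bob: H1(v)^r
    replies = [pow(b, k, P) for b in blinded]        # Bob -> Alice: H1(v)^(rk)
    r_inv = pow(r, -1, Q)                            # unblind with r^-1 mod Q
    seen = {}
    for v, rep in zip(visible, replies):
        k_v = h2(pow(rep, r_inv, P))                 # H2(H1(v)^k)
        hits = [d for d in (unseal(k_v, b) for b in blobs) if d is not None]
        if hits:
            seen[v] = hits[0]
    return seen
```

Alice's client ends up holding plaintext only for cells in both sets; every other ciphertext from Bob fails tag verification, so a memory scan of her process finds no unit data for cells she cannot see.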
Hypergrids [Figure labels: A1, B1, B2, $U_A$, $V_A$; cell $U_{B1}$, also $V_A \cap U_B$] 38
Hypergrids(cont.) 39
Chaff and Multiplayer Basic protocol ◦ Leaks to Bob the number of cells in Alice's visibility set $V_A$ ◦ Leaks to Alice the sum of the lengths of $f_B(u)$ for u in $U_B$ The queries $H_1(v)^r$ are independent of the player being queried: broadcast Computing $H_1(v)^k$ is the only per-opponent work 40
Basic protocol Core i5 660 dual-core hyperthreaded processor running at 3.33 GHz Standard NIST elliptic curves 200 visibility hypertiles and 150 units per player A single exponentiation = a millisecond => 750 milliseconds per play Unacceptable! 42
Elliptic Curve Montgomery curve Because p is a Mersenne prime ◦ Very efficient implementation, 11-12us for exponentiations on this curve 43
Security Need to remain secure for an hour Best known algorithms take O( ) time to solve discrete logarithms p = ◦ 12 sec p = (speed up OpenConflict by 33%) ◦ 72 machine-days p = (OpenConflict) ◦ 3,200 machine-years 44
Measurements v: visible grid hypertiles (about 30us) u: units (about 15us) 45
Preventing Active Attacks Detecting active attacks after the game ◦ Every client logs network traffic/actions and then sends to other players periodically ◦ Upload to a central server to verify Random number generator? ◦ Commit a seed for a pseudorandom generator at the beginning of the game ◦ A central server to verify 47
Conclusion Map hacking and a defense system for RTS games ◦ Kartograph and OpenConflict Security in online games is a fruitful area of research! 48