The Game Security Framework (1.0) Jason Haddix & Daniel Miessler

Apr 12, 2017


Daniel Miessler
Page 1: The Game Security Framework

The Game Security Framework

(1.0)

Jason Haddix & Daniel Miessler

Page 2: The Game Security Framework

Us

• Jason Haddix: Head of Trust and Security, Bugcrowd

• Daniel Miessler: Director of Advisory Services, IOActive

@jhaddix @danielmiessler

Page 3: The Game Security Framework

History

• This is the second try for the project

• Tried originally in 2014, to no avail


Page 4: The Game Security Framework

Concept


Page 5: The Game Security Framework

Structure

• Normal, English sentences that are used to describe the entire scenario

• Each sentence contains placeholders for the various parts of the risk

Malicious competitor attacks the server-side and takes advantage of limited server-side bandwidth and uses DDoS to cause extreme lag that lets them win a match, resulting in frustrated users not playing the game anymore, which could have been avoided using DDoS protection.


Page 7: The Game Security Framework

Semantic Structure

Actor attacks Attack Surface and uses Exploit to take advantage of Vulnerability to try to achieve their Goal, resulting in Negative Outcome, which could have been avoided by Defense.


Page 8: The Game Security Framework

Vulnerabilities


Page 9: The Game Security Framework

Ping + Teleport


1. Mess with your own connection

2. Server starts reporting your location sporadically

3. Allows you to pass through objects

4. BONUS: Avoid being attacked because you’re like a ghost

Player attacks the network and takes advantage of throttling and uses connection degradation to cause extreme lag that lets them avoid harm, resulting in frustrated users not playing the game anymore, which could have been avoided using better code.

Page 10: The Game Security Framework

Moar Monsters


1. When logged in as an admin there are options to do lots of things, like call monsters

2. Players figure out they can execute admin commands as well (only the menu was missing)

3. They get in nasty PvP and call in tons of nasty mobs to crush enemies

Player attacks the server and takes advantage of client-side filters and uses hidden admin commands to cause in game chaos that lets them survive pvp, resulting in frustrated users not playing the game anymore, which could have been avoided using server-side controls.
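The "server-side controls" defense named above, sketched as an added example that is not from the original slides: a handler that trusts the client menu beside one that authorizes every command against the session role and records denials. The command names, roles and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed command names for illustration; not taken from any real game.
PLAYER_COMMANDS = {"say", "trade"}
ADMIN_COMMANDS = {"spawn_monster", "ban_player"}

@dataclass(frozen=True)
class Session:
    account: str
    role: str  # assigned by the server at login, never read from the request

def client_menu(session):
    """Client-side filter: non-admins simply are not shown the admin entries."""
    visible = set(PLAYER_COMMANDS)
    if session.role == "admin":
        visible |= ADMIN_COMMANDS
    return visible

def handle_trusting(session, command):
    """Pattern from the slide: the server runs any known command it receives."""
    if command in PLAYER_COMMANDS | ADMIN_COMMANDS:
        return "executed"
    return "unknown"

def handle_checked(session, command, audit_log):
    """Server-side control: authorize against the session role on every request."""
    if command in PLAYER_COMMANDS:
        return "executed"
    if command in ADMIN_COMMANDS:
        if session.role == "admin":
            return "executed"
        # A denied admin command from a player session means the request was
        # crafted outside the normal client menu; record it for review.
        audit_log.append((session.account, command))
        return "denied"
    return "unknown"
```

The audit log doubles as a detection signal: a legitimate client never sends an admin command from a player session.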

Page 11: The Game Security Framework

Midnight Store


1. Game bugs required the server to be restarted at midnight

2. If you were in the middle of a trade when the server went down, both players got both sides of the trade

Player attacks the game and takes advantage of logic bug and uses knowledge of bug to cause item duplication that lets them unfairly increase loot, resulting in less need to buy things, which could have been avoided using better code.
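One way the "better code" defense could look for this trade bug, as an added example that is not from the original slides: a trade written as separately committed steps beside the same trade inside a single database transaction. The restart is simulated with an exception, and the table layout, player names and items are constructed.

```python
import sqlite3

class ServerRestart(Exception):
    """Constructed stand-in for the midnight restart landing mid-trade."""

def new_world():
    # isolation_level=None: every statement commits on its own unless we BEGIN.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE inventory (owner TEXT, item TEXT)")
    db.executemany("INSERT INTO inventory VALUES (?, ?)",
                   [("alice", "sword"), ("bob", "shield")])  # constructed data
    return db

def grant(db, owner, item):
    db.execute("INSERT INTO inventory VALUES (?, ?)", (owner, item))

def remove(db, owner, item):
    cur = db.execute("DELETE FROM inventory WHERE owner=? AND item=?", (owner, item))
    if cur.rowcount != 1:
        raise ValueError(f"{owner} does not hold exactly one {item}")

def trade_non_atomic(db, a, item_a, b, item_b, restart_midway=False):
    grant(db, b, item_a)          # each step is committed immediately
    grant(db, a, item_b)
    if restart_midway:
        raise ServerRestart()     # both grants persist, no removal happened
    remove(db, a, item_a)
    remove(db, b, item_b)

def trade_atomic(db, a, item_a, b, item_b, restart_midway=False):
    db.execute("BEGIN IMMEDIATE")  # all four changes commit together or not at all
    try:
        remove(db, a, item_a)      # also verifies each side still owns its item
        remove(db, b, item_b)
        grant(db, b, item_a)
        grant(db, a, item_b)
        if restart_midway:
            raise ServerRestart()
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise

def run_scenario(trade, restart_midway):
    db = new_world()
    try:
        trade(db, "alice", "sword", "bob", "shield", restart_midway)
    except ServerRestart:
        pass
    return sorted(db.execute("SELECT owner, item FROM inventory").fetchall())
```

With the interrupted non-atomic trade, both players end up holding both items; the interrupted atomic trade leaves the inventories exactly as they were before the trade started.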

Page 12: The Game Security Framework

Marvel at my DC


1. Play a Star Wars game on Android

2. Go into Airplane Mode in the middle of the game

3. Run Android hack to automatically win

4. Reconnect, advance on the ladder

Player attacks the client and takes advantage of local hack and logic flaw and uses local hack to cause unfair ladder win that lets them, resulting in ladder chaos, which could have been avoided using better code.

Page 13: The Game Security Framework

Ooh Sparkly


1. Launching lots of graphics-intensive actions could cause frame rate drops

2. People load up on the most graphics-intensive combos and fire them off if they’re attacked

3. Nobody could kill them because they could run away while their game is lagging

Player attacks the client and takes advantage of resource constraints and uses knowledge of bug to cause unfair pvp advantage that lets them avoid death during pvp, resulting in angry players and fewer users, which could have been avoided using better code.

Page 14: The Game Security Framework

Pink Unicorns


1. Players find hidden coordinates in network stream data

2. They hack the client to show hidden items on the map

3. They find hidden players and items before everyone else

4. PK or dramatically improved farming

Player attacks the client and takes advantage of client-side filters and uses client modification to see hidden content that lets them PK and farm, resulting in frustrated users not playing the game anymore, which could have been avoided using client integrity validation.

Page 15: The Game Security Framework

Dishonorable Mentions


1. Convincing players to download a mod so we can “powerlevel you”.

2. Changing your username to look like a GM, and telling people to give you their items (for safe keeping).

3. Multiple buff stacking due to race conditions / logic flaws.

4. Death / looting issues that allow you to loot dead bodies and get their gear without the person losing the gear when they respawn.

5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken when you DC your connection. As a developer, how would you handle it?

6. Powerleveling service takes your account for a day or so and you soon get a notification that you’ve been banned (they used you for money laundering).

7. …etc, etc.

Page 16: The Game Security Framework

Case Study


Page 17: The Game Security Framework

Mobile Cover Clipping


1. Use of a skill (Mobile Cover) allows players to skip content

2. Skipping content allows faster farming rates of bosses

Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.

Page 18: The Game Security Framework

Mobile Cover Clipping


https://www.youtube.com/watch?v=kAq2283F7vs

Page 19: The Game Security Framework

instancing and checkpoints


1. Players able to enter a different area (instance) to re-spawn bosses

Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.

Page 20: The Game Security Framework

instancing and checkpoint manipulation


https://www.youtube.com/watch?v=Wj8OXIOJvhE

Page 21: The Game Security Framework

buff/talent stacking


1. Switching gear rapidly caused buffs or talents to “stack”, allowing talents to be used to gain 1-shot kills, infinite money of headshots, etc.

Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to Gain In-game Currency and Enhance Gear, resulting in angry players and fewer users, which could have been avoided using better code.

Page 22: The Game Security Framework

buff/talent stacking


https://www.youtube.com/watch?v=pPsKEXmnL_E

Page 23: The Game Security Framework

Current State


• Capturing as many bugs as possible

• Categorizing them

• Putting them into the framework

Page 24: The Game Security Framework

Current State


Page 25: The Game Security Framework

Current State


Page 26: The Game Security Framework

Future State


• Moar Bugz (crowdsourced)

• Continuous improvement of schema

• Additional ideas for improvement

Page 27: The Game Security Framework

Next Steps & Help


• If you know any game bugs, you can help out at this location:

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

• We also just started a Slack channel, in case you don’t already have enough of those.

Page 28: The Game Security Framework

Thanks & Contact


• Jason Haddix, Bugcrowd, @jhaddix

• Daniel Miessler, IOActive, @danielmiessler

https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project