The Game Security Framework
1 like449 views
The document discusses the Game Security Framework (version 1.0), detailing its development history and structure for outlining potential game vulnerabilities. It provides examples of different attack scenarios and their consequences, emphasizing the need for better coding practices to mitigate risks. The authors encourage community participation in identifying bugs and improving the framework for future iterations.
The Game Security Framework
- 1. The Game Security Framework (1.0) Jason Haddix & Daniel Miessler
- 2. Us • Jason Haddix: Head of Trust and Security, Bugcrowd • Daniel Miessler: Director of Advisory Services, IOActive @jhaddix @danielmiessler
- 3. History • This is the second try for the project • Tried originally in 2014, to no avail 3
- 4. Concept 4
- 5. Structure • Normal, English sentences that are used to describe the entire scenario • Each sentence contains placeholders for the various parts of the risk malicious competitor attacks the server-side and takes advantage of limited server-side bandwidth and uses ddos to cause extreme lag that lets them win a match, resulting in frustrated users not playing the game anymore, which could have been avoided using ddos protection. 5
- 6. Structure 6 https://www.owasp.org/index.php/ OWASP_Game_Security_Framework_Project
- 7. Semantic Structure Actor attacks Attack Surface and uses Exploit to take advantage of Vulnerability to try to achieve their Goal, resulting in Negative Outcome, which could have been avoided by Defense. 7
- 9. Ping + Teleport 9 1. Mess with your own connection 2. Server starts reporting your location sporadically 3. Allows you to pass through objects 4. BONUS: Avoid being attacked because you’re like a ghost Player attacks the network and takes advantage of throttling and uses connection degradation to cause extreme lag that lets them avoid harm, resulting in frustrated users not playing the game anymore, which could have been avoided using better code.
- 10. Moar Mosters 10 1. When logged in as an admin there are options to do lots of things, like call monsters 2. Players figure out they can execute admin commands as well (only the menu was missing) 3. They get in nasty PvP and call in tons of nasty mobs to crush enemies Player attacks the server and takes advantage of client-side filters and uses hidden admin commands to cause in game chaos that lets them survive pvp, resulting in frustrated users not playing the game anymore, which could have been avoided using server-side controls.
- 11. Midnight Store 11 1. Game bugs required the server to be restarted at midnight 2. If you were in the middle of a trade when the server went down, both players got both sides of the trade Player attacks the game and takes advantage of logic bug and uses knowledge of bug to cause item duplication that lets them unfairly increase loot, resulting in less need to buy things, which could have been avoided using better code.
- 12. Marvel at my DC 12 1. Play a Star Wars game on Android 2. Go into Airplane Mode in the middle of the game 3. Run Android hack to automatically win 4. Reconnect, advance on the ladder Player attacks the client and takes advantage of local hack and logic flaw and uses local hack to cause unfair ladder win that lets them, resulting in ladder chaos, which could have been avoided using better code.
- 13. Ooh Sparkly 13 1. Launching lots of graphics-intensive actions could cause frame rate drops 2. People load up on the most graphics-intensive combos and fire them off if they’re attacked 3. Nobody could kill them because they could run away while their game is lagging Player attacks the client and takes advantage of resource constraints and uses knowledge of bug to cause unfair pvp advantage that lets them avoid death during pvp, resulting in angry players and fewer users, which could have been avoided using better code.
- 14. Pink Unicorns 14 1. Players find hidden coordinates in network stream data 2. They hack the client to show hidden items on the map 3. They find hidden players and items before everyone else 4. PK or dramatically improved farming Player attacks the client and takes advantage of client-side filters and uses client modification to cause see hidden content that lets them pk and farm, resulting in frustrated users not playing the game anymore, which could have been avoided using client integrity validation.
- 15. Dishonorable Mentions 15 1. Convincing players to download a mod so we can “powerlevel you”. 2. Changing your username to look like a GM, and telling people to give you their items (for safe keeping). 3. Multiple buff stacking due to race conditions / logic flaws. 4. Death / looting issues that allow you to loot dead bodies and get their gear without the person losing the gear when they respawn. 5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken when you DC your connection. As a developer, how would you handle it? 6. Powerleveling service takes your account for a day or so and you soon get a notification that you’ve been banned (they used you for money laundering). 7. …etc, etc.
- 16. Case Study 16
- 17. Mobile Cover Clipping 17 1. Use of a skill (Mobile Cover) allows players to skip content 2. Skipping content allows after farming rates of bosses Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
- 19. instancing and checkpoints 19 1. Players able to enter a different area (instance) to re- spawn bosses Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
- 21. buff/talent stacking 21 1. switching gear rapidly caused buffs or talents to “stack” allowing using talents to gain 1 shot kills, infinite money of headshots, etc. Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to Gain In-game Currency and Enhance Gear, resulting in angry players and fewer users, which could have been avoided using better code.
- 23. Current State 23 • Capturing as many bugs as possible • Categorizing them • Putting them into the framework
- 24. Current State 24
- 25. Current State 25
- 26. Future State 26 • Moar Bugz (crowdsourced) • Continuous improvement of schema • Additional ideas for improvement
- 27. Next Steps & Help 27 • If you know any game bugs, you can help out at this location: https://docs.google.com/spreadsheets/d/ 1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/ edit#gid=0 • We also just started a Slack channel, in case you don’t already have enough of those.
- 28. Thanks & Contact 28 • Jason Haddix Bugcrowd @jhaddix • Daniel Miessler IOActive @danielmiessler https://www.owasp.org/index.php/ OWASP_Game_Security_Framework_Project