Real Flaws in Virtual Worlds
Posted by GameBanshee News, 01-16-2008, 12:57 PM

Security Focus features a pertinent interview taking a look at the (lack of) security in MMOs, and the dangers of exploitation, talking to the author of the book Exploiting Online Games.
While testing the exploitation of games, what did you discover about the level of security of their code? In other words, do game developers care about security, or is everything just focused on performance?

The most interesting thing about online game security is not the code itself, but the very design of these systems. The first thing to understand is that MMORPGs like World of Warcraft have millions of subscribers. At any one time there are over 400,000 people playing World of Warcraft together.

Now imagine you have to build a system that supports that many users over the Internet. The virtual world that the players interact with is very large and has vast amounts of "state." The problem is to share this state with all of the active users and keep the virtual world coherent. The only logical solution is to "crack off" some of the state and share it with the game programs running on a gamer's PC. That PC ends up controlling local state, which is periodically sync'ed with the game servers.

There's the big problem with this design. A gamer's PC is well outside the trust boundary. Any computation that is being pushed out to the client system is subject to attack by a malicious gamer who wants to cheat using his or her own PC. Much of the code in the book involves poking around in game code on your own PC -- using disassemblers, parsers, etc. Attacks against PC-controlled time and state that blur trust boundaries are complex and very interesting from a software security perspective.

Of course game developers care deeply about security! Nothing makes a game developer angrier than people who cheat and most game developers set out to thwart that kind of thing when they design their games. In the book we include a FAQ about game hacking, written by a game developer named Matt Pritchard, who tried to explain the attacker's perspective to the uninitiated.

When it comes to developers the biggest problem in software security is that many still believe that security is all about functionality. For example, they think that sprinkling on some "magic crypto fairy dust" will solve the security problem. But the kinds of attacks we describe in our book are not based on traditional network-based attacks, remote buffer overflows, or SQL injection. Instead, they are based on taking control of the local game process on your own PC and having it do things on your behalf. Some of the most interesting attacks against online games involve building "bots" that can automatically play the game for you. The bot program runs on your PC along with the game client. The challenge is to have that happen in an undetectable fashion. (Incidentally, this is why games have so much relevance when it comes to future attacks on other distributed systems.)

Game developers will learn plenty about the attacker's perspective and real attacks by reading our book. In the end, that will make for much better software security and games that are much harder to cheat in. My bet is that this book will help to spark more interest in software security in general.

Spotted on Slashdot.
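
The trust-boundary point made in the interview, as an added example written for this page (it is not code from the book, the interview or any game): a server treats each periodic client sync as untrusted input and checks it against state and time that it holds itself. The names `PlayerState`, `apply_sync`, `MAX_SPEED`, `TOLERANCE` and the message fields are assumptions for a hypothetical game.

```python
import math
from dataclasses import dataclass

# Assumed limits for a hypothetical game; not taken from any real title.
MAX_SPEED = 7.0    # world units per second a character may legitimately move
TOLERANCE = 1.25   # slack for network jitter between syncs

@dataclass(frozen=True)
class PlayerState:
    x: float
    y: float
    gold: int
    last_sync: float  # server clock (seconds) of the last processed sync

def apply_sync(state, update, server_now):
    """Check one client sync message against server-held state.

    Returns (new_state, rejected_fields). The client is outside the trust
    boundary, so its timestamp is ignored and its gold value is never adopted.
    """
    rejected = []
    # Elapsed time comes from the server clock only; a client-supplied
    # "client_time" would let a tampered client claim any interval it likes.
    elapsed = max(0.0, server_now - state.last_sync)
    x, y = state.x, state.y
    moved = math.hypot(update["x"] - state.x, update["y"] - state.y)
    if moved <= MAX_SPEED * elapsed * TOLERANCE:
        x, y = update["x"], update["y"]
    else:
        rejected.append("position")   # keep the last server-accepted position
    # Economy state is server-authoritative: a differing claim is only flagged.
    if update.get("gold", state.gold) != state.gold:
        rejected.append("gold")
    return PlayerState(x, y, state.gold, server_now), rejected

if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    s = PlayerState(0.0, 0.0, 100, last_sync=0.0)
    s, bad = apply_sync(s, {"x": 3.0, "y": 4.0, "gold": 100}, server_now=1.0)
    print(s, bad)
    s, bad = apply_sync(s, {"x": 103.0, "y": 4.0, "gold": 10**6,
                            "client_time": 999.0}, server_now=2.0)
    print(s, bad)
```

The rejected-field list is what a detection pipeline would log per account; repeated rejections are a stronger signal than a single one, which can come from lag.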