The Game Security Framework

(1.0)

Jason Haddix & Daniel Miessler

Us

• Jason Haddix: Head of Trust and Security, Bugcrowd

• Daniel Miessler: Director of Advisory Services, IOActive

@jhaddix @danielmiessler

History

• This is the second try for the project

• Tried originally in 2014, to no avail

3

Concept

4

Structure• Normal, English sentences that are used to describe the

entire scenario

• Each sentence contains placeholders for the various parts of the risk

malicious competitor attacks the server-side and takes advantage of limited server-side bandwidth and uses ddos to cause extreme lag that lets them win a match, resulting in frustrated users not playing the game anymore, which could have been avoided using ddos protection.

5

Structure

6

https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project

Semantic Structure

Actor attacks Attack Surface and uses Exploit to take advantage of Vulnerability to try to achieve their Goal, resulting in Negative Outcome, which could have been avoided by Defense.

7

Vulnerabilities

8

Ping + Teleport

9

1. Mess with your own connection

2. Server starts reporting your location sporadically

3. Allows you to pass through objects

4. BONUS: Avoid being attacked because you’re like a ghost

Player attacks the network and takes advantage of throttling and uses connection degradation to cause extreme lag that lets them avoid harm, resulting in frustrated users not playing the game anymore, which could have been avoided using better code.

Moar Mosters

10

1. When logged in as an admin there are options to do lots of things, like call monsters

2. Players figure out they can execute admin commands as well (only the menu was missing)

3. They get in nasty PvP and call in tons of nasty mobs to crush enemies

Player attacks the server and takes advantage of client-side filters and uses hidden admin commands to cause in game chaos that lets them survive pvp, resulting in frustrated users not playing the game anymore, which could have been avoided using server-side controls.

Midnight Store

11

1. Game bugs required the server to be restarted at midnight

2. If you were in the middle of a trade when the server went down, both players got both sides of the trade

Player attacks the game and takes advantage of logic bug and uses knowledge of bug to cause item duplication that lets them unfairly increase loot, resulting in less need to buy things, which could have been avoided using better code.

Marvel at my DC

12

1. Play a Star Wars game on Android

2. Go into Airplane Mode in the middle of the game

3. Run Android hack to automatically win

4. Reconnect, advance on the ladder

Player attacks the client and takes advantage of local hack and logic flaw and uses local hack to cause unfair ladder win that lets them, resulting in ladder chaos, which could have been avoided using better code.

Ooh Sparkly

13

1. Launching lots of graphics-intensive actions could cause frame rate drops

2. People load up on the most graphics-intensive combos and fire them off if they’re attacked

3. Nobody could kill them because they could run away while their game is lagging

Player attacks the client and takes advantage of resource constraints and uses knowledge of bug to cause unfair pvp advantage that lets them avoid death during pvp, resulting in angry players and fewer users, which could have been avoided using better code.

Pink Unicorns

14

1. Players find hidden coordinates in network stream data

2. They hack the client to show hidden items on the map

3. They find hidden players and items before everyone else

4. PK or dramatically improved farming

Player attacks the client and takes advantage of client-side filters and uses client modification to cause see hidden content that lets them pk and farm, resulting in frustrated users not playing the game anymore, which could have been avoided using client integrity validation.

Dishonorable Mentions

15

1. Convincing players to download a mod so we can “powerlevel you”.

2. Changing your username to look like a GM, and telling people to give you their items (for safe keeping).

3. Multiple buff stacking due to race conditions / logic flaws.

4. Death / looting issues that allow you to loot dead bodies and get their gear without the person losing the gear when they respawn.

5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken when you DC your connection. As a developer, how would you handle it?

6. Powerleveling service takes your account for a day or so and you soon get a notification that you’ve been banned (they used you for money laundering).

7. …etc, etc.

Case Study

16

Mobile Cover Clipping

17

1. Use of a skill (Mobile Cover) allows players to skip content

2. Skipping content allows after farming rates of bosses

Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.

Mobile Cover Clipping

18

https://www.youtube.com/watch?v=kAq2283F7vs

instancing and checkpoints

19

1. Players able to enter a different area (instance) to re-spawn bosses

Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.

instancing and checkpoint manipulation

20

https://www.youtube.com/watch?v=Wj8OXIOJvhE

buff/talent stacking

21

1. switching gear rapidly caused buffs or talents to “stack” allowing using talents to gain 1 shot kills, infinite money of headshots, etc.

Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to Gain In-game Currency and Enhance Gear, resulting in angry players and fewer users, which could have been avoided using better code.

buff/talent stacking

22

https://www.youtube.com/watch?v=pPsKEXmnL_E

Current State

23

• Capturing as many bugs as possible

• Categorizing them

• Putting them into the framework

Current State

24

Current State

25

Future State

26

• Moar Bugz (crowdsourced)

• Continuous improvement of schema

• Additional ideas for improvement

Next Steps & Help

27

• If you know any game bugs, you can help out at this location:

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

• We also just started a Slack channel, in case you don’t already have enough of those.

Thanks & Contact

28

• Jason HaddixBugcrowd@jhaddix

• Daniel MiesslerIOActive@danielmiessler

https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project