WALK IN SLIDE. August 14-15 2006 Games as Malware: Why Security Is Your Problem Too Dave Weinstein...


August Overviews and Introductions Dave Weinstein Recovering game developer, with occasional relapses when auditing game code for security concerns Michael Howard Senior Security Program Manager in the Security Engineering team focusing on secure engineering practices and process. Co-author of the Security Development Lifecycle, Writing Secure Code, and 19 Deadly Sins of Software security. Speaking of deadly sins, the only game he really plays is good old Diablo II, and he wishes he could use Corpse Explosion on some development teams once in a while. And with apologies to Dr. Elisabeth Kubler-Ross…

Transcript of WALK IN SLIDE. August 14-15 2006 Games as Malware: Why Security Is Your Problem Too Dave Weinstein...

Page 1: WALK IN SLIDE. August 14-15 2006 Games as Malware: Why Security Is Your Problem Too Dave Weinstein Michael Howard Secure Technologies Unit Microsoft.

“WALK IN” SLIDE

Page 2:

August 14-15 2006

Games as Malware: Why Security Is Your Problem Too
Dave Weinstein
Michael Howard
Secure Technologies Unit
Microsoft

Presentation/Presenter Title Slide

Page 3:

Overviews and Introductions

Dave Weinstein
- Recovering game developer, with occasional relapses when auditing game code for security concerns

Michael Howard
- Senior Security Program Manager in the Security Engineering team focusing on secure engineering practices and process.
- Co-author of the Security Development Lifecycle, Writing Secure Code, and 19 Deadly Sins of Software Security.
- Speaking of deadly sins, the only game he really plays is good old Diablo II, and he wishes he could use Corpse Explosion on some development teams once in a while.

And with apologies to Dr. Elisabeth Kubler-Ross…

Page 4:

Stage One: Denial
Game Security Is All Microsoft’s Fault

- Not yet, but we’re working on it
- We are continually hardening our applications and operating systems, and refining our tools and technologies to make our products more secure
- Bad Guys will always move to the optimum point on the work/reward curve
- Unhardened popular software is a great target

Page 5:

Stage One: Denial
Bad Guys Don’t Care About Games

- Bad Guys care about money
- Organized crime is already using …
  - … Identity Theft to open accounts on MMOs for Gold Farming
  - … custom Malware in Internet Cafés to steal MMO accounts
- Compromised accounts are already being sold and traded in the same black market channels that sell identity documents, credit cards, and bank accounts

Page 6:

Stage One: Denial
We Don’t Have Multiplayer So We’re Safe

Do you…
- …have Replays?
- …have Save Games?
- …support User-Created Content?
- …download updates from the Internet?
- …download anything from the Internet?

Page 7:

Stage One: Denial
Christmas, Reviews, Sales, not Security

- This isn’t important enough to miss a ship date for
- “Market seems to act on this information and punishes a vendor, who on an average, loses around 0.63% of its market value on the day a vulnerability is reported in its products.”
  [Telang R and S Wattal (2004)]

Page 8:

Stage One: Denial
We’re Not An Attractive Target

- Major market penetration in and of itself makes you an attractive target
  "Nobody ever expects the Worm of Warcraft..."
  Dan Kaminsky, DoxPara Research
- Common patterns in game development make things easier for attackers

Page 9:

Stage One: Denial
What Patterns?

- Heavy use of middleware, that itself is often highly customized, and reuse of existing game code in future products
- Engines designed to be user extensible, with automated downloading of user-created content and code
- Server status, patch level, and location are often broadly advertised
- Requirement that the game run with full Administrator privileges

Page 10:

Stage Two: Anger
Blaming Security Researchers

- “They are nothing but terrorists”
  A well-known game industry figure, expounding on security researchers at the Fairmont Bar
- A largely monosyllabic diatribe consisting almost exclusively of the Seven Words You Cannot Say On Television
  Ok, that was me

Page 11:

Stage Two: Anger
The World As It Is

- Many security researchers have never been directly involved in shipping commercial software
- Some security researchers will publicly disclose vulnerabilities without notifying the developers
- Some security researchers will distribute “proof of concept” exploits for discovered vulnerabilities

Page 12:

Stage Two: Anger
Correctly Directing Blame

- Malware authors and distributors who exploit vulnerabilities
- Marketing that takes a solid month of your development cycle to stabilize an early build for E3 and generates exactly zero coverage. Anywhere.
  - Even if you search with Google
- Ourselves

Page 13:

Stage Three: Bargaining
If we had a problem, what do we do?

- Stop requiring Administrator privileges
  - In fact, drop them if you find that you have them
- Compile your code with /GS, /SAFESEH, /NXCOMPAT, and /DYNAMICBASE
- Replace unsafe API calls (i.e., strcpy) with the safe replacements provided by Microsoft
- Michael will be covering these in detail in “Hardening the Box: Xbox 360 and Windows Vista Security Models”

Page 14:

Stage Three: Bargaining
And then we’re safe?

No, that just mitigates the damage caused by security vulnerabilities.

Page 15:

Stage Three: Bargaining
What Are These “Vulnerabilities”?

- Fundamentally, they are coding errors that occur when assumptions about the data are violated
- The coding errors become vulnerabilities when they take data from an untrusted source, and do not validate it against those assumptions before use

Page 16:

Stage Three: Bargaining
Buffer Overruns

    while (*pwszTemp != L'\\')
        *pwszServerName++ = *pwszTemp++;

Blaster involved more than 1.5 million compromised computers, all from a two line coding error by a senior developer

Page 17:

Stage Three: Bargaining
Different Assumptions in Code

    …
    fgets( buffer, 256, file );
    LogCommand( users[curUser].Name, buffer );
    …
    void LogCommand( char *user, char *cmd )
    {
        char logString[128];
        sprintf( logString, "User: %s Command: %s",
                 user, cmd );
        …
    }

Page 18:

Stage Three: Bargaining
ASSERT Considered Harmful

    void Packet::CopyContents( void *buffer,
                               unsigned int maxSize )
    {
        ASSERT( buffer );
        ASSERT( ContentsSize() <= maxSize );
        memcpy( buffer,
                Contents(), ContentsSize() );
    }

Page 19:

Stage Three: Bargaining
Arithmetic Underflow

    int dataSize = packet->Size() - HEADERSIZE;

    if( bufferSize > dataSize )
    {
        memcpy( buffer,
                &packet->Buffer()[HEADERSIZE],
                dataSize );
    }

Page 20:

Stage Three: Bargaining
Arithmetic Overflow

    #define _BLOCKSIZE 64
    void *_MemAlloc( size_t cb ) {
        // Round to nearest block size
        size_t cbr = (cb + _BLOCKSIZE - 1) &
                     ~(_BLOCKSIZE - 1);
        return malloc( cbr );
    }
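
Hardened counterparts to the snippets on pages 18 to 20, as an added example that is not part of the original slides. The packet_t struct, the function names, and the HEADERSIZE value of 8 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADERSIZE 8u    /* assumed header length; the slides give no value */
#define BLOCKSIZE  64u   /* same block size as the slide's _BLOCKSIZE */

/* Hypothetical stand-in for the slides' Packet class. */
typedef struct {
    const unsigned char *data;   /* header followed by payload */
    size_t size;                 /* total length, taken from untrusted input */
} packet_t;

/* Page 18: the checks are runtime tests that survive a release build,
   where ASSERT compiles to nothing. Returns 0 on success, -1 on reject. */
int copy_contents(const packet_t *p, void *buffer, size_t max_size)
{
    if (p == NULL || p->data == NULL || buffer == NULL) return -1;
    if (p->size > max_size) return -1;
    memcpy(buffer, p->data, p->size);
    return 0;
}

/* Page 19: sizes stay unsigned and the subtraction happens only after
   confirming it cannot wrap. Returns 0 and sets *copied, or -1 on reject. */
int copy_payload(const packet_t *p, void *buffer, size_t buffer_size,
                 size_t *copied)
{
    if (p == NULL || p->data == NULL || buffer == NULL || copied == NULL) return -1;
    if (p->size < HEADERSIZE) return -1;         /* size - HEADERSIZE would wrap */
    size_t data_size = p->size - HEADERSIZE;
    if (data_size > buffer_size) return -1;      /* payload does not fit */
    memcpy(buffer, p->data + HEADERSIZE, data_size);
    *copied = data_size;
    return 0;
}

/* Page 20: refuse a request that would wrap past SIZE_MAX when rounded up,
   which would otherwise produce a block far smaller than the caller expects. */
int round_to_block(size_t cb, size_t *rounded)
{
    if (cb > SIZE_MAX - (BLOCKSIZE - 1)) return -1;
    *rounded = (cb + BLOCKSIZE - 1) & ~(size_t)(BLOCKSIZE - 1);
    return 0;
}

void *mem_alloc(size_t cb)
{
    size_t cbr;
    return round_to_block(cb, &cbr) == 0 ? malloc(cbr) : NULL;
}

int main(void)
{
    unsigned char raw[4] = { 0 }, out[16];
    packet_t runt = { raw, sizeof raw };   /* constructed: shorter than a header */
    size_t n = 0;
    printf("runt packet: %d, huge alloc: %p\n",
           copy_payload(&runt, out, sizeof out, &n), mem_alloc(SIZE_MAX));
    return 0;
}
```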

Page 21:

Stage Four: Depression
This Is Really Bad, Isn’t It?

Yes

Page 22:

Stage Five: Acceptance
“We’re Doomed!” Is Acceptance?

There is a way out…
… and line noise will help you.

Page 23:

Stage Five: Acceptance
Line Noise?

In 1989, Professor Barton Miller’s team at the University of Wisconsin discovered a powerful means for finding code defects with unintended input:

It started on a dark and stormy night. One of the authors was logged on to his workstation on a dial-up line from home and the rain had affected the phone lines; there were frequent spurious characters on the line. It was a race to see if he could type a sensible sequence of characters before the noise scrambled the command. This line noise was not surprising; but we were surprised that these spurious characters were causing programs to crash.

Page 24:

Stage Five: Acceptance
What is Fuzzing?

- The deliberate use of malformed data to find code defects
- What can fuzzing do?
  - Finds specific classes of code defects:
    - Access violations
    - Memory spikes
    - CPU spikes
- What can’t fuzzing do?
  - Validate that the application correctly handles malformed data
  - Find some classes of fundamental design defects

Page 25:

Stage Five: Acceptance
How does this help us?

- This is one of the primary tools that attackers use to find vulnerabilities
- It provides a very cost-effective and automatable way of finding security and stability defects in code
- It does not require significant expertise in security to use
- It lends itself well to regression testing
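
A small seeded mutation-fuzzing harness of the kind pages 24 and 25 describe, as an added example that is not part of the original slides. The record format, parse_record and all other names are hypothetical; the fixed seed makes each run replayable as a regression test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 32      /* capacity of the parser's output buffer */
#define GUARD   0xA5    /* sentinel byte placed on both sides of it */

/* Hypothetical target: one length byte followed by that many payload bytes.
   Returns the payload length, or -1 when the record is malformed. */
int parse_record(const unsigned char *in, size_t in_len,
                 unsigned char *out, size_t out_max)
{
    if (in_len < 1) return -1;
    size_t n = in[0];
    if (n > in_len - 1 || n > out_max) return -1;
    memcpy(out, in + 1, n);
    return (int)n;
}

/* xorshift32 with a caller-supplied nonzero seed, so a failing run replays. */
static uint32_t next_rand(uint32_t *s)
{
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

typedef struct { unsigned accepted, rejected, guard_hits, bad_returns; } fuzz_stats;

/* Mutates a valid seed record and checks two oracles after every call:
   the guard bytes are intact and the return value is within bounds. */
fuzz_stats fuzz_parse_record(uint32_t seed, unsigned iterations)
{
    static const unsigned char valid[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    fuzz_stats st = { 0, 0, 0, 0 };
    for (unsigned i = 0; i < iterations; i++) {
        unsigned char in[64], box[OUT_MAX + 2];
        size_t len = sizeof valid;
        uint32_t kind = next_rand(&seed) % 4, a = next_rand(&seed), b = next_rand(&seed);
        memcpy(in, valid, len);
        if (kind == 0) in[a % len] ^= (unsigned char)(1u << (b % 8)); /* bit flip */
        else if (kind == 1) in[0] = (unsigned char)a;            /* false length */
        else if (kind == 2) len = a % (sizeof valid + 1);        /* truncation */
        else {                                                   /* random tail */
            len = 1 + a % (sizeof in - 1);
            for (size_t k = sizeof valid; k < len; k++) in[k] = (unsigned char)next_rand(&seed);
            in[0] = (unsigned char)b;
        }
        memset(box, GUARD, sizeof box);
        int r = parse_record(in, len, box + 1, OUT_MAX);
        if (box[0] != GUARD || box[OUT_MAX + 1] != GUARD) st.guard_hits++;
        if (r < -1 || r > OUT_MAX || (r >= 0 && (size_t)r + 1 > len)) st.bad_returns++;
        if (r >= 0) st.accepted++; else st.rejected++;
    }
    return st;
}

int main(void)
{
    fuzz_stats st = fuzz_parse_record(1u, 10000u);
    printf("accepted=%u rejected=%u guard_hits=%u bad_returns=%u\n",
           st.accepted, st.rejected, st.guard_hits, st.bad_returns);
    return (st.guard_hits || st.bad_returns) ? 1 : 0;
}
```

Single guard bytes only catch writes that land directly next to the buffer; running the same harness under PageHeap, which page 26 recommends, catches the rest.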

Page 26:

Stage Five: Acceptance
Is there anything else we can do?

- Use the PreFast (i.e. “/analyze”) static source code analysis tool, included with the Windows SDK or Visual Studio 2005 Team System, to identify potential security defects in code
- Use PageHeap to find memory issues as soon as possible
- Use AppVerifier to look for flagged behavior

Page 27:

Questions?

Page 28:

Additional References

- Writing Secure Code, 2nd Edition
  Michael Howard and David LeBlanc
  Microsoft Press, 2003
- Fuzzing Tools Wiki
  http://rtos.trinux.org/secwiki/FuzzingTools
- Security Development Lifecycle
  http://msdn.microsoft.com/library/en-us/dnsecure/html/sdl.asp
- Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation
  http://www.heinz.cmu.edu/~rtelang/event_study.pdf

Page 29:

© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

- DirectX Developer Center
  http://msdn.microsoft.com/directx
- Game Development MSDN Forums
  http://forums.microsoft.com/msdn
- Xbox 360 Central
  http://xds.xbox.com/
- XNA Web site
  http://www.microsoft.com/xna