1 / 37

Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation

Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation. Ed Kaiser Wu-chang Feng Travis Schluessler. The Cheating Problem. Networked games simulate complex worlds limited server computation player sensitivity to network latency Client is trusted to run simulation locally

damia
Download Presentation

Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation Ed Kaiser Wu-chang Feng Travis Schluessler

  2. The Cheating Problem • Networked games simulate complex worlds • limited server computation • player sensitivity to network latency • Client is trusted to run simulation locally • follow game rules • keep secrets from player • Cheats are software that abuse the trust • accomplish feats a cheater is unable to do • automate actions a cheater is unwilling to do

  3. Cheating Affects Online Games • Frustrates legitimate players • distorts in-game economy • not fun to play against cheaters • cannot tell if good opponents are legitimate • good players get accused of cheating • Impacts profitability of game developer • existing players may quit in frustration • bad reputation dissuades new players • increases operating costs • EVE online 2% adversary  30% CPU Game Experience May Change During Online Play

  4. What Cheats Modify [NG08] • Game memory via WriteProcessMemory() • static data (e.g., gravity constants) • dynamic data (e.g., location, health, team) • altering existing code (e.g., hot patch) • injecting new code (e.g., DLL injection) • Game execution • thread hijacking (e.g., detour, function hooking) • thread injection via CreateRemoteThread() • as debugger via DebugActiveProcess()

  5. Nemesis Warcraft III MapHack • Reveals map and secret opponent locations • inject DLL containing cheat code • detours rendering functions • hooks I/O handlers for toggling operation • calls game message functions to display status Cheat Enabled

  6. State-of-the-Art in Defense • Signature-based cheat detection • generate cheat-specific signatures • must obtain working cheats • continual developer effort • state grows as new cheats are cataloged • does not deal well with polymorphism • search every process for known signatures • indiscriminately reads private data (e.g., Blizzard’s Warden) • prone to false positives: “Rifle Aim Prediction:” into IRC channel Tricking Punkbuster Tricking VAC

  7. Similar to other Security Problems • Similarity to rootkits • adversary controls the machine • has administrator privileges • runs before anti-cheat software • can modify the operating system and other tools • uses advanced techniques • cloak itself just-in-time (e.g., Hoglund’s Supervisor) • spoof anti-cheat software results • Similarity to viruses • obfuscation to prevent reversing • polymorphism to thwart signature detectors

  8. ... yet is Distinct Security Problem • Adversary is owner of machine • Always connected, for long time periods • cannot disable server-initiated security (unlike Windows Update) • server can perform arbitrary checks on-demand • Typically targets game code • limited places to attack • can do anomaly-based detection (à la kernel integrity approach) • Presence is not immediately catastrophic • machine is not used to attack network hosts • damage can be rolled back easily • unlike reissuing stolen credit card numbers, SSNs, etc. • can wait to take action (to prevent cheater from learning) • Monetary penalty for being caught • $50 game copy, $10/month, plus time lost (opposed to botnet)

  9. The Fides Approach • Approach leverages properties of problem • Anomaly-based cheat detection • know what game looks like • cheat agnostic • finite state • readily available • search the game client for deviations • cheater targets game code • detection is sufficient • cheat is not immediately catastrophic

  10. Fides Approach cont’d • Via continued random remote measurement • unpredictable measurements • probability of detecting cheater • conceals what will next be measured and when, instilling “fear-of-the-unknown” • server has indefinite contact with the client • cheater is always connected, for long time periods

  11. Fides Approach cont’d • Using partial client emulation • accommodate client system variation • between players • between sessions (e.g., desktop vs. laptop) • regarding libraries, versions, and locations • operating systems • service pack level • always connected, for long time periods • can audit until absolutely confident in detection • avoid false-positive detection

  12. Game Client Game Server Controller Auditor Fides Architecture • Controller decides what & when (and eventually how) to measure the client • compares measurement to emulated state • alters player account when caught cheating • Auditor only reads game process state Player Account Emulator Request Data

  13. Limitations to Approach • As software implementation • Auditor will become target of attack • feed it known legitimate client process-state data • statically generated (pre-sampled and stored in database) • dynamically generated (running second unmodified client) • hook it to know when to unload cheat • Cannot catch cheats external to game client • collusion cheats (e.g., online poker cheaters) • robotic cheats (e.g., Guitar Hero robot)

  14. Addressing the Limitations • Auditor is the weak point • cryptographically entangle the Auditor • similar approach to Pioneer • use secure hardware to verify Auditor operation • similar to Intel anti-virus presence detector • run the Auditor itself on secure hardware • (e.g., the Intel AMT Manageabilty Engine) • similar to Copilot • client polymorphism • using methods similar to in-memory DLL injection • Does not detect completely external cheats • anomaly-based detection on user behavior or statistics, available to server

  15. Controller Design • Emulates client-process state • drives audit strategist (could be game-specific) • used to validate audits Game Server Client Layout Code Disassembler Binary Parser Game Binary Code Patterns Memory Layout Client Emulator Libraries Dynamic Data Audit Strategist Emulated Client State Cheaters Audit Validator Auditor

  16. Partial Client Emulation • Done once at client login • share library names, versions and locations • Works on commercial-off-the-shelf games • Binary Parser recreates client layout • uses libraries/executable stored at Controller • uses client layout (base locations) to map them • identifies and hashes static code & data • high confidence in client understanding • identifies dynamic data regions • more expensive (i.e., game-specific) to validate • high confidence in client understanding

  17. Partial Client Emulation cont’d • Code Disassembler • creates a rough call graph • learns instruction range for each function • learns CALL addresses (i.e., relating functions) • lower confidence (difficult to get complete coverage) Partial Call Graph of a Homebrew game

  18. Partial Client Emulation cont’d • Execution Sampler and Execution Profiler • run game in VM with identical layout to client • learn dynamic calls not obtainable through static analysis • use hardware debugging techniques to single-step through execution

  19. Auditor Design • Measures the client process • returns the data to the controller Game Client Sample Memory Hash Page Trace Stack Detect Debugger EIP 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x8CC70208 0x90BEFFFA 0xA4506CEB 0xBEF9A3F7 0xC67178F2 EIPn Game Data Digest yes / no ... r / w / x r / w / x EIP0 Request Handler Controller

  20. Auditor Measurements [NG08] Cheat Methods best detected by the Auditor Measurements

  21. Evaluation • Implemented Auditor & Controller in C++ • running on separate 2.39GHz Intel Core2 • on commercial-off-the-shelf game Warcraft III

  22. Experiment Setup • Ran the following cheats: • Bendik’s MH, NOPs a few bytes • Kolkoo’s MH, NOPs bytes over more pages • Revealer MH, NOPs and hooks input functions • Simple MH, NOPs bytes over many pages • Nemesis MH, complex and “undetectable” • Periodically audit (±5% randomness) • Code page hash audit the game • hash currently executed code page • Measure the mean audits required to detect • averaged over 1000 trials complexity

  23. Results • Auditing roughly once every 100ms • Auditing roughly once every second

  24. Detecting Warcraft III MapHacks

  25. Observations • Detects the cheats relatively quickly • within minutes at high frequency (≤100ms) • in twenty minutes at low frequency (≈1s) • Audits required to detect • starts low • when sampling faster than game input loop, audits encounter more pages infrequently executed • asymptotically levels off • when sampling much slower than game input loop, each audit becomes independent random sample • complex cheats alter more game state, become easier to detect and thus require fewer audits

  26. Conclusions • Cheats are advanced • large range of cheat methods • present a distinct security problem • Fides is specifically designed to catch them • anomaly-based detection • via continued random remote measurements • using partial client emulation

  27. Thanks Sponsored in part by an Intel Research Council Award.

  28. Extra Slides

  29. “Gold Farming” Example • Automation software • endless repetition • Cheap foreign labor • manage the software • respond to moderators $200 / month expense virtual $60k / month profit

  30. Warcraft III Execution Profile threads spend 77% of time sleeping across 8 active threads (of 22 total) 15.6

  31. Can emulator state be reduced? • Yes. Significant similarity between game execution on similar systems. • similar libraries • loaded to similar locations

  32. Warcraft III Memory Allocation • Ran game on two different XP machines • 1000 trials on each (2000 total) • memory section is one or more 4KB pages • executable  code • writable  dynamic data • only readable  static data

  33. Warcraft III Memory Allocation heap entry point 0x40000 stack

  34. What about unrecognized DLLs? • Should not occur too often, however, • “soft-ban” them • if possible, only let them play on servers with peers also without recognized libraries • ensures legitimate clients shall not play with cheaters • if not possible, do not let them play until they update to recognized libraries

  35. Does Auditor suspend the client? • Yes, in the following cases: • hash of current executed code page (for EIP) • sample memory (to ensure quiescent read) • stack trace (to ensure quiescent read) • detect debugger, last resort attach as debugger • Is it expensive or affect gameplay? • included in the benchmark speeds (order of μs) • only when audits are requested in tight loop (i.e., near frequency of context switch ≈16ms)

  36. What about x86-64? • Stack trace becomes a little more arduous • must collecting all instruction pointers stored in current registers • then uncover the stack as normal

  37. References H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the Effectiveness of Address-Space Randomization. In ACM CCS, Oct 2004. netCoders. “The Unerring Punkbuster…” http://forum.netcoders.cc/announcements/14061-unerring-punkbuster.html Wired News. “Guitar Hero Robot Plays Videogame With Electronic Precision.” http://blog.wired.com/gadgets/2008/11/guitar-here-rob.html YouTube user awkookrenewed. “How to get banned from any server.” http://www.youtube.com/watch?v=Bcc3doeZSeu

More Related