fides remote anomaly based cheat detection using client emulation n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation PowerPoint Presentation
Download Presentation
Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation

Loading in 2 Seconds...

play fullscreen
1 / 37

Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation - PowerPoint PPT Presentation


  • 101 Views
  • Uploaded on

Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation. Ed Kaiser Wu-chang Feng Travis Schluessler. The Cheating Problem. Networked games simulate complex worlds limited server computation player sensitivity to network latency Client is trusted to run simulation locally

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation' - ferrol


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
fides remote anomaly based cheat detection using client emulation

Fides: Remote Anomaly-Based Cheat Detection Using Client Emulation

Ed Kaiser

Wu-chang Feng

Travis Schluessler

the cheating problem
The Cheating Problem
  • Networked games simulate complex worlds
    • limited server computation
    • player sensitivity to network latency
  • Client is trusted to run simulation locally
    • follow game rules
    • keep secrets from player
  • Cheats are software that abuse the trust
    • accomplish feats a cheater is unable to do
    • automate actions a cheater is unwilling to do
cheating affects online games
Cheating Affects Online Games
  • Frustrates legitimate players
    • distorts in-game economy
    • not fun to play against cheaters
    • cannot tell if good opponents are legitimate
      • good players get accused of cheating
  • Impacts profitability of game developer
    • existing players may quit in frustration
    • bad reputation dissuades new players
    • increases operating costs
      • EVE online 2% adversary  30% CPU

Game Experience May

Change During Online Play

what cheats modify ng08
What Cheats Modify [NG08]
  • Game memory via WriteProcessMemory()
    • static data (e.g., gravity constants)
    • dynamic data (e.g., location, health, team)
    • altering existing code (e.g., hot patch)
    • injecting new code (e.g., DLL injection)
  • Game execution
    • thread hijacking (e.g., detour, function hooking)
    • thread injection via CreateRemoteThread()
    • as debugger via DebugActiveProcess()
nemesis warcraft iii maphack
Nemesis Warcraft III MapHack
  • Reveals map and secret opponent locations
    • inject DLL containing cheat code
    • detours rendering functions
    • hooks I/O handlers for toggling operation
    • calls game message functions to display status

Cheat

Enabled

state of the art in defense
State-of-the-Art in Defense
  • Signature-based cheat detection
    • generate cheat-specific signatures
      • must obtain working cheats
      • continual developer effort
      • state grows as new cheats are cataloged
      • does not deal well with polymorphism
    • search every process for known signatures
      • indiscriminately reads private data (e.g., Blizzard’s Warden)
      • prone to false positives:

“Rifle Aim

Prediction:”

into IRC channel

Tricking Punkbuster

Tricking VAC

similar to other security problems
Similar to other Security Problems
  • Similarity to rootkits
    • adversary controls the machine
      • has administrator privileges
      • runs before anti-cheat software
      • can modify the operating system and other tools
    • uses advanced techniques
      • cloak itself just-in-time (e.g., Hoglund’s Supervisor)
      • spoof anti-cheat software results
  • Similarity to viruses
    • obfuscation to prevent reversing
    • polymorphism to thwart signature detectors
yet is distinct security problem
... yet is Distinct Security Problem
  • Adversary is owner of machine
  • Always connected, for long time periods
    • cannot disable server-initiated security (unlike Windows Update)
    • server can perform arbitrary checks on-demand
  • Typically targets game code
    • limited places to attack
    • can do anomaly-based detection (à la kernel integrity approach)
  • Presence is not immediately catastrophic
    • machine is not used to attack network hosts
    • damage can be rolled back easily
      • unlike reissuing stolen credit card numbers, SSNs, etc.
    • can wait to take action (to prevent cheater from learning)
  • Monetary penalty for being caught
    • $50 game copy, $10/month, plus time lost (opposed to botnet)
the fides approach
The Fides Approach
  • Approach leverages properties of problem
  • Anomaly-based cheat detection
    • know what game looks like
      • cheat agnostic
      • finite state
      • readily available
    • search the game client for deviations
      • cheater targets game code
    • detection is sufficient
      • cheat is not immediately catastrophic
fides approach cont d
Fides Approach cont’d
  • Via continued random remote measurement
    • unpredictable measurements
      • probability of detecting cheater
      • conceals what will next be measured and when,

instilling “fear-of-the-unknown”

    • server has indefinite contact with the client
      • cheater is always connected, for long time periods
fides approach cont d1
Fides Approach cont’d
  • Using partial client emulation
    • accommodate client system variation
      • between players
      • between sessions (e.g., desktop vs. laptop)
    • regarding libraries, versions, and locations
      • operating systems
      • service pack level
    • always connected, for long time periods
      • can audit until absolutely confident in detection
      • avoid false-positive detection
fides architecture

Game

Client

Game

Server

Controller

Auditor

Fides Architecture
  • Controller decides what & when (and eventually how) to measure the client
    • compares measurement to emulated state
    • alters player account when caught cheating
  • Auditor only reads game process state

Player

Account

Emulator

Request

Data

limitations to approach
Limitations to Approach
  • As software implementation
    • Auditor will become target of attack
      • feed it known legitimate client process-state data
        • statically generated (pre-sampled and stored in database)
        • dynamically generated (running second unmodified client)
      • hook it to know when to unload cheat
  • Cannot catch cheats external to game client
    • collusion cheats

(e.g., online poker cheaters)

    • robotic cheats

(e.g., Guitar Hero robot)

addressing the limitations
Addressing the Limitations
  • Auditor is the weak point
    • cryptographically entangle the Auditor
      • similar approach to Pioneer
    • use secure hardware to verify Auditor operation
      • similar to Intel anti-virus presence detector
    • run the Auditor itself on secure hardware
      • (e.g., the Intel AMT Manageabilty Engine)
      • similar to Copilot
    • client polymorphism
      • using methods similar to in-memory DLL injection
  • Does not detect completely external cheats
    • anomaly-based detection on user behavior or statistics, available to server
controller design
Controller Design
  • Emulates client-process state
    • drives audit strategist (could be game-specific)
    • used to validate audits

Game Server

Client

Layout

Code

Disassembler

Binary

Parser

Game

Binary

Code

Patterns

Memory

Layout

Client

Emulator

Libraries

Dynamic

Data

Audit

Strategist

Emulated

Client State

Cheaters

Audit

Validator

Auditor

partial client emulation
Partial Client Emulation
  • Done once at client login
    • share library names, versions and locations
  • Works on commercial-off-the-shelf games
  • Binary Parser recreates client layout
    • uses libraries/executable stored at Controller
    • uses client layout (base locations) to map them
    • identifies and hashes static code & data
      • high confidence in client understanding
    • identifies dynamic data regions
      • more expensive (i.e., game-specific) to validate
      • high confidence in client understanding
partial client emulation cont d
Partial Client Emulation cont’d
  • Code Disassembler
    • creates a rough call graph
      • learns instruction range for each function
      • learns CALL addresses (i.e., relating functions)
      • lower confidence (difficult to get complete coverage)

Partial Call Graph of a Homebrew game

partial client emulation cont d1
Partial Client Emulation cont’d
  • Execution Sampler and Execution Profiler
    • run game in VM with identical layout to client
    • learn dynamic calls not obtainable through static analysis
      • use hardware debugging techniques to single-step through execution
auditor design
Auditor Design
  • Measures the client process
    • returns the data to the controller

Game Client

Sample

Memory

Hash

Page

Trace

Stack

Detect

Debugger

EIP

00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00

0x8CC70208

0x90BEFFFA

0xA4506CEB

0xBEF9A3F7

0xC67178F2

EIPn

Game

Data

Digest

yes / no

...

r / w / x

r / w / x

EIP0

Request

Handler

Controller

auditor measurements ng08
Auditor Measurements [NG08]

Cheat Methods best detected by the Auditor Measurements

evaluation
Evaluation
  • Implemented Auditor & Controller in C++
    • running on separate 2.39GHz Intel Core2
    • on commercial-off-the-shelf game Warcraft III
experiment setup
Experiment Setup
  • Ran the following cheats:
    • Bendik’s MH, NOPs a few bytes
    • Kolkoo’s MH, NOPs bytes over more pages
    • Revealer MH, NOPs and hooks input functions
    • Simple MH, NOPs bytes over many pages
    • Nemesis MH, complex and “undetectable”
  • Periodically audit (±5% randomness)
  • Code page hash audit the game
    • hash currently executed code page
  • Measure the mean audits required to detect
    • averaged over 1000 trials

complexity

results
Results
  • Auditing roughly once every 100ms
  • Auditing roughly once every second
observations
Observations
  • Detects the cheats relatively quickly
    • within minutes at high frequency (≤100ms)
    • in twenty minutes at low frequency (≈1s)
  • Audits required to detect
    • starts low
      • when sampling faster than game input loop, audits encounter more pages infrequently executed
    • asymptotically levels off
      • when sampling much slower than game input loop, each audit becomes independent random sample
      • complex cheats alter more game state, become easier to detect and thus require fewer audits
conclusions
Conclusions
  • Cheats are advanced
    • large range of cheat methods
    • present a distinct security problem
  • Fides is specifically designed to catch them
    • anomaly-based detection
    • via continued random remote measurements
    • using partial client emulation
thanks
Thanks

Sponsored in part by an Intel Research Council Award.

gold farming example
“Gold Farming” Example
  • Automation software
    • endless repetition
  • Cheap foreign labor
    • manage the software
    • respond to moderators

$200 / month

expense

virtual

$60k / month

profit

warcraft iii execution profile
Warcraft III Execution Profile

threads spend 77% of time

sleeping

across

8 active threads

(of 22 total)

15.6

can emulator state be reduced
Can emulator state be reduced?
  • Yes. Significant similarity between game execution on similar systems.
    • similar libraries
    • loaded to similar locations
warcraft iii memory allocation
Warcraft III Memory Allocation
  • Ran game on two different XP machines
    • 1000 trials on each (2000 total)
    • memory section is one or more 4KB pages
      • executable  code
      • writable  dynamic data
      • only readable  static data
warcraft iii memory allocation1
Warcraft III Memory Allocation

heap

entry point 0x40000

stack

what about unrecognized dlls
What about unrecognized DLLs?
  • Should not occur too often, however,
  • “soft-ban” them
    • if possible, only let them play on servers with peers also without recognized libraries
      • ensures legitimate clients shall not play with cheaters
    • if not possible, do not let them play until they update to recognized libraries
does auditor suspend the client
Does Auditor suspend the client?
  • Yes, in the following cases:
    • hash of current executed code page (for EIP)
    • sample memory (to ensure quiescent read)
    • stack trace (to ensure quiescent read)
    • detect debugger, last resort attach as debugger
  • Is it expensive or affect gameplay?
    • included in the benchmark speeds (order of μs)
    • only when audits are requested in tight loop (i.e., near frequency of context switch ≈16ms)
what about x86 64
What about x86-64?
  • Stack trace becomes a little more arduous
    • must collecting all instruction pointers stored in current registers
    • then uncover the stack as normal
references
References

H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the Effectiveness of Address-Space Randomization. In ACM CCS, Oct 2004.

netCoders. “The Unerring Punkbuster…” http://forum.netcoders.cc/announcements/14061-unerring-punkbuster.html

Wired News. “Guitar Hero Robot Plays Videogame With Electronic Precision.” http://blog.wired.com/gadgets/2008/11/guitar-here-rob.html

YouTube user awkookrenewed. “How to get banned from any server.” http://www.youtube.com/watch?v=Bcc3doeZSeu