7. Structure
• Normal, English sentences that are used to describe
the entire scenario
• Each sentence contains placeholders for the various
parts of the risk
Malicious competitor attacks the server side and takes advantage of limited server-side bandwidth and uses DDoS to cause extreme lag that lets them win a match, resulting in frustrated users not playing the game anymore, which could have been avoided using DDoS protection.
14. Semantic Structure
Actor attacks Attack Surface and uses Exploit
to take advantage of Vulnerability to try to
achieve their Goal, resulting in Negative
Outcome, which could have been avoided by
Defense.
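Added example, not code from the deck or from the OWASP Game Security Framework project: the slide-14 sentence as a small Python schema. An entry is a record with one field per placeholder, `render()` produces the plain-English sentence, and `load_entries()` reads spreadsheet-style rows and flags any that leave a placeholder empty, which is the "don't break the schema" check the project needs when collecting bugs in bulk. The field names, the CSV layout and the sample rows are assumptions of this example; the sample rows are the slide-7 DDoS scenario and two slides from later in the deck, one of them with its goal left blank on purpose.

```python
import csv
import io
from dataclasses import dataclass, fields

# The sentence template from slide 14; every {placeholder} is one component of a risk.
TEMPLATE = (
    "{actor} attacks {attack_surface} and uses {exploit} to take advantage of "
    "{vulnerability} to try to achieve {goal}, resulting in {negative_outcome}, "
    "which could have been avoided by {defense}."
)


@dataclass(frozen=True)
class GameRisk:
    actor: str
    attack_surface: str
    exploit: str
    vulnerability: str
    goal: str
    negative_outcome: str
    defense: str

    def missing(self) -> list:
        """Names of the placeholders left empty, i.e. the ways this entry breaks the schema."""
        return [f.name for f in fields(self) if not getattr(self, f.name).strip()]

    def render(self) -> str:
        """Produce the plain-English sentence, refusing to render an incomplete entry."""
        gaps = self.missing()
        if gaps:
            raise ValueError("incomplete entry, missing: " + ", ".join(gaps))
        return TEMPLATE.format(**{f.name: getattr(self, f.name) for f in fields(self)})


def load_entries(csv_text: str):
    """Read spreadsheet rows (header row = placeholder names, an assumed layout) and split
    them into schema-conformant entries and, keyed by spreadsheet row number, the fields
    each bad row lacks."""
    valid, broken = [], {}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        entry = GameRisk(**{f.name: (row.get(f.name) or "") for f in fields(GameRisk)})
        gaps = entry.missing()
        if gaps:
            broken[row_no] = gaps
        else:
            valid.append(entry)
    return valid, broken


# Slide 7's DDoS scenario as structured data.
DDOS_LAG = GameRisk(
    actor="Malicious competitor",
    attack_surface="the server side",
    exploit="DDoS",
    vulnerability="limited server-side bandwidth",
    goal="extreme lag that lets them win a match",
    negative_outcome="frustrated users not playing the game anymore",
    defense="DDoS protection",
)

# Constructed sample of a capture spreadsheet: row 2 is slide 17, row 3 is slide 19 with its
# goal column left blank, which is exactly the kind of entry the schema check should flag.
SAMPLE_CSV = """actor,attack_surface,exploit,vulnerability,goal,negative_outcome,defense
Player,the server,hidden admin commands,client-side filters,survive PvP,frustrated users not playing anymore,server-side controls
Player,the client,local hack,logic flaw,,ladder chaos,better code
"""

if __name__ == "__main__":
    print(DDOS_LAG.render())
    ok, bad = load_entries(SAMPLE_CSV)
    print(len(ok), "valid entries; broken rows:", bad)
```

Keeping the seven components as separate fields rather than as one free-text sentence is what makes the corpus queryable later (every entry whose defense is "server-side controls", every attack surface that is "the client"), and the blank-field check is cheap to run over the whole spreadsheet before anything is published.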
16. Ping + Teleport
1. Mess with your own connection
2. Server starts reporting your location sporadically
3. Allows you to pass through objects
4. BONUS: Avoid being attacked because you’re like a
ghost
Player attacks the network and takes advantage of throttling and uses connection
degradation to cause extreme lag that lets them avoid harm, resulting in frustrated
users not playing the game anymore, which could have been avoided using better
code.
17. Moar Monsters
1. When logged in as an admin there are options to do lots
of things, like call monsters
2. Players figure out they can execute admin commands as
well (only the menu was missing)
3. They get in nasty PvP and call in tons of nasty mobs to
crush enemies
Player attacks the server and takes advantage of client-side filters and uses hidden
admin commands to cause in game chaos that lets them survive pvp, resulting in
frustrated users not playing the game anymore, which could have been avoided
using server-side controls.
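Added example, not code from the deck or from any game it mentions: the slide-17 bug and its fix as a command dispatcher in Python. In the vulnerable version the server runs any well-formed command it receives, because the only gate was the admin menu in the client; in the hardened version the role comes from the session the server created at login, GM-only commands are refused for everyone else, and refusals are logged. The command names, roles and `execute()` behaviour are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PLAYER = "player"
    GM = "gm"


@dataclass
class Session:
    player_id: str
    role: Role            # assigned by the server at login from its own account records


# Everything a client can ask the server to do, and the subset reserved for GMs (assumed names).
COMMANDS = {"say", "trade", "spawn_mob", "teleport", "ban"}
GM_ONLY = {"spawn_mob", "teleport", "ban"}

AUDIT_LOG = []


def execute(session: Session, command: str, args: dict) -> str:
    """Game-side effect of a command. Constructed stand-in: returns a description of what
    would happen instead of touching a game world."""
    if command == "spawn_mob":
        return f"{session.player_id} spawned {args['count']} x {args['mob']}"
    if command == "say":
        return f"{session.player_id}: {args['text']}"
    return f"{session.player_id} ran {command}"


def dispatch_vulnerable(session: Session, command: str, args: dict) -> str:
    """Slide 17's bug: the menu in the client was the only filter, so a player who learns
    the command name (from the protocol, a leaked client build, or guessing) gets it run."""
    if command not in COMMANDS:
        return "unknown command"
    return execute(session, command, args)


def dispatch_hardened(session: Session, command: str, args: dict) -> str:
    """Authorization lives on the server: the role is read from the server-side session,
    never from anything in the request (an 'is_admin' flag in args is simply ignored),
    and denials are recorded so attempts show up in monitoring."""
    if command not in COMMANDS:
        return "unknown command"
    if command in GM_ONLY and session.role is not Role.GM:
        AUDIT_LOG.append(f"denied {command} for {session.player_id} (role={session.role.value})")
        return "denied"
    return execute(session, command, args)


if __name__ == "__main__":
    player = Session("p1", Role.PLAYER)
    print(dispatch_vulnerable(player, "spawn_mob", {"mob": "dragon", "count": 50}))
    print(dispatch_hardened(player, "spawn_mob", {"mob": "dragon", "count": 50}))
    print(AUDIT_LOG)
```

The check is a few lines, but it has to sit in the one place every command passes through; a per-menu check in the client, or a check only in the handlers someone remembered, is how the "only the menu was missing" situation arises.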
18. Midnight Store
1. Game bugs required the server to be restarted at
midnight
2. If you were in the middle of a trade when the
server went down, both players got both sides of
the trade
Player attacks the game and takes advantage of a logic bug and uses knowledge of the bug to cause item duplication that lets them unfairly increase loot, resulting in less need to buy things, which could have been avoided using better code.
19. Marvel at my DC
1. Play a Star Wars game on Android
2. Go into Airplane Mode in the middle of the game
3. Run Android hack to automatically win
4. Reconnect, advance on the ladder
Player attacks the client and takes advantage of local hack and logic flaw and uses
local hack to cause unfair ladder win that lets them, resulting in ladder chaos, which
could have been avoided using better code.
20. Ooh Sparkly
1. Launching lots of graphics-intensive actions could cause
frame rate drops
2. People load up on the most graphics-intensive combos
and fire them off if they’re attacked
3. Nobody could kill them because they could run away
while their game is lagging
Player attacks the client and takes advantage of resource constraints and uses
knowledge of bug to cause unfair pvp advantage that lets them avoid death during
pvp, resulting in angry players and fewer users, which could have been avoided using
better code.
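Added example, not code from the deck or from any game it mentions, covering slides 16 (Ping + Teleport) and 20 (Ooh Sparkly) together: a server-authoritative movement check in Python. The server keeps the only position that counts, accepts a client-reported position only if it is reachable at the maximum speed since the last accepted update, samples the path against map geometry so a jump through a wall is refused, and caps the elapsed time so a client that goes silent cannot bank distance for a later teleport. Hits are resolved against the server position, so a client whose frame rate has collapsed or that has stopped reporting stays where the server last put it. The speed, tolerance, map and time cap are assumptions of this example.

```python
import math

MAX_SPEED = 5.0      # world units per second the server will accept from any client (assumed)
TOLERANCE = 1.10     # 10% slack for clock jitter before a move is refused
MAX_DT = 0.5         # seconds of "travel budget" a silent client may accumulate
WALLS = {(3, 0), (3, 1), (3, 2)}   # constructed map: a wall occupying x=3, y=0..2


def blocked(x, y) -> bool:
    return (math.floor(x), math.floor(y)) in WALLS


def path_clear(p0, p1, step=0.25) -> bool:
    """Sample the straight line between two positions; any sample inside a wall means the
    client is trying to clip through geometry, whatever its claimed speed."""
    n = max(1, int(math.dist(p0, p1) / step))
    for i in range(n + 1):
        t = i / n
        if blocked(p0[0] + t * (p1[0] - p0[0]), p0[1] + t * (p1[1] - p0[1])):
            return False
    return True


class ServerPlayer:
    def __init__(self, pos, now):
        self.pos = pos              # the only position that counts for movement and combat
        self.last_update = now      # server clock, never a timestamp the client sent
        self.hp = 100
        self.rejected = 0

    def move(self, claimed, now):
        """Accept a client-reported position only if it is reachable at MAX_SPEED since the
        last accepted update. Elapsed time is capped, so degrading your own connection
        (slide 16) does not buy a bigger jump later. Returns the position the client must
        snap back to, which is its own claim only when the move was accepted."""
        dt = min(max(now - self.last_update, 1e-3), MAX_DT)
        self.last_update = now
        too_far = math.dist(self.pos, claimed) > MAX_SPEED * dt * TOLERANCE
        if too_far or not path_clear(self.pos, claimed):
            self.rejected += 1
            return self.pos
        self.pos = claimed
        return self.pos

    def hit(self, attacker_pos, reach, damage) -> bool:
        """Combat resolves against the server position, so a client that is lagging (slide 20)
        or silent is still standing where the server has it and can still be hit."""
        if math.dist(attacker_pos, self.pos) <= reach:
            self.hp -= damage
            return True
        return False


if __name__ == "__main__":
    p = ServerPlayer((0.0, 0.0), now=0.0)
    print(p.move((1.0, 0.0), 0.2))     # ordinary step, accepted
    print(p.move((9.0, 0.0), 0.4))     # teleport, refused: client snaps back to (1.0, 0.0)
    print(p.move((6.0, 0.0), 10.4))    # ten seconds of silence then a jump, still refused
    print(p.hit((2.0, 0.0), reach=1.5, damage=10), p.hp)
```

A rejection count per player is worth keeping as a detection signal: honest clients on bad links trip the check occasionally, cheaters trip it constantly, and the distribution is easy to alert on.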
21. Pink Unicorns
1. Players find hidden coordinates in network stream
data
2. They hack the client to show hidden items on the
map
3. They find hidden players and items before
everyone else
4. PK or dramatically improved farming
Player attacks the client and takes advantage of client-side filters and uses client modification to see hidden content that lets them PK and farm, resulting in frustrated users not playing the game anymore, which could have been avoided using client integrity validation.
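Added example, not code from the deck or from any game it mentions: the slide-21 problem as a world-snapshot function in Python. The vulnerable version sends every entity to every client with a "hidden" flag the client is trusted to honour, so a modified client that ignores the flag sees stealthed players and undiscovered items; the hardened version decides visibility on the server and never serialises what the viewer is not entitled to see. Client integrity validation, the defense named on the slide, is worth having, but it runs on hardware the attacker owns; a client cannot render coordinates it never received. Entity fields, the view radius and the visibility rules are assumptions of this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    id: str
    kind: str                              # "player" or "item" (assumed kinds)
    x: float
    y: float
    stealthed: bool = False                # a player using a stealth ability
    discovered_by: frozenset = frozenset() # players who have already found this item


VIEW_RADIUS = 30.0   # assumed interest-management radius


def visible_to(viewer: Entity, e: Entity) -> bool:
    """Server-side visibility rule: nearby, not stealthed, and (for items) already discovered."""
    if e.id == viewer.id:
        return True
    if math.dist((viewer.x, viewer.y), (e.x, e.y)) > VIEW_RADIUS:
        return False
    if e.kind == "player" and e.stealthed:
        return False
    if e.kind == "item" and viewer.id not in e.discovered_by:
        return False
    return True


def snapshot_vulnerable(viewer: Entity, world) -> list:
    """Slide 21's stream: every entity, with a flag the client is expected to respect."""
    return [{"id": e.id, "x": e.x, "y": e.y, "hidden": not visible_to(viewer, e)} for e in world]


def snapshot_hardened(viewer: Entity, world) -> list:
    """Only what this viewer may see leaves the server; there is no flag to strip."""
    return [{"id": e.id, "x": e.x, "y": e.y} for e in world if visible_to(viewer, e)]


def modded_client_reveals(snapshot) -> list:
    """What a client that ignores the hidden flag can draw on its map: the attack from slide 21."""
    return sorted(s["id"] for s in snapshot)


# Constructed world: the viewer, a stealthed player nearby, a player far away,
# an undiscovered chest and some coins the viewer has already found.
ME = Entity("me", "player", 0.0, 0.0)
WORLD = [
    ME,
    Entity("ghost", "player", 5.0, 5.0, stealthed=True),
    Entity("far", "player", 100.0, 0.0),
    Entity("chest", "item", 3.0, 3.0),
    Entity("coins", "item", 2.0, 2.0, discovered_by=frozenset({"me"})),
]

if __name__ == "__main__":
    print("vulnerable:", modded_client_reveals(snapshot_vulnerable(ME, WORLD)))
    print("hardened:  ", modded_client_reveals(snapshot_hardened(ME, WORLD)))
```

The same filter also shrinks the per-client update, which is why engines call it interest management rather than a security feature; the security benefit is that the hidden data is simply absent from the wire.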
22. Dishonorable Mentions
1. Convincing players to download a mod so we can “powerlevel you”.
2. Changing your username to look like a GM, and telling people to give you
their items (for safe keeping).
3. Multiple buff stacking due to race conditions / logic flaws.
4. Death / looting issues that allow you to loot dead bodies and get their gear
without the person losing the gear when they respawn.
5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken
when you DC your connection. As a developer, how would you handle it?
6. Powerleveling service takes your account for a day or so and you soon get a
notification that you’ve been banned (they used you for money laundering).
7. …etc, etc.
24. Mobile Cover Clipping
1. Use of a skill (Mobile Cover) allows players to skip
content
2. Skipping content allows faster farming rates of
bosses
Player attacks the client and takes advantage of Game Mechanics and uses
knowledge of bug to skip content that lets them farm items faster, resulting in angry
players and fewer users, which could have been avoided using better code.
25. Instancing and Checkpoints
1. Players able to enter a different area (instance) to
re-spawn bosses
Player attacks the client and takes advantage of Game Mechanics and uses
knowledge of bug to skip content that lets them farm items faster, resulting in angry
players and fewer users, which could have been avoided using better code.
26. Buff/Talent Stacking
1. Switching gear rapidly caused buffs or talents to
"stack", allowing the use of talents to gain one-shot kills,
infinite money, headshots, etc.
Player attacks the client and takes advantage of Game Mechanics and uses
knowledge of bug to Gain In-game Currency and Enhance Gear, resulting in angry
players and fewer users, which could have been avoided using better code.
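Added example, not code from the deck or from the game on slide 26: the stacking bug and its fix as two stat models in Python. The vulnerable model applies every equip and unequip as a delta to a running total, so a duplicated, dropped or reordered event from a client spam-swapping gear leaves a bonus behind for good. The fixed model keeps only which item sits in which slot and derives the bonus from that set on every read, so no sequence of events can count an item twice. The gear table, slot names and event stream are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    name: str
    slot: str
    damage_bonus: int


BASE_DAMAGE = 10
# Constructed gear table: one weapon slot and one hands slot.
GEAR = {
    "pistol": Item("pistol", "weapon", 5),
    "rifle": Item("rifle", "weapon", 25),
    "glove": Item("glove", "hands", 3),
}


class IncrementalStats:
    """The stacking bug: each equip/unequip is applied as a delta to a running total, so a
    duplicated, dropped or reordered event leaves a bonus behind permanently."""

    def __init__(self):
        self.damage = BASE_DAMAGE

    def handle(self, event, item):
        bonus = GEAR[item].damage_bonus
        if event == "equip":
            self.damage += bonus
        elif event == "unequip":
            self.damage -= bonus
        return self.damage


class DerivedStats:
    """The fix: the only state kept is which item occupies which slot; damage is recomputed
    from that set on every read, so no swap sequence can make one bonus count twice."""

    def __init__(self):
        self.slots = {}

    def handle(self, event, item):
        it = GEAR[item]
        if event == "equip":
            self.slots[it.slot] = it.name      # a slot holds one item; equipping replaces it
        elif event == "unequip" and self.slots.get(it.slot) == it.name:
            del self.slots[it.slot]
        return self.damage

    @property
    def damage(self):
        return BASE_DAMAGE + sum(GEAR[n].damage_bonus for n in self.slots.values())


def replay(stats, events):
    """Feed a client's event stream to a stats model and return the resulting damage."""
    for event, item in events:
        stats.handle(event, item)
    return stats.damage


# Constructed event stream from a client spam-swapping weapons: the pistol is never explicitly
# unequipped, one rifle equip is duplicated, and the rifle's unequip arrives before its re-equip.
SWAP_SPAM = [
    ("equip", "pistol"),
    ("equip", "rifle"),
    ("equip", "rifle"),
    ("unequip", "rifle"),
    ("equip", "rifle"),
]

if __name__ == "__main__":
    print("incremental:", replay(IncrementalStats(), SWAP_SPAM))   # inflated
    print("derived:    ", replay(DerivedStats(), SWAP_SPAM))       # rifle only, as intended
```

The same idea applies to talents, set bonuses and temporary buffs: store the facts (what is equipped, which buff is active until when) and compute the modifiers from them, rather than storing modifiers that client-driven events add and subtract.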
31. Future State
• Moar Bugz (we could use your help)
• A video game Testing Methodology
• Continuous improvement of schema
• Additional ideas for improvement
32. Next Steps & Help
• If you know any game bugs, you can help out at this location:
https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0
• We also just started a Slack channel, in case you don’t already
have enough of those.
• NOTE: I’m heading to London tomorrow for the OWASP Summit
and this project is one of the sessions I’m leading there.
33. Summary
1. Gaming is big, and growing quickly (~$90B/year by
2020).
2. Games are highly vulnerable.
3. The OWASP Game Security Project looks to help by
making the risks easy to understand and
communicate.
34. Thanks & Contact
• Jason Haddix
Bugcrowd
@jhaddix
• Daniel Miessler
IOActive
@danielmiessler
www.owasp.org/index.php/OWASP_Game_Security_Framework_
Speaker notes
Alright, thanks for coming.
I want to talk this evening about game security.
My name’s Daniel
I’ve been doing security for about 18 years
Background is in testing
I do a lot of IoT stuff
I run the consulting group for IOActive
I read a lot, have a blog, and I play table tennis
So why do we care?
Tens of billions of dollars are being spent, that’s why. And it’s only growing.
So my friend Jason Haddix originally started this project back in 2014, pitched it around, and nobody liked it. They weren’t ready.
He was sad, and he shelved it.
I kept trying to get him back into it, and finally a few months ago I pitched him on a new structure and now IT’S BACK!
So the overall concept for the project is to help everyone involved in the gaming ecosystem understand and avoid the main ways games get hacked. It’s no longer for play, it’s for real now. There is real money to be lost, so we’re hoping there will be more interest this time around.
So I was already doing something similar with the IoT Security project. Basically, the idea is that you have normal, English sentences that you use to describe any game vulnerability situation, and the sentences have placeholders to fill in the component of the risk.
DANIEL: So this allows you to fill in all the different vulns we know about into these really clean categories, which are ACTOR, VULNERABILITY, EXPLOIT, GOAL, NEGATIVE OUTCOME, BUSINESS IMPACT
DANIEL: Alright, so now we’re going to talk about a number of vulnerabilities that we’ve captured into the project.
DANIEL: Even better was the fix.
Game, Everquest.
Hundreds of others.
So DIVISION was an example that Jason liked.
It was a AAA title that was hugely popular and it arguably died in popularity because of hacks.
So one bug was being able to skip content by moving through things.
Another was being able to constantly re-spawn lucrative instances.
Another was being able to super-buff your gear and kill by one-shotting.
So the takeaway here is that they had something great and didn’t take the hacking seriously, and the game’s actual bottom line suffered as a result.
So what we’re currently doing is getting as many bugs into the system as possible
Categorizing them
And making sure they don’t break the schema
This is what an entry looks like on the site.
And here’s the spreadsheet we’re using to capture bugs.
We have a lot already.
So the future state is — most importantly — getting more bugs in the system.
We want to keep improving the schema so it’s easy to use and descriptive.
We’re also working on a testing methodology, which I’m excited about.
If you would like to help out, we’d love to get more input on:
More bugs and examples with stories if possible
feedback on the structure of the project
whatever
Gaming is not a toy anymore. It’s a business.
Games tend to have massive vulnerabilities all throughout the stack.
We want to help anyone involved in making or testing games to better understand and communicate gaming vulnerabilities so they can be avoided.
So that’s what I wanted to talk about tonight, and I’m happy to take any questions.