Analysis of Anti-Hacking Software PunkBuster: How to Stop Cheating in Online Games David Nichols


Page 1: Analysis of Anti-hacking Software Punkbuster

Analysis of Anti-Hacking Software PunkBuster: How to Stop Cheating in Online Games
David Nichols

Page 2: Analysis of Anti-hacking Software Punkbuster

Background

• Online gaming has steadily increased in popularity over the past decade, becoming one of the most popular forms of gaming today
• With this increase in popularity the need for security has grown, as the player base becomes more and more diverse
• Proper network security has become essential
  ▫ Not only to prevent cheating
  ▫ But also to protect users’ personal information
• Debate has arisen over who should provide security
  ▫ Publishers, Users, or Third Parties

Page 3: Analysis of Anti-hacking Software Punkbuster

Design Decisions

• When designing an online game, publishers must choose between a number of trade-offs
  ▫ Efficiency and Accessibility vs. Security
  ▫ Secure private servers vs. P2P
• As both technology and economics have evolved, so has game design
  ▫ Shift from privately hosted servers to public P2P models
    ▪ Significantly cheaper and more expandable

Page 4: Analysis of Anti-hacking Software Punkbuster

P2P Network Design

[Diagram: one host (client or admin) and eight clients]

Page 5: Analysis of Anti-hacking Software Punkbuster

Popular Security Mechanisms

• Checksums
  ▫ Check client data for integrity via checksums
    ▪ Can be forged
• Check client data against game rules
  ▫ Many cheats can be sent within the rules
• Unique Database Structures
• Admins/Game Managers
• These security measures don’t stop many types of attacks

Page 6: Analysis of Anti-hacking Software Punkbuster

How Cheating Works

• Most of these cheats are based on weaknesses in the client-server model
  ▫ Clients and even admins can’t be trusted
• Changes to the game code
  ▫ Game code generally in binary
    ▪ Can be decoded
    ▪ Data files not in binary
  ▫ Can change software (wallhack) or game state in memory (inf. ammo)
• Outside programs performing game actions
  ▫ Turbo function and action scripts
• Modify personal computer’s system software
  ▫ Change graphics driver to render all objects
• Packet Manipulation
  ▫ Change packets being sent out (aimbot)
  ▫ Use private data from client packets (wallhack)
  ▫ Delay packets (slow time or retroactively act)

Page 7: Analysis of Anti-hacking Software Punkbuster

Two Main Types of Cheating

Computer-based attacks
• Aimbot
  ▫ Use client info to aim
  ▫ Modify code for dmg
• Artificial lag/Flood attacks
  ▫ Attack physical device
• Look-ahead
  ▫ Forge time stamp
• Physics hacking
  ▫ Remove collision detection
• Altering game elements
  ▫ Server override or impersonation
• Extrasensory perception
  ▫ Display client info on screen

Improper Usage
• Turbo
• Environmental exploits
• Ghosting
• Improper settings
• Scripting
• Collaboration

Page 8: Analysis of Anti-hacking Software Punkbuster

PunkBuster

• Created and first implemented in 2000 by Tony Ray to stop cheating in Castle Wolfenstein
  ▫ Owned by Even Balance, Inc.
  ▫ Subsequently used in numerous online shooters
  ▫ Built around client-server model
• Installed on both clients and servers
  ▫ Constantly communicates with Even Balance’s master servers
• Designed to scan for cheating computers and then ban them from protected servers/games

Page 9: Analysis of Anti-hacking Software Punkbuster

PunkBuster’s Implementation

• Each admin server requires its own unique directory
• Two main components of PunkBuster:
  ▫ PunkBuster Server (runs on game servers)
    ▪ Password protected
  ▫ PunkBuster Client (runs on players' playing machines while they play the game)
• If admin PB not up-to-date all players notified
  ▫ If client PB not up-to-date player not allowed to join
• Frequent status reports (encrypted) are sent to the PunkBuster Server by all players
• Violations cause player to be kicked and all others notified
• Admins can manually kick players
  ▫ For a specific number of minutes or permanently
  ▫ Can be bypassed by altering time stamp
• Player power facility – allows games to run without admin

Page 10: Analysis of Anti-hacking Software Punkbuster

PunkBuster’s Security Features

• Real-time memory scanning
  ▫ Uses Windows API functions and heuristic searches
• Communicates over game’s internet connection
  ▫ To avoid firewall
  ▫ Uses UDP ports 24300-24399 to communicate
• “Throttled two-tiered background auto-update system” with master servers
  ▫ Provide end-user security
  ▫ Ensure no corrupted or false updates on user PC
    ▪ Guarantees update integrity
  ▫ Uses digital signatures provided by Verisign (Authenticode)
  ▫ Updates validated by master servers based on security info
    ▪ Prevents admins from using PB to send viruses

Page 11: Analysis of Anti-hacking Software Punkbuster

PunkBuster’s Security Features

• Can request partial MD5 hashes of files inside the game installation directory
  ▫ Results compared against a default config
    ▪ Calculate differences and ban if necessary
• Admin search functions
  ▫ To check player’s key bindings and scripts for cheats
• Stream PB server logs to other locations
  ▫ Allows for the creation of universal “banned lists”
• Random player settings checks
  ▫ Cvar checking
    ▪ A number that represents game settings, must be in admin’s range
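
The partial-hash check on this slide, as an added Python example (not PunkBuster's code and not from the original slides). File names, byte ranges and file contents are constructed, and the baseline format is an assumption made for illustration.

```python
import hashlib
import os
import tempfile

def partial_md5(path, offset, length):
    """MD5 of `length` bytes of `path` starting at byte `offset`."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        return hashlib.md5(fh.read(length)).hexdigest()

def build_baseline(install_dir, checks):
    """checks: {name: (offset, length)} -> {name: (offset, length, md5)}."""
    return {name: (off, ln, partial_md5(os.path.join(install_dir, name), off, ln))
            for name, (off, ln) in checks.items()}

def audit(install_dir, baseline):
    """Return (name, reason) for every file that differs from the baseline."""
    violations = []
    for name, (off, ln, expected) in sorted(baseline.items()):
        path = os.path.join(install_dir, name)
        if not os.path.isfile(path):
            violations.append((name, "missing"))
        elif partial_md5(path, off, ln) != expected:
            violations.append((name, "mismatch"))
    return violations

def demo():
    """Constructed data: one reference install and three client installs."""
    content = {"game.bin": bytes(range(256)) * 4, "maps.pak": b"M" * 1024}
    checks = {"game.bin": (128, 256), "maps.pak": (0, 512)}
    with tempfile.TemporaryDirectory() as root:
        def make(label, patches):
            d = os.path.join(root, label)
            os.mkdir(d)
            for name, data in content.items():
                buf = bytearray(data)
                for pos in patches.get(name, []):
                    buf[pos] ^= 0xFF  # flip one byte at `pos`
                with open(os.path.join(d, name), "wb") as fh:
                    fh.write(buf)
            return d
        baseline = build_baseline(make("reference", {}), checks)
        return {
            "clean": audit(make("clean", {}), baseline),
            "inside": audit(make("inside", {"game.bin": [200]}), baseline),
            # Byte 900 is outside the hashed range 128..383: the edit is missed.
            "outside": audit(make("outside", {"game.bin": [900]}), baseline),
        }
```

A partial hash only vouches for the bytes it covers, so a fixed range leaves the rest of the file unchecked.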

Page 12: Analysis of Anti-hacking Software Punkbuster

PunkBuster’s Security Features

• User Authentication
  ▫ Use digital signatures
  ▫ Happens continuously through game (2-3 per minute minimum)
• Screenshot Requests
  ▫ Admin can request screenshot samples from players
    ▪ Or can be done randomly
    ▪ Can block screenshots (black screen) or erase visible hacking
  ▫ Reflected in RecentSS value, visible to all players, prevents admins from cheating
• Hardware bans
  ▫ Ban hardware components used to circumvent PB
    ▪ Uses hard drive ID and other undisclosed components
  ▫ Use multiple private one-way hashes in order to protect the confidentiality of users’ serial number info
• Use GUID (Globally Unique Identifier) to ID users
  ▫ Based on game installation
  ▫ 128 bit one-way hash generated from CD-key
  ▫ Encrypted
• GUID bans

Page 13: Analysis of Anti-hacking Software Punkbuster

Attacks on PunkBuster

• Battlefield 3 – “Game disconnected: you were kicked by PunkBuster” error
  ▫ Attackers used a GUID scanner to duplicate users’ GUIDs
  ▫ Used security loophole to ban players
• IRC mass false positives
  ▫ Because PB scans all virtual memory, attackers uploaded text fragments from cheat programs on popular IRC channels
  ▫ PB would see malicious text in channel clients’ text buffers and ban them
• Incompatibility issues with:
  ▫ Steam, non-Windows admins, 64-bit clients, and some firewalls
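
Why the IRC false positives happened, as an added Python example (not from the original slides and not PunkBuster's scanner). The signature, process names and memory contents are constructed, and the scoped scan is one assumed mitigation, shown for contrast.

```python
from dataclasses import dataclass

@dataclass
class Region:
    owner: str      # process that owns the memory
    kind: str       # "code" = executable image, "data" = heap / text buffers
    content: bytes

# Constructed signature; no real cheat signature is reproduced here.
SIGNATURES = {"sample-cheat": b"SAMPLE_CHEAT_SIGNATURE_0001"}

def scan(regions, only_process=None):
    """Return sorted (owner, signature) hits.

    only_process=None scans every region of every process (the behaviour the
    slide describes). Otherwise only executable regions of that process.
    """
    hits = set()
    for region in regions:
        scoped_out = only_process is not None and (
            region.owner != only_process or region.kind != "code")
        if scoped_out:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern in region.content:
                hits.add((region.owner, name))
    return sorted(hits)

def demo():
    marker = SIGNATURES["sample-cheat"]
    honest_player = [
        Region("game.exe", "code", b"\x90" * 64),
        # Chat text received from an IRC channel, sitting in a text buffer.
        Region("irc.exe", "data", b"<someone> look at this: " + marker),
    ]
    cheating_player = [
        Region("game.exe", "code", b"\x90" * 16 + marker + b"\x90" * 16),
    ]
    return {
        "honest_scan_all": scan(honest_player),
        "honest_scoped": scan(honest_player, only_process="game.exe"),
        "cheater_scoped": scan(cheating_player, only_process="game.exe"),
    }
```

Scoping the scan removes the false positive but also narrows coverage, since it no longer sees data regions or other processes.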

Page 14: Analysis of Anti-hacking Software Punkbuster

Criticisms

• Heavily uses user’s network, causing lag
  ▫ Hogs bandwidth
• Puts heavy pressure on user’s PC processors
  ▫ Slowing down or overheating some PCs
• Even Balance, the company, has too much power
  ▫ “Judge, Jury, and Executioner”
    ▪ Permanent bans based solely on their discretion, not controlled by publishers
• Invasion of privacy
  ▫ Screenshots, program lists, memory scans, hardware info, IP addresses, and other personal security info
• Still doesn’t stop all cheating/attacks