GDC 2013 - Ditching the Server: Making Client-side Only Social Games
1. Ditching the Server
How to create client-side only social games
Amitt Mahajan (@amittm)
Founder/CEO, Red Hot Labs
2. My Background
• Co-creator/Lead Developer
– FarmVille
– ExampleVille: Zynga’s game engine & framework
• CTO, Zynga Japan
– Develop mobile games for the Japanese market
• Developer, Unreal Engine/Gears of War
GDC2013 • @amittm 2
3. Client/Server Replication
• Client replicates commands to the server
– Mostly async, non-blocking, operations
• Server validates commands to prevent cheating
– Success: Update DB; Failure: Out-of-sync error
5. The Problem
• Write code twice, maintain 2 codebases
• Server state needs to be in sync: leads to out-of-sync errors
• Provision servers & deploy code for each game
• Game teams and server ops teams tightly integrated
• Complicated, hard-to-port, game-specific network code
6. Proposal: Client-only validation
• All game logic lives with client-code
• Trust player client state
• Server is a dumb-pipe to store data
• Use automatic validation to lazy check state
7. Benefits
• Split creating games from running server operations
• Reuse infrastructure in several games and platforms
• Better utilize server resources with reduced complexity
• Reduce development time and errors
• Reduce out-of-sync errors, potentially better for mobile
8. Limitations
• Prior server controlled variables are now insecure
• Player-to-player interactions made insecure
• Potentially complicated validation mechanisms
• Global leaderboards / ladders easily manipulated
9. Data Storage
• Schema-less DB offers greatest flexibility (e.g. NoSQL)
• Object-based schema keyed using class-name and id
• Server does not validate data but keeps track of properties
• Objects can have references to other objects
11. Example API
• Object.get(className, id)
– Returns object data based on className and Id
• Object.set(className, id, data)
– Sets data for an object
• Object.acls(newAcls)
– Changes the access permissions for an object
13. Uses for ACLs
• Private or read-only user data
• Shared game state or game objects
• Static, developer-defined, game data
14. Example: AccessTokens
Client API / Server flow:
1. Login using email/pass
2. Return AccessToken
3. Request game object with token
4. Verify access token grants permission SPECIFICALLY to requested object
5. Return requested object
15. AccessToken Levels
Access Token Level
• None
– No or invalid access token provided
– User only has access to global objects
• User
– User logged-in / authenticated
– User can access objects owned by their user ID
• System
– Secret/private access token
– Game developer usage only
– Can modify any object on the server
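The token levels above, the Object.get/set/acls API from slide 11 and the login-then-check flow from slide 14, worked through as an added Python example (not code from the talk or from Red Hot Labs). Everything named here is an assumption: an in-memory Store, an AccessDenied error, a per-object ACL vocabulary of "global", "owner" and "system" for read and write, a constructed account table with PBKDF2 password hashes, and a developer-held SYSTEM token. The demo() scenario covers the three "Uses for ACLs" cases.

```python
"""Dumb-pipe object store with AccessToken levels and per-object ACLs.
Added example, not the talk's code; Store, AccessDenied and the ACL vocabulary are assumptions."""
import hashlib
import hmac
import secrets

NONE, USER, SYSTEM = 0, 1, 2   # the three AccessToken levels from the slide


class AccessDenied(Exception):
    pass


class Store:
    def __init__(self, system_token):
        self._users = {}                                # email -> (salt, pbkdf2 digest, user_id)
        self._tokens = {system_token: (SYSTEM, None)}   # opaque token -> (level, user_id)
        self._objects = {}                              # (class_name, id) -> object record

    def register(self, email, password, user_id):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[email] = (salt, digest, user_id)

    def login(self, email, password):
        """Steps 1-2 of the flow: verify email/pass, hand back a USER-level token."""
        rec = self._users.get(email)
        if rec is None:
            raise AccessDenied("unknown account")
        salt, digest, user_id = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            raise AccessDenied("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (USER, user_id)
        return token

    def _principal(self, token):
        return self._tokens.get(token, (NONE, None))    # missing or invalid token == NONE

    def _allowed(self, token, obj, op):
        """Step 4: does *this* token grant `op` on *this specific* object?"""
        level, user_id = self._principal(token)
        if level == SYSTEM:
            return True                                   # developer token: any object
        required = obj["acl"][op]
        if required == "global":
            return True                                   # NONE and above may proceed
        if required == "owner":
            return level == USER and user_id in obj["owners"]
        return False                                      # "system" only, and we are not SYSTEM

    def _checked(self, token, class_name, obj_id, op):
        obj = self._objects[(class_name, obj_id)]
        if not self._allowed(token, obj, op):
            raise AccessDenied(f"{op} {class_name}/{obj_id}")
        return obj

    def create(self, token, class_name, obj_id, data, acl, owners=()):
        if self._principal(token)[0] == NONE:
            raise AccessDenied("login required to create objects")
        self._objects[(class_name, obj_id)] = {"owners": set(owners), "acl": dict(acl), "data": dict(data)}

    def get(self, token, class_name, obj_id):
        return dict(self._checked(token, class_name, obj_id, "read")["data"])   # step 5

    def set(self, token, class_name, obj_id, data):
        self._checked(token, class_name, obj_id, "write")["data"].update(data)

    def acls(self, token, class_name, obj_id, new_acls):
        self._checked(token, class_name, obj_id, "write")["acl"].update(new_acls)  # write right needed


def _ok(fn):
    try:
        fn()
        return True
    except AccessDenied:
        return False


def demo():
    """Constructed scenario for the three 'Uses for ACLs' bullets; returns which calls succeeded."""
    dev_token = "constructed-developer-secret"           # SYSTEM level; never shipped to clients
    s = Store(dev_token)
    s.register("alice@example.com", "pw-alice", "u1")
    s.register("bob@example.com", "pw-bob", "u2")
    alice, bob = s.login("alice@example.com", "pw-alice"), s.login("bob@example.com", "pw-bob")
    s.create(alice, "Profile", "u1", {"name": "Alice"}, {"read": "global", "write": "owner"}, ["u1"])
    s.create(alice, "Match", "m42", {"turn": "u1"}, {"read": "owner", "write": "owner"}, ["u1", "u2"])
    s.create(dev_token, "ItemTable", "v1", {"sword": 0.01}, {"read": "global", "write": "system"})
    return {
        "anon_reads_profile": _ok(lambda: s.get(None, "Profile", "u1")),
        "bob_writes_profile": _ok(lambda: s.set(bob, "Profile", "u1", {"name": "Mallory"})),
        "bob_writes_match": _ok(lambda: s.set(bob, "Match", "m42", {"turn": "u2"})),
        "anon_reads_match": _ok(lambda: s.get(None, "Match", "m42")),
        "alice_writes_items": _ok(lambda: s.set(alice, "ItemTable", "v1", {"sword": 1.0})),
        "dev_writes_items": _ok(lambda: s.set(dev_token, "ItemTable", "v1", {"sword": 0.02})),
        "alice_locks_profile": _ok(lambda: s.acls(alice, "Profile", "u1", {"read": "owner"})),
        "anon_reads_locked": _ok(lambda: s.get(None, "Profile", "u1")),
    }
```

The point of `_allowed` is the one the slide stresses: a valid token is not enough, the check is made against the ACL of the specific object requested, so a logged-in user still cannot write another player's profile or the developer's item table.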
16. Impact on Game Design
• Trust is now a consideration in game-design
• Some game-styles will not be possible without additional validation
• May limit creativity of game mechanics in certain cases
17. Best Use Cases
• Asynchronous is the intended use case
• Single player games that require cloud storage
– Plants vs. Zombies, Angry Birds
• Single player w/ multiplayer component
– FarmVille, Sims Social
• Limited PvP games
– Words with Friends, Draw Something
18. Cheating
• Modification of player stats/state
• Generating favorable outcomes
• Could potentially hurt revenue
• Non-technical players can cheat with tools
20. Example: How to hack XP
1. Player uses a proxy to examine network calls
2. Figures out what a save call looks like
3. Modifies game state to desired result
4. Executes a save call with modified state
Note: This is TRIVIAL and a big hole!
21. Example: Preventing XP Hacking
• Developer marks XP field in an object as being “rate-limited” or “important”
• User modifies their local XP value
• On post-object-save:
– Store historical values of field
– Standard deviation rate of change flags account for manual review
– Tweak thresholds for false-positives
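The post-object-save check described above, as an added Python example that is not the talk's code. FieldMonitor, on_post_save, the baseline window and the z-score threshold are assumptions; the XP history is constructed to have the shape of the slide-22 chart (steady daily gains, then one spike). Each save records the field's value, the latest delta is compared against the mean and standard deviation of that user's recent deltas, and an outlier is returned for manual review rather than rejected outright, which is what lets the threshold be tuned for false positives.

```python
"""Post-save monitor for a 'rate-limited' field such as XP.
Added example, not the talk's code; FieldMonitor, its hook name and thresholds are assumptions."""
import statistics


class FieldMonitor:
    """Keeps per-user history of one field and flags saves whose delta is an
    outlier relative to that user's own recent rate of change."""

    def __init__(self, field, window=7, z_threshold=3.0, min_points=5):
        self.field = field
        self.window = window            # how many past deltas form the baseline
        self.z_threshold = z_threshold  # raise to cut false positives, lower to catch more
        self.min_points = min_points    # don't judge an account until it has some history
        self.history = {}               # user_id -> list of (day, value)

    def on_post_save(self, user_id, day, obj):
        """Hook run after the dumb-pipe server stores an object. Records the value and
        returns a flag dict for manual review, or None if the change looks normal."""
        hist = self.history.setdefault(user_id, [])
        hist.append((day, obj[self.field]))
        if len(hist) < 2:
            return None
        deltas = [b - a for (_, a), (_, b) in zip(hist, hist[1:])]
        current, prior = deltas[-1], deltas[-1 - self.window:-1]
        if len(prior) < self.min_points:
            return None
        mean = statistics.fmean(prior)
        sd = statistics.pstdev(prior)
        if sd == 0:
            # an account that always earns exactly the same amount: any larger jump is abnormal
            z = float("inf") if current > mean else 0.0
        else:
            z = (current - mean) / sd
        if z > self.z_threshold:
            return {"user": user_id, "day": day, "delta": current, "z": round(z, 1)}
        return None


def replay(deltas, window=7, z_threshold=3.0):
    """Feed a constructed daily XP history through the monitor; return the flagged days."""
    mon = FieldMonitor("xp", window=window, z_threshold=z_threshold)
    xp, flagged = 0, []
    mon.on_post_save("u1", 0, {"xp": xp})
    for day, d in enumerate(deltas, start=1):
        xp += d
        flag = mon.on_post_save("u1", day, {"xp": xp})
        if flag:
            flagged.append(flag["day"])
    return flagged


# Constructed 20-day history: roughly 50 XP per day, then an 800 XP jump on day 16
SAMPLE_DELTAS = [50, 55, 45, 60, 50, 48, 52, 58, 47, 53, 49, 51, 55, 50, 46, 800, 52, 50, 48, 54]

if __name__ == "__main__":
    print(replay(SAMPLE_DELTAS))   # [16]
```

Once the spike is inside the baseline window the standard deviation grows, so the days after it are not re-flagged; a production version would also cap how far back one spike can poison the baseline, and would key the threshold by player segment rather than using one global value.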
22. Example: XP delta over time
[Chart: XP value per day, Day 0 to Day 20 on the x-axis, 0 to 1200 XP on the y-axis; annotation: "Suspicious spike outside acceptable range, flag account"]
23. Production Case: Bingo Blast!
• Head-to-head & solo game for iOS/Android
• Shared game objects
• Game requests / messages
• In-app purchases
• No server work required
24. Conclusion
• There is no one-size-fits all solution
• Server-side validation is good for absolute cheat prevention and is proven to work
• Client-only validation provides performance boost, less errors, and development time reduction at cost of security
• Automatic validation non-trivial and will improve over time
Speaker notes

• Prior server controlled variables are now insecure
– Item rarity and drop-rates
– Server controlled randomness
• Player-to-player interactions made insecure
– PvP
– Trading
• Potentially complicated validation mechanisms
• Global leaderboards / ladders easily manipulated

• Access-Control-Layer (ACL) system
– Allows user and global level read and write permissions per object
• Data manipulation using access tokens
• Provide multiple levels of application security
• Versioning / conflict-resolution
• SSL

• User protects their own account from writing but makes their profile info public read
• 2 players are playing a game that only they can read/write state to
• Developers have protected static game data (such as items or level curves) that only they can modify but everyone can read from

(Note: This will be made into a flow chart)
• User logs into system using email/pass and receives access token
• For object.get user sends access token as a parameter
• API server checks access token and grants appropriate permissions to the request
• On object retrieval, request permissions are checked against object permissions
• Success: Return object; Failure: return access denied error

• Modification of player stats/state
– Change coins to 1 million
– Unlocked all achievements
• Generating favorable outcomes
– Slot machine always comes up as a jackpot

• Analytics
– Examine distribution of game properties for outliers
• Secure token and separate service
– Secure server that has global ACL access to data
• Scripting language
– Sandboxed script code that is run on both client and server