The Game Security Framework (1.0)
Jason Haddix & Daniel Miessler
Us
• Jason Haddix: Head of Trust and Security, Bugcrowd
• Daniel Miessler: Director of Advisory Services, IOActive
@jhaddix @danielmiessler
History
• This is the second try for the project
• Tried originally in 2014, to no avail
Concept
Structure
• Normal English sentences that are used to describe the entire scenario
• Each sentence contains placeholders for the various parts of the risk

A malicious competitor attacks the server side and takes advantage of limited server-side bandwidth and uses DDoS to cause extreme lag that lets them win a match, resulting in frustrated users not playing the game anymore, which could have been avoided using DDoS protection.
Structure
https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project
Semantic Structure
Actor attacks Attack Surface and uses Exploit to take advantage of Vulnerability to try to achieve their Goal, resulting in Negative Outcome, which could have been avoided by Defense.
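The sentence above is a fixed grammar with seven placeholders, which means it can be treated as a schema: render it from structured fields, parse it back, and count entries per placeholder when categorizing bugs. The following is an added example, not code from the deck or from the OWASP project; the two sample entries are the deck's DDoS and admin-command scenarios restated in the canonical form, and the field names are my own choice.

```python
import re
from collections import Counter
from dataclasses import asdict, dataclass

# Placeholder order follows the deck's semantic structure slide.
FIELDS = ("actor", "attack_surface", "exploit", "vulnerability",
          "goal", "negative_outcome", "defense")

TEMPLATE = ("{actor} attacks the {attack_surface} and uses {exploit} "
            "to take advantage of {vulnerability} to {goal}, "
            "resulting in {negative_outcome}, "
            "which could have been avoided by {defense}.")

# The fixed connectives make the sentence parseable; the one caveat is that a
# placeholder must not itself contain a connective (" to ", ", resulting in").
PATTERN = re.compile(
    r"^(?P<actor>.+?) attacks the (?P<attack_surface>.+?) and uses "
    r"(?P<exploit>.+?) to take advantage of (?P<vulnerability>.+?) "
    r"to (?P<goal>.+?), resulting in (?P<negative_outcome>.+?), "
    r"which could have been avoided by (?P<defense>.+?)\.$"
)


@dataclass(frozen=True)
class GameRisk:
    actor: str
    attack_surface: str
    exploit: str
    vulnerability: str
    goal: str
    negative_outcome: str
    defense: str

    def render(self) -> str:
        """Structured record -> plain-English GSF sentence."""
        return TEMPLATE.format(**asdict(self))

    @classmethod
    def parse(cls, sentence: str) -> "GameRisk":
        """GSF sentence -> structured record; rejects anything off-template."""
        m = PATTERN.match(sentence.strip())
        if m is None:
            raise ValueError("sentence does not follow the GSF structure")
        return cls(**m.groupdict())


def missing_fields(risk: GameRisk) -> list:
    """Names of empty placeholders, so an entry with no Goal or no Defense
    is caught before it is filed in the catalogue."""
    return [f for f in FIELDS if not getattr(risk, f).strip()]


def tally(risks, field: str) -> Counter:
    """Count entries per value of one placeholder (e.g. per attack surface)."""
    return Counter(getattr(r, field).strip().lower() for r in risks)


# Two entries from the deck, restated in the canonical form (constructed here).
DDOS = GameRisk(
    actor="A malicious competitor", attack_surface="server side",
    exploit="DDoS", vulnerability="limited server-side bandwidth",
    goal="cause extreme lag that lets them win a match",
    negative_outcome="frustrated users not playing the game anymore",
    defense="DDoS protection")

MONSTERS = GameRisk(
    actor="A player", attack_surface="server",
    exploit="hidden admin commands",
    vulnerability="client-side filtering of admin commands",
    goal="survive PvP",
    negative_outcome="frustrated users not playing the game anymore",
    defense="server-side authorization")

if __name__ == "__main__":
    for r in (DDOS, MONSTERS):
        assert GameRisk.parse(r.render()) == r   # round trip
        print(r.render())
    print(tally([DDOS, MONSTERS], "negative_outcome"))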
Vulnerabilities
Ping + Teleport
1. Mess with your own connection
2. Server starts reporting your location sporadically
3. Allows you to pass through objects
4. BONUS: Avoid being attacked because you’re like a ghost
Player attacks the network and takes advantage of throttling and uses connection degradation to cause extreme lag that lets them avoid harm, resulting in frustrated users not playing the game anymore, which could have been avoided using better code.
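"Better code" here means the server owns the player's position and judges every reported move against its own clock, so a degraded connection never turns into extra distance or a free pass through a wall. The block below is an added example of that server-side check, not code from the deck or any real game; the speed limit, the per-report time cap and the single wall segment are constructed values.

```python
import math

MAX_SPEED = 6.0      # world units per second (assumed game constant)
MAX_STEP = 0.25      # seconds of travel credited per report, however late it arrives
WALLS = [((5.0, 0.0), (5.0, 10.0))]   # one wall: x = 5 for y in [0, 10] (constructed map)


class Mover:
    def __init__(self, x, y, t):
        self.x, self.y, self.t = x, y, t   # last position the server accepted, and when
        self.rejected = 0


def _orient(a, b, c):
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])


def _crosses(p, q, a, b):
    """True if segment p-q properly crosses segment a-b."""
    return (_orient(p, q, a) * _orient(p, q, b) < 0) and \
           (_orient(a, b, p) * _orient(a, b, q) < 0)


def apply_move(m, nx, ny, now):
    """Validate one client position report. `now` is the server's receive
    time, not a client-supplied timestamp. Returns the position the server
    now holds; an implausible report leaves the player where it was, so the
    client rubber-bands instead of teleporting."""
    dt = now - m.t
    if dt <= 0:                       # duplicate or out-of-order report
        m.rejected += 1
        return (m.x, m.y)
    # A stalled connection does not bank distance: a report arriving after two
    # silent seconds is still judged against a quarter second of travel.
    allowed = MAX_SPEED * min(dt, MAX_STEP)
    if math.hypot(nx - m.x, ny - m.y) > allowed + 1e-9:
        m.rejected += 1
        return (m.x, m.y)
    if any(_crosses((m.x, m.y), (nx, ny), a, b) for a, b in WALLS):
        m.rejected += 1               # the "pass through objects" case
        return (m.x, m.y)
    m.x, m.y, m.t = nx, ny, now
    return (nx, ny)
```

A rejection counter like `m.rejected` is the detection hook: legitimate lag produces the occasional snap-back, while a player steadily racking up rejections is running the exploit.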
Moar Monsters
1. When logged in as an admin there are options to do lots of things, like call monsters
2. Players figure out they can execute admin commands as well (only the menu was missing)
3. They get in nasty PvP and call in tons of nasty mobs to crush enemies
Player attacks the server and takes advantage of client-side filters and uses hidden admin commands to cause in-game chaos that lets them survive PvP, resulting in frustrated users not playing the game anymore, which could have been avoided using server-side controls.
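The root cause is that the only thing separating players from admin commands was the client menu. The following is an added example, not code from the deck or from any real game server, showing a command handler that trusts the client beside one that checks the server-held session role per command; the command names, roles and world structure are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    player: str
    role: str  # "player" or "gm"; set by the login service, never from client input


class CommandError(Exception):
    pass


# Server-side command table: name -> minimum role required (constructed).
COMMANDS = {
    "say": "player",
    "trade": "player",
    "spawn": "gm",   # "call monsters" from the slide
    "kick": "gm",
}
ROLE_RANK = {"player": 0, "gm": 1}


def _parse(line):
    parts = line.split()
    if not parts or parts[0] not in COMMANDS:
        raise CommandError("unknown command")
    return parts[0], parts[1:]


def _execute(session, name, args, world):
    """The effect of a command once it has been accepted (constructed world)."""
    if name == "spawn":
        world.setdefault("spawned", []).append((session.player, args[0] if args else "mob"))
    elif name == "kick":
        world.setdefault("kicked", []).append(args[0] if args else "")
    return f"{name} ok"


def handle_vulnerable(session, line, world):
    """Before: the server runs any registered command it receives. Players
    never saw 'spawn' only because their client did not draw the admin menu,
    and a hand-built packet skips the menu entirely."""
    name, args = _parse(line)
    return _execute(session, name, args, world)


def handle_hardened(session, line, world):
    """After: authorization is decided from the server-held session role,
    per command, before anything is executed."""
    name, args = _parse(line)
    required = COMMANDS[name]
    if ROLE_RANK[session.role] < ROLE_RANK[required]:
        # Worth logging: a player sending 'spawn' is a modified client, not a typo.
        raise CommandError(f"{session.player} lacks role {required} for {name}")
    return _execute(session, name, args, world)


def allowed_commands(session):
    """What the server would accept from this session. Build the client menu
    from this list, rather than letting the menu stand in for authorization."""
    return sorted(n for n, r in COMMANDS.items()
                  if ROLE_RANK[session.role] >= ROLE_RANK[r])
```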
Midnight Store
1. Game bugs required the server to be restarted at midnight
2. If you were in the middle of a trade when the server went down, both players got both sides of the trade
Player attacks the game and takes advantage of logic bug and uses knowledge of bug to cause item duplication that lets them unfairly increase loot, resulting in less need to buy things, which could have been avoided using better code.
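The duplication happens because the trade is written as several independently persisted steps, and a restart lands between them. The block below is an added example, not the deck's or any real game's code: a copy-then-delete trade that duplicates items when interrupted, beside a single-transaction trade that rolls back cleanly. It uses an in-memory SQLite table with constructed inventories, and the "crash" is an exception raised at the worst moment, standing in for the midnight restart.

```python
import sqlite3


class ServerCrash(RuntimeError):
    """Stands in for the midnight restart from the slide."""


def new_world():
    # isolation_level=None: no implicit transactions, so the code below shows
    # exactly which statements are, and are not, wrapped in one.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, "
                 "owner TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO items (owner, name) VALUES (?, ?)",
                     [("alice", "sword"), ("bob", "shield")])   # ids 1 and 2
    return conn


def inventory(conn, owner):
    return sorted(n for (n,) in conn.execute(
        "SELECT name FROM items WHERE owner = ?", (owner,)))


def trade_vulnerable(conn, a, item_a, b, item_b, crash=False):
    """Copy each item to the other player, then delete the originals, every
    statement committed on its own. A restart between the copies and the
    deletes leaves both players holding both items."""
    name_a = conn.execute("SELECT name FROM items WHERE id = ?", (item_a,)).fetchone()[0]
    name_b = conn.execute("SELECT name FROM items WHERE id = ?", (item_b,)).fetchone()[0]
    conn.execute("INSERT INTO items (owner, name) VALUES (?, ?)", (b, name_a))
    conn.execute("INSERT INTO items (owner, name) VALUES (?, ?)", (a, name_b))
    if crash:
        raise ServerCrash("restart before the originals were deleted")
    conn.execute("DELETE FROM items WHERE id IN (?, ?)", (item_a, item_b))


def trade_atomic(conn, a, item_a, b, item_b, crash=False):
    """Both ownership changes in one transaction, with the ownership check
    inside it. A restart at any point rolls the whole trade back, and a
    party cannot offer an item it does not hold."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        owned = conn.execute(
            "SELECT COUNT(*) FROM items "
            "WHERE (id = ? AND owner = ?) OR (id = ? AND owner = ?)",
            (item_a, a, item_b, b)).fetchone()[0]
        if owned != 2:
            raise ValueError("a party does not own the item it is offering")
        conn.execute("UPDATE items SET owner = ? WHERE id = ?", (b, item_a))
        if crash:
            raise ServerCrash("restart mid-trade")
        conn.execute("UPDATE items SET owner = ? WHERE id = ?", (a, item_b))
        conn.execute("COMMIT")
    except BaseException:
        conn.rollback()   # no half-state survives; the trade simply did not happen
        raise
```

Moving ownership with an UPDATE rather than copying rows also removes the window in which two rows for one item exist at all, so even a log-replay after the crash has nothing to duplicate.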
Marvel at my DC
1. Play a Star Wars game on Android
2. Go into Airplane Mode in the middle of the game
3. Run Android hack to automatically win
4. Reconnect, advance on the ladder
Player attacks the client and takes advantage of local hack and logic flaw and uses local hack to cause unfair ladder win that lets them advance on the ladder, resulting in ladder chaos, which could have been avoided using better code.
Ooh Sparkly
1. Launching lots of graphics-intensive actions could cause frame rate drops
2. People load up on the most graphics-intensive combos and fire them off if they’re attacked
3. Nobody could kill them because they could run away while their game is lagging
Player attacks the client and takes advantage of resource constraints and uses knowledge of bug to cause unfair PvP advantage that lets them avoid death during PvP, resulting in angry players and fewer users, which could have been avoided using better code.
Pink Unicorns
1. Players find hidden coordinates in network stream data
2. They hack the client to show hidden items on the map
3. They find hidden players and items before everyone else
4. PK or dramatically improved farming
Player attacks the client and takes advantage of client-side filters and uses client modification to see hidden content that lets them PK and farm, resulting in frustrated users not playing the game anymore, which could have been avoided using client integrity validation.
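Client integrity validation raises the bar, but the hidden coordinates were only findable because the server put them on the wire and trusted the client to hide them. The block below is an added example, not code from the deck or from any real game, of server-side interest management: the snapshot that leaks everything beside one that serializes only what this viewer is entitled to see. The world state, view radius and "true sight" reveal rule are constructed.

```python
import json
import math

VIEW_RADIUS = 30.0   # assumed: how far a client is allowed to "see"


def snapshot_vulnerable(world, viewer):
    """Before: the whole world goes on the wire, with a 'hidden' flag that the
    client is trusted to honour. A modified client just ignores the flag, and a
    sniffer does not even need the client."""
    return json.dumps([
        {"id": e["id"], "x": e["x"], "y": e["y"], "hidden": e["hidden"]}
        for e in world if e["id"] != viewer["id"]])


def visible_to(e, viewer):
    """Server-side visibility rule: distance cull plus the reveal condition."""
    if e["id"] == viewer["id"]:
        return False
    if math.hypot(e["x"] - viewer["x"], e["y"] - viewer["y"]) > VIEW_RADIUS:
        return False
    if e["hidden"] and not viewer.get("true_sight", False):
        return False
    return True


def snapshot_hardened(world, viewer):
    """After: only entities this viewer may see are serialized, so there is
    nothing in the packet for a map hack to uncover."""
    return json.dumps([{"id": e["id"], "x": e["x"], "y": e["y"]}
                       for e in world if visible_to(e, viewer)])


def ids_in(snapshot):
    """What a packet-sniffing or modified client learns from one snapshot."""
    return sorted(e["id"] for e in json.loads(snapshot))


# Constructed world state.
WORLD = [
    {"id": 1, "x": 0.0, "y": 0.0, "hidden": False},      # the viewer
    {"id": 2, "x": 3.0, "y": 3.0, "hidden": True},       # stealthed player next to them
    {"id": 3, "x": 10.0, "y": 0.0, "hidden": False},     # visible player in range
    {"id": 4, "x": 100.0, "y": 100.0, "hidden": False},  # player far out of range
    {"id": 5, "x": 25.0, "y": 0.0, "hidden": True},      # rare spawn not yet discoverable
]

if __name__ == "__main__":
    viewer = WORLD[0]
    print("leaky packet exposes:", ids_in(snapshot_vulnerable(WORLD, viewer)))
    print("filtered packet exposes:", ids_in(snapshot_hardened(WORLD, viewer)))
```

The check that matters is the last assertion below: the hardened packet carries no `hidden` field at all, because the filtering decision was made before serialization rather than being delegated to the client.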
Dishonorable Mentions
1. Convincing players to download a mod so we can “powerlevel you”.
2. Changing your username to look like a GM, and telling people to give you their items (for safe keeping).
3. Multiple buff stacking due to race conditions / logic flaws.
4. Death / looting issues that allow you to loot dead bodies and get their gear without the person losing the gear when they respawn.
5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken when you DC your connection. As a developer, how would you handle it?
6. Powerleveling service takes your account for a day or so and you soon get a notification that you’ve been banned (they used you for money laundering).
7. …etc, etc.
Case Study
Mobile Cover Clipping
1. Use of a skill (Mobile Cover) allows players to skip content
2. Skipping content allows faster farming of bosses
Player attacks the client and takes advantage of game mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
Video: https://www.youtube.com/watch?v=kAq2283F7vs
Instancing and Checkpoints
1. Players able to enter a different area (instance) to respawn bosses
Player attacks the client and takes advantage of game mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
Video: https://www.youtube.com/watch?v=Wj8OXIOJvhE
Buff/Talent Stacking
1. Switching gear rapidly caused buffs or talents to “stack”, allowing talents to be used for one-shot kills, infinite money, headshots, etc.
Player attacks the client and takes advantage of game mechanics and uses knowledge of bug to gain in-game currency and enhance gear, resulting in angry players and fewer users, which could have been avoided using better code.
Video: https://www.youtube.com/watch?v=pPsKEXmnL_E
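Stacking of this kind (the case study above and item 3 of the dishonorable mentions) usually comes from stats that are accumulated as equip and unequip messages arrive, so any burst, reorder or dropped message leaves a bonus applied more than once. The block below is an added example, not code from the deck or from the game in the video: an accumulating character beside one whose stats are derived from the current equipment each time they are read. The gear table and the message burst are constructed.

```python
# Constructed gear table: item -> (slot, damage bonus).
GEAR = {
    "ring_of_power": ("ring", 50),
    "plain_ring": ("ring", 0),
    "helm_of_aim": ("head", 20),
}


class CharacterVulnerable:
    """Stats are accumulated as equip/unequip messages arrive. Equip never
    checks whether the slot is already filled, so a burst of equip messages
    for the same slot stacks the bonus once per message."""

    def __init__(self):
        self.slots = {}
        self.damage_bonus = 0

    def equip(self, item):
        slot, bonus = GEAR[item]
        self.slots[slot] = item
        self.damage_bonus += bonus

    def unequip(self, slot):
        item = self.slots.pop(slot, None)
        if item is not None:
            self.damage_bonus -= GEAR[item][1]


class CharacterHardened:
    """Stats are derived from the current equipment every time they are read.
    However many messages arrive, and in whatever order, one slot holds one
    item and contributes its bonus exactly once."""

    def __init__(self):
        self.slots = {}

    def equip(self, item):
        slot, _ = GEAR[item]
        self.slots[slot] = item

    def unequip(self, slot):
        self.slots.pop(slot, None)

    @property
    def damage_bonus(self):
        return sum(GEAR[item][1] for item in self.slots.values())


def replay(character, messages):
    """Apply a burst of client messages ("equip ITEM" / "unequip SLOT") and
    return the resulting damage bonus."""
    for msg in messages:
        verb, arg = msg.split(" ", 1)
        if verb == "equip":
            character.equip(arg)
        elif verb == "unequip":
            character.unequip(arg)
        else:
            raise ValueError(f"unknown message {msg!r}")
    return character.damage_bonus


# Constructed burst: rapid gear swapping with a lost/reordered unequip.
BURST = ["equip ring_of_power", "equip ring_of_power", "equip plain_ring",
         "equip ring_of_power", "unequip ring", "equip ring_of_power"]

if __name__ == "__main__":
    print("accumulated:", replay(CharacterVulnerable(), BURST))   # stacked
    print("derived:", replay(CharacterHardened(), BURST))         # one ring, one bonus
```

The design rule is "derive, don't accumulate": if a stat can be recomputed from authoritative state, never store it as a running total that client messages nudge up and down.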
Current State
• Capturing as many bugs as possible
• Categorizing them
• Putting them into the framework
Future State
• Moar Bugz (crowdsourced)
• Continuous improvement of schema
• Additional ideas for improvement
Next Steps & Help
• If you know any game bugs, you can help out at this location: https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0
• We also just started a Slack channel, in case you don’t already have enough of those.
Thanks & Contact
• Jason Haddix, Bugcrowd, @jhaddix
• Daniel Miessler, IOActive, @danielmiessler
https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project

More Related Content

Similar to The Game Security Framework

GDC Next 2013 - Synching Game States Across Multiple Devices
GDC Next 2013 - Synching Game States Across Multiple DevicesGDC Next 2013 - Synching Game States Across Multiple Devices
GDC Next 2013 - Synching Game States Across Multiple Devices
David Geurts
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source Applications
All Things Open
 
Developing and Hosting Game Server on Cloud
Developing and Hosting Game Server on CloudDeveloping and Hosting Game Server on Cloud
Developing and Hosting Game Server on Cloud
ijtsrd
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
ThreatReel Podcast
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES
CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES
CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES
Yomna Mahmoud Ibrahim Hassan
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and Mitigation
Sunil Paudel
 
Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...
Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...
Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...
AppSolid by SEWORKS
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
Sumanth Damarla
 
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
DevDay.org
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
Yury Leonychev
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication Management
Hitachi ID Systems, Inc.
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
Vlad Savitsky
 
intern.pdf
intern.pdfintern.pdf
intern.pdf
cprabhash
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
Cloud gaming infrastructure in cloudretro.io
Cloud gaming infrastructure in cloudretro.ioCloud gaming infrastructure in cloudretro.io
Cloud gaming infrastructure in cloudretro.io
Th Nguy?n H?u
 
Resistance Girls.pptx
Resistance Girls.pptxResistance Girls.pptx
Resistance Girls.pptx
ssuserf1fd03
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 

Similar to The Game Security Framework (20)

GDC Next 2013 - Synching Game States Across Multiple Devices
GDC Next 2013 - Synching Game States Across Multiple DevicesGDC Next 2013 - Synching Game States Across Multiple Devices
GDC Next 2013 - Synching Game States Across Multiple Devices
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source Applications
 
Developing and Hosting Game Server on Cloud
Developing and Hosting Game Server on CloudDeveloping and Hosting Game Server on Cloud
Developing and Hosting Game Server on Cloud
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES
CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES
CLUSTERED PEER-TO-PEER COMMUNICATION SYSTEM FOR MULTIPLAYER ONLINE GAMES
 
PHP games
PHP gamesPHP games
PHP games
 
Mobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and MitigationMobile binary code - Attack Tree and Mitigation
Mobile binary code - Attack Tree and Mitigation
 
Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...
Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...
Six Strategies for Protecting Mobile Games Against Hackers, Crackers, and Cop...
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
 
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication Management
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
 
intern.pdf
intern.pdfintern.pdf
intern.pdf
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 
Cloud gaming infrastructure in cloudretro.io
Cloud gaming infrastructure in cloudretro.ioCloud gaming infrastructure in cloudretro.io
Cloud gaming infrastructure in cloudretro.io
 
Resistance Girls.pptx
Resistance Girls.pptxResistance Girls.pptx
Resistance Girls.pptx
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
 

More from Daniel Miessler

Practical IoT Security in the Enterprise
Practical IoT Security in the EnterprisePractical IoT Security in the Enterprise
Practical IoT Security in the Enterprise
Daniel Miessler
 
The IoT Attack Surface
The IoT Attack SurfaceThe IoT Attack Surface
The IoT Attack Surface
Daniel Miessler
 
Implementing Inexpensive Honeytrap Techniques
Implementing Inexpensive Honeytrap TechniquesImplementing Inexpensive Honeytrap Techniques
Implementing Inexpensive Honeytrap Techniques
Daniel Miessler
 
Securing Medical Devices Using Adaptive Testing Methodologies
Securing Medical Devices Using Adaptive Testing MethodologiesSecuring Medical Devices Using Adaptive Testing Methodologies
Securing Medical Devices Using Adaptive Testing Methodologies
Daniel Miessler
 
Peak Prevention: Moving from Prevention to Resilience
Peak Prevention: Moving from Prevention to ResiliencePeak Prevention: Moving from Prevention to Resilience
Peak Prevention: Moving from Prevention to Resilience
Daniel Miessler
 
Adaptive Testing Methodology [ ATM ]
Adaptive Testing Methodology [ ATM ]Adaptive Testing Methodology [ ATM ]
Adaptive Testing Methodology [ ATM ]
Daniel Miessler
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015
Daniel Miessler
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of Things
Daniel Miessler
 
The Real Internet of Things: How Universal Daemonization Will Change Everything
The Real Internet of Things: How Universal Daemonization Will Change EverythingThe Real Internet of Things: How Universal Daemonization Will Change Everything
The Real Internet of Things: How Universal Daemonization Will Change Everything
Daniel Miessler
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 

More from Daniel Miessler (11)

Practical IoT Security in the Enterprise
Practical IoT Security in the EnterprisePractical IoT Security in the Enterprise
Practical IoT Security in the Enterprise
 
The IoT Attack Surface
The IoT Attack SurfaceThe IoT Attack Surface
The IoT Attack Surface
 
Implementing Inexpensive Honeytrap Techniques
Implementing Inexpensive Honeytrap TechniquesImplementing Inexpensive Honeytrap Techniques
Implementing Inexpensive Honeytrap Techniques
 
Securing Medical Devices Using Adaptive Testing Methodologies
Securing Medical Devices Using Adaptive Testing MethodologiesSecuring Medical Devices Using Adaptive Testing Methodologies
Securing Medical Devices Using Adaptive Testing Methodologies
 
Peak Prevention: Moving from Prevention to Resilience
Peak Prevention: Moving from Prevention to ResiliencePeak Prevention: Moving from Prevention to Resilience
Peak Prevention: Moving from Prevention to Resilience
 
Adaptive Testing Methodology [ ATM ]
Adaptive Testing Methodology [ ATM ]Adaptive Testing Methodology [ ATM ]
Adaptive Testing Methodology [ ATM ]
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015SecLists @ BlackHat Arsenal 2015
SecLists @ BlackHat Arsenal 2015
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of Things
 
The Real Internet of Things: How Universal Daemonization Will Change Everything
The Real Internet of Things: How Universal Daemonization Will Change EverythingThe Real Internet of Things: How Universal Daemonization Will Change Everything
The Real Internet of Things: How Universal Daemonization Will Change Everything
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 

Recently uploaded

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 

The Game Security Framework

  • 1. The Game Security Framework (1.0) Jason Haddix & Daniel Miessler
  • 2. Us • Jason Haddix: Head of Trust and Security, Bugcrowd • Daniel Miessler: Director of Advisory Services, IOActive @jhaddix @danielmiessler
  • 3. History • This is the second try for the project • Tried originally in 2014, to no avail 3
  • 5. Structure • Normal, English sentences that are used to describe the entire scenario • Each sentence contains placeholders for the various parts of the risk 
 malicious competitor attacks the server-side and takes advantage of limited server-side bandwidth and uses ddos to cause extreme lag that lets them win a match, resulting in frustrated users not playing the game anymore, which could have been avoided using ddos protection. 5
  • 7. Semantic Structure Actor attacks Attack Surface and uses Exploit to take advantage of Vulnerability to try to achieve their Goal, resulting in Negative Outcome, which could have been avoided by Defense. 7
  • 9. Ping + Teleport 9 1. Mess with your own connection 2. Server starts reporting your location sporadically 3. Allows you to pass through objects 4. BONUS: Avoid being attacked because you’re like a ghost Player attacks the network and takes advantage of throttling and uses connection degradation to cause extreme lag that lets them avoid harm, resulting in frustrated users not playing the game anymore, which could have been avoided using better code.
  • 10. Moar Mosters 10 1. When logged in as an admin there are options to do lots of things, like call monsters 2. Players figure out they can execute admin commands as well (only the menu was missing) 3. They get in nasty PvP and call in tons of nasty mobs to crush enemies Player attacks the server and takes advantage of client-side filters and uses hidden admin commands to cause in game chaos that lets them survive pvp, resulting in frustrated users not playing the game anymore, which could have been avoided using server-side controls.
  • 11. Midnight Store
    1. Game bugs required the server to be restarted at midnight
    2. If you were in the middle of a trade when the server went down, both players got both sides of the trade
    Player attacks the game and takes advantage of logic bug and uses knowledge of bug to cause item duplication that lets them unfairly increase loot, resulting in less need to buy things, which could have been avoided using better code.
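The "better code" here is a trade that is all-or-nothing: either both items change hands or neither does, no matter when the process dies. The following is an added example, not code from the deck, that puts the duplicating pattern (copy the items to each side first, delete from the old owners later, committing each step separately) next to a single-transaction version, using SQLite in memory with a constructed two-player world. The restart is simulated by raising an exception mid-trade; for the atomic version this triggers the same rollback the database performs for any uncommitted transaction after a crash.

```python
"""Crash-safe trades: the duplication bug beside an atomic version (added example)."""
import sqlite3


class ServerRestart(Exception):
    """Constructed stand-in for the midnight restart killing the process."""


def new_db():
    # Constructed sample world: alice owns a sword, bob owns a shield.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (owner TEXT, item TEXT, PRIMARY KEY (owner, item))"
    )
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?)", [("alice", "sword"), ("bob", "shield")]
    )
    conn.commit()
    return conn


def holdings(conn, owner):
    rows = conn.execute(
        "SELECT item FROM inventory WHERE owner = ? ORDER BY item", (owner,)
    )
    return [r[0] for r in rows]


def trade_unsafe(conn, a, item_a, b, item_b, crash=False):
    """Copies first, deletes later, committing each step on its own.
    A restart between the copies and the deletes leaves both players with both items."""
    conn.execute("INSERT INTO inventory VALUES (?, ?)", (b, item_a))
    conn.commit()
    conn.execute("INSERT INTO inventory VALUES (?, ?)", (a, item_b))
    conn.commit()
    if crash:
        raise ServerRestart()
    conn.execute("DELETE FROM inventory WHERE owner = ? AND item = ?", (a, item_a))
    conn.commit()
    conn.execute("DELETE FROM inventory WHERE owner = ? AND item = ?", (b, item_b))
    conn.commit()


def trade_atomic(conn, a, item_a, b, item_b, crash=False):
    """Moves ownership of both items inside one transaction.
    Nothing is visible until commit; a restart part-way discards the partial work."""
    with conn:  # commits on success, rolls back on any exception
        moved = conn.execute(
            "UPDATE inventory SET owner = ? WHERE owner = ? AND item = ?", (b, a, item_a)
        ).rowcount
        if moved != 1:
            raise ValueError(f"{a} does not own {item_a}")
        if crash:
            raise ServerRestart()
        moved = conn.execute(
            "UPDATE inventory SET owner = ? WHERE owner = ? AND item = ?", (a, b, item_b)
        ).rowcount
        if moved != 1:
            raise ValueError(f"{b} does not own {item_b}")


if __name__ == "__main__":
    db = new_db()
    try:
        trade_unsafe(db, "alice", "sword", "bob", "shield", crash=True)
    except ServerRestart:
        pass
    print("unsafe after restart:", holdings(db, "alice"), holdings(db, "bob"))
    db = new_db()
    try:
        trade_atomic(db, "alice", "sword", "bob", "shield", crash=True)
    except ServerRestart:
        pass
    print("atomic after restart:", holdings(db, "alice"), holdings(db, "bob"))
```

Two details carry the fix: ownership is moved with an UPDATE rather than copied and deleted, so there is never a moment when two rows exist for one item, and the ownership check (`rowcount != 1`) runs inside the same transaction, so a stale client view of "who owns what" cannot be exploited either.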
  • 12. Marvel at my DC
    1. Play a Star Wars game on Android
    2. Go into Airplane Mode in the middle of the game
    3. Run Android hack to automatically win
    4. Reconnect, advance on the ladder
    Player attacks the client and takes advantage of local hack and logic flaw and uses local hack to cause unfair ladder win that lets them, resulting in ladder chaos, which could have been avoided using better code.
  • 13. Ooh Sparkly
    1. Launching lots of graphics-intensive actions could cause frame rate drops
    2. People load up on the most graphics-intensive combos and fire them off if they’re attacked
    3. Nobody could kill them because they could run away while their game is lagging
    Player attacks the client and takes advantage of resource constraints and uses knowledge of bug to cause unfair pvp advantage that lets them avoid death during pvp, resulting in angry players and fewer users, which could have been avoided using better code.
  • 14. Pink Unicorns
    1. Players find hidden coordinates in network stream data
    2. They hack the client to show hidden items on the map
    3. They find hidden players and items before everyone else
    4. PK or dramatically improved farming
    Player attacks the client and takes advantage of client-side filters and uses client modification to cause see hidden content that lets them pk and farm, resulting in frustrated users not playing the game anymore, which could have been avoided using client integrity validation.
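Client integrity validation is the defense the slide names; the more robust companion to it is to never put hidden coordinates on the wire in the first place, so a modified client has nothing extra to draw. The following is an added example, not code from the deck, that contrasts the two serialisers (send everything with a "hidden" flag, versus filter per viewer on the server) and includes a small test helper that reports any entity ids a packet leaks. The world, view radius and visibility rule are constructed for the example.

```python
"""Server-side visibility filtering for world updates (added example)."""
import json
import math
from dataclasses import dataclass, asdict

VIEW_RADIUS = 50.0  # assumed view distance for this example


@dataclass(frozen=True)
class Entity:
    id: str
    kind: str              # "player" or "item"
    x: float
    y: float
    hidden: bool = False   # stealthed player, undiscovered cache, etc.


def snapshot_client_filtered(world):
    """The pattern the slide describes: every entity goes over the wire with a
    flag, and the client is trusted not to draw the ones marked hidden."""
    return json.dumps([asdict(e) for e in world])


def can_see(viewer, entity):
    """Server-side rule for what `viewer` is allowed to know about `entity`."""
    if entity.id == viewer.id:
        return True
    if entity.hidden:
        return False
    return math.hypot(entity.x - viewer.x, entity.y - viewer.y) <= VIEW_RADIUS


def snapshot_server_filtered(viewer, world):
    """Only entities the server decides are visible are serialised at all."""
    return json.dumps(
        [{"id": e.id, "kind": e.kind, "x": e.x, "y": e.y}
         for e in world if can_see(viewer, e)]
    )


def leaked_ids(viewer, world, packet):
    """Test helper: ids present in `packet` that `viewer` should not have received.
    Run it against the real serialiser as a regression test for information leaks."""
    allowed = {e.id for e in world if can_see(viewer, e)}
    return sorted(obj["id"] for obj in json.loads(packet) if obj["id"] not in allowed)


# Constructed sample world, seen from the point of view of player p1 at (0, 0).
WORLD = [
    Entity("p1", "player", 0.0, 0.0),
    Entity("p2", "player", 10.0, 10.0),
    Entity("p3", "player", 20.0, 0.0, hidden=True),   # stealthed, within range
    Entity("chest1", "item", 500.0, 500.0),            # visible kind, but far away
    Entity("rare1", "item", 5.0, 5.0, hidden=True),    # undiscovered spawn nearby
]

if __name__ == "__main__":
    viewer = WORLD[0]
    print("leaks (client-filtered):", leaked_ids(viewer, WORLD, snapshot_client_filtered(WORLD)))
    print("leaks (server-filtered):", leaked_ids(viewer, WORLD, snapshot_server_filtered(viewer, WORLD)))
```

The filter runs per viewer, which costs more than one broadcast packet for everyone; that cost is the price of the hidden data staying hidden, and in practice it is paired with the spatial partitioning most server engines already do for bandwidth reasons.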
  • 15. Dishonorable Mentions
    1. Convincing players to download a mod so we can “powerlevel you”.
    2. Changing your username to look like a GM, and telling people to give you their items (for safe keeping).
    3. Multiple buff stacking due to race conditions / logic flaws.
    4. Death / looting issues that allow you to loot dead bodies and get their gear without the person losing the gear when they respawn.
    5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken when you DC your connection. As a developer, how would you handle it?
    6. Powerleveling service takes your account for a day or so and you soon get a notification that you’ve been banned (they used you for money laundering).
    7. …etc, etc.
  • 17. Mobile Cover Clipping
    1. Use of a skill (Mobile Cover) allows players to skip content
    2. Skipping content allows after farming rates of bosses
    Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
  • 19. instancing and checkpoints
    1. Players able to enter a different area (instance) to respawn bosses
    Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to skip content that lets them farm items faster, resulting in angry players and fewer users, which could have been avoided using better code.
  • 21. buff/talent stacking
    1. switching gear rapidly caused buffs or talents to “stack” allowing using talents to gain 1 shot kills, infinite money of headshots, etc.
    Player attacks the client and takes advantage of Game Mechanics and uses knowledge of bug to Gain In-game Currency and Enhance Gear, resulting in angry players and fewer users, which could have been avoided using better code.
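Stacking from rapid gear swaps (this slide, and item 3 of the Dishonorable Mentions) is what happens when a stat is mutated by equip and unequip events instead of being recomputed from what is currently equipped: a duplicated, retried or reordered event leaves a bonus behind. The following is an added example, not code from the deck, that shows both designs on a constructed event stream where an equip arrives twice. Item, slot and bonus values are made up for the example.

```python
"""Buff stacking: event-driven stats beside state-derived stats (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    name: str
    slot: str          # e.g. "ring", "weapon"
    damage_bonus: int


class IncrementalStats:
    """Mutates the stat on every equip/unequip event. A retried packet, an
    out-of-order pair of events or rapid swapping stacks the bonus."""
    BASE_DAMAGE = 10

    def __init__(self):
        self.damage = self.BASE_DAMAGE
        self.equipped = set()

    def equip(self, item):
        self.damage += item.damage_bonus
        self.equipped.add(item.name)

    def unequip(self, item):
        self.damage -= item.damage_bonus
        self.equipped.discard(item.name)


class DerivedStats:
    """Equipped gear is the only state; damage is a pure function of it, so
    repeating or reordering events cannot leave a bonus behind."""
    BASE_DAMAGE = 10

    def __init__(self):
        self.equipped = {}  # slot -> Item, one item per slot

    def equip(self, item):
        self.equipped[item.slot] = item

    def unequip(self, item):
        if self.equipped.get(item.slot) == item:
            del self.equipped[item.slot]

    @property
    def damage(self):
        return self.BASE_DAMAGE + sum(i.damage_bonus for i in self.equipped.values())


def replay(stats_cls, events):
    """Apply a constructed stream of ("equip"|"unequip", item) events."""
    stats = stats_cls()
    for action, item in events:
        getattr(stats, action)(item)
    return stats.damage


RING = Item("ring of power", "ring", 5)
OTHER_RING = Item("ring of haste", "ring", 3)

# Constructed: the equip was delivered twice (retry), then a single unequip.
DUPLICATED_EQUIP = [("equip", RING), ("equip", RING), ("unequip", RING)]
# Constructed: swapping rings quickly without an unequip in between.
RAPID_SWAP = [("equip", RING), ("equip", OTHER_RING), ("equip", RING)]

if __name__ == "__main__":
    for name, events in [("duplicated equip", DUPLICATED_EQUIP), ("rapid swap", RAPID_SWAP)]:
        print(name, "incremental:", replay(IncrementalStats, events),
              "derived:", replay(DerivedStats, events))
```

The derived version is also what makes server-side validation cheap: a client-reported stat can be recomputed from the server's own copy of the inventory and rejected if it disagrees.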
  • 23. Current State
    • Capturing as many bugs as possible
    • Categorizing them
    • Putting them into the framework
  • 26. Future State
    • Moar Bugz (crowdsourced)
    • Continuous improvement of schema
    • Additional ideas for improvement
  • 27. Next Steps & Help
    • If you know any game bugs, you can help out at this location: https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0
    • We also just started a Slack channel, in case you don’t already have enough of those.
  • 28. Thanks & Contact
    • Jason Haddix, Bugcrowd, @jhaddix
    • Daniel Miessler, IOActive, @danielmiessler
    https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project