Dangerous Code?
If Law is Code, then code is also a critical point of intersection between our virtual and real lives. Yet these software and hardware edges are combat zones: hackers and scripters on one side, developers and their supporting cohorts on the other. It is an important struggle that goes to the heart of the integrity of our worlds. On the one hand, exploits left unchecked can topple our virtual cathedrals. On the other hand, the solutions sometimes ask compromises of us. When is the cure worse than the disease?
We thank Sean Meadows for bringing to our attention an interesting turn in this struggle involving NCSoft and some of their games...
It would seem that we, as players, as elves, as superheroes, or rogues - or whatever your vocation - are in the midst of a vast co-evolutionary struggle.
The use by game developers of specialized software products to monitor and protect game clients seems, on the surface, a natural development. NCSoft's purported use of such a system (see BUGTRAQ citation below) appears to be one example. The product manufacturer in this case claims the following benefits:
"Malicious code diagnosis and blocking... Blocks Auto-mouse and Macro program... Blocks access and manipulation attempts to the game client... Self protection of security module... Detects Speed hack... Optimized CPU occupancy rate"
Because of the nature of the attacks this product guards against, and the way it is designed to be integrated with the client software, its solution necessitates a substantial and intrusive reach into the host computer system. Ryu Conner asserts that this reach may be dangerous (via this BUGTRAQ report). What of the larger implications?
That there are barbarians pounding the virtual gates is no surprise. Consider, for example, a forum post (below) with its claimed instructions on how to (partially) circumvent the cited product. The depth of detail deployed on both sides suggests the sophistication of the contest:
Tweaked gunbot!!
Hey'a, I was bored this afternoon, so I decided to do some testing stuff. I've added some professional encryption and protection tools to the newest (and cracked) gunbot, since I'm too lazy to search for the original one, and I just wanna know if it works normally. If it works, and if the releasers want to, they can give me the original proggy and I'll add encryption to the proggy, making it much harder for the gis team to patch it. Since I'm on Win ME, I don't know if it works.
Ohhh, I was almost forgetting: I was looking at the nProtect files, and I've just found out that gunbound.gme has a software protection called "ACProtector"; I guess that is what makes gunbound.gme "hide" itself after a while, and other stuff. "gameguard.des" has a packer named "UPX", "gamemon.des" also has the UPX protection, file "npggNT.des" has UPX, file "npgmup.des" also has the UPX protection, file "npgmup.des.new" has UPX protection, file "npsc.des" also has UPX, and FINALLY "NPSCAN.DES" has a protection called "PE Compact". So, if you wanna make a bypass, first you gotta kill ALL those protections.
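The poster above identified the packers on each module by looking at the files. The Python below is an added illustration of how that triage is done mechanically; it is not part of the forum post, of the cited product, or of any NCsoft tool. It walks the PE headers (MZ stub, e_lfanew, the PE signature, the COFF header, then the section table) and flags the default section names that UPX, PECompact and a few other packers leave behind, plus two structural hints a packed image tends to show: a first section that is empty on disk but large in memory, and sections that are both writable and executable. The two sample images are constructed header-only PE32 blobs built in memory, not real GameGuard files, and the name table is a heuristic, since a packer can be told to rename its sections.

```python
import struct
from dataclasses import dataclass

# Default section names left behind by common PE packers. Heuristic only:
# a packer can rename its sections, so a miss proves nothing.
KNOWN_PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    "pec1": "PECompact", "pec2": "PECompact", "PEC2": "PECompact",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


def pe_section_headers(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[1], f[2], f[3], f[4], f[9]))
    return sections


def identify_packer(data: bytes):
    """Return (packer name or None, list of human-readable findings)."""
    sections = pe_section_headers(data)
    packer = None
    findings = []
    for s in sections:
        if s.name in KNOWN_PACKER_SECTIONS:
            packer = KNOWN_PACKER_SECTIONS[s.name]
            findings.append(f"section {s.name!r} is a default {packer} section name")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s.name!r} is both writable and executable")
    # Classic unpacker layout: the first section is empty on disk and filled at run time.
    if sections and sections[0].raw_size == 0 and sections[0].virtual_size > 0:
        findings.append(f"first section {sections[0].name!r} has no raw data but "
                        f"{sections[0].virtual_size:#x} bytes of virtual size")
    return packer, findings


def build_pe(sections) -> bytes:
    """Build a header-only PE32 image (constructed test input, not a real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222           # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, raw, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, raw, chars in sections)
    return dos + b"PE\0\0" + coff + optional + table


# Constructed samples: a UPX-style layout and a plain compiler layout.
UPX_SAMPLE = build_pe([
    (b"UPX0", 0x20000, 0x1000, 0, 0xE0000080),
    (b"UPX1", 0x9000, 0x21000, 0x8800, 0xE0000040),
    (b".rsrc", 0x1000, 0x2A000, 0x600, 0xC0000040),
])
PLAIN_SAMPLE = build_pe([
    (b".text", 0x8000, 0x1000, 0x8000, 0x60000020),
    (b".rdata", 0x2000, 0x9000, 0x2000, 0x40000040),
    (b".data", 0x1000, 0xB000, 0x400, 0xC0000040),
])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        packer, findings = identify_packer(image)
        print(f"{label}: packer={packer}")
        for line in findings:
            print("  -", line)
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `identify_packer`. The structural hints matter more than the name table: a renamed UPX section still has no raw data and is still writable and executable, which is what an unpacking stub needs.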
If the moorings of the virtual to the physical world become messy and expensive, this could sour the economics of deploying these worlds on the multi-purpose, familiar configurations and platforms we use today. That would be a shame.
Games really have to get out of the bad habit of only running nicely in admin accounts. At some point I expect Microsoft will strongly encourage users to run as a limited user, probably through a future version of Windows. Right now I suspect the majority of users are running as full admin, and that's putting them at some risk.
What does this mean for virtual worlds? It means the clients shouldn't write anything into c:\program files unless necessary - there are other, well-documented places to put this kind of data. So when it comes time to download a patch, the patcher UI is going to need to prompt the user for admin details or similar so it can run temporarily as that user, or say 'log on as admin please'. The issue with writing data into Program Files is that an attacker could replace code with his own, and when that code was run in an administrative context, the attacker's code would get those rights.
None of this stuff ought to be new, it's been in the Windows Logo program guidelines for about 10 years.
Microsoft's program manager for Security has a few interesting videos over at their channel nine site
Posted by: David Roberts | Jan 20, 2005 at 11:40
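The precondition Dave describes (code sitting in a directory an unprivileged user can write to, later run with administrative rights) is something an administrator can audit for. The Python below is an added example, not part of the comment above and not any game's own tooling. It uses POSIX mode bits, so it runs wherever Python does; on Windows the same question is answered by the directory's DACL, with icacls or Get-Acl, not by mode bits. The install tree it audits is constructed in a temporary directory for the demo, and the list of "code" extensions is an assumption (the .des extension is the one the forum post above reports for the GameGuard modules).

```python
import os
import stat
import tempfile

# Extensions treated as code the client will load. Assumed for this example.
CODE_EXTENSIONS = {".exe", ".dll", ".des"}


def writable_by_non_owner(path: str) -> bool:
    """True when the group or 'other' write bit is set (POSIX mode bits).
    On Windows the equivalent check reads the DACL (icacls / Get-Acl)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_replaceable_code(root: str) -> list:
    """Return code files under root that a non-owner could swap for their own.
    A writable directory counts even when the file itself is read-only: the
    attacker deletes the file and drops a new one with the same name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        dir_open = writable_by_non_owner(dirpath)
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in CODE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fn)
            if dir_open or writable_by_non_owner(full):
                hits.append(full)
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed install tree: a locked-down bin dir, a patcher dir left
    world-writable (the mistake the comment describes), and a data dir."""
    root = tempfile.mkdtemp(prefix="game_install_")
    layout = {
        "bin": (0o755, {"client.exe": 0o644}),
        "patch": (0o777, {"patcher.dll": 0o644}),
        "data": (0o777, {"settings.ini": 0o666}),
    }
    for sub, (dmode, files) in layout.items():
        d = os.path.join(root, sub)
        os.mkdir(d)
        for fn, fmode in files.items():
            p = os.path.join(d, fn)
            with open(p, "wb") as fh:
                fh.write(b"\x00")
            os.chmod(p, fmode)
        os.chmod(d, dmode)  # set last so the mode is exactly what we asked for
    return root


def demo() -> tuple:
    """Build the constructed tree, audit it, and return (root, hits)."""
    root = build_demo_tree()
    return root, find_replaceable_code(root)


if __name__ == "__main__":
    root, hits = demo()
    print(f"audited {root}")
    for h in hits:
        print("replaceable by an unprivileged user:", os.path.relpath(h, root))
```

Only patch/patcher.dll is reported: client.exe lives in a directory only its owner can write to, and settings.ini is writable but is data, not code. Point `find_replaceable_code` at a real install prefix to run the audit for real; anything it lists is a candidate for the swap-the-binary attack the comment warns about.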
This is becoming more of an issue as extensible clients become more common. Although SWG's macros don't contain the ability to execute arbitrary code, it's entirely possible that there's a buffer over-run hole or something similar in there. AC1's Decal (which was entirely third-party) system is wide open to exploitation, and there are probably some potential "gotchas" in WoW's client extensions. Tribes 1 and 2 had *very* extensible clients (script writers had access to nearly everything the original UI programmers built), including the ability to run outside DLLs and executables.
There are a lot of plusses to extensible clients (leveraging the userbase to throw many thousands of programmer hours at the UI, specialized UI's that it wouldn't be cost-effective to implement in-house, side-tracking the hacking urge into something constructive). But there are going to be some very big messes while we figure out how to handle the process.
What I would like to see (and eventually expect) would be an "Authorized Extension" system, where the client and servers contained management for UI extensions that had been approved. You could run any UI extension you wanted if you were writing it yourself, in a protected memory space with lots of debugging and security hooks (which would slow the code down considerably). For a fee, you could submit your extension for review by the game operator, who would examine it to see if it was well-behaved, original, and well enough documented to be supportable, then make it available to players on a micropayments plan (add 25 cents to a dollar to your monthly fee for that month if we're talking a one-time fee, pennies to nickels if we're talking monthly renewal), remitting most of the micropayment to the author and keeping the rest to defray support costs. If an extension costs more to support than it makes in micropayments, it gets pulled or a surcharge is added. Possibly the agreement with the author would require them to provide support (if you are getting a nickel a month from 20K players, a few hours a week supporting it is a reasonable exchange). I like that better, actually: not only does it move the cost off my books, it gives the creators an incentive to fix their bugs and provide good built-in help.
People could still bypass your authorized system by running scripts they had downloaded in debug mode, but a few strategically placed nag screens about the unreliability and dangers of unauthorized extensions (a la Microsoft's "Signed Drivers" program) and a couple of inevitable trojan incidents would keep that to a minimum. Players get better UIs, operators get happier customers, an independent workforce they don't have to pay, and more money, and extension authors get paid without the hassles and freeloading of your typical shareware situation.
There's some liability concerns there, which a good lawyer would have to look at and write the agreements for. And I'm not sure what labor laws would say about the status of the extension authors.
--Dave
Posted by: Dave Rickey | Jan 20, 2005 at 12:06
I have a lot of different feelings on this. I'll sum it down to this, though: if NCI (NC Soft NA) is representative of the industry, then MMOs are vastly unprepared to one day wake up and be told that their customers are exposed to a critical vulnerability.
And I mean that at all levels and in all facets. There appear to be no channels to deal with receiving an exploit. There are no channels to fix it. There are no channels to talk about it. When an exploit becomes known, the company line needs to end and the human being needs to surface. You should feel a civic and moral duty to protect your customers. I *do not* see that level of maturity.
It continues into the technical domain. It would appear that the coding process is not taking pains to see security as a goal: compatibility issues with security features (like non-admin accounts), no review of the security of your own code. And it would appear that when you partner with a third-party company you just take them at their word. A handshake and a contract is obviously good enough to mean you'll never have a security issue.
That's not just unprepared, that's negligent.
This doesn't even delve into the customers' feelings. They will not be happy about such things. There will be privacy concerns, autonomy concerns, efficacy concerns, and technical concerns. No one likes being considered a criminal in their own home.
Is the cure worse than the disease? It certainly is for the customer when the service chooses to be dysfunctional.
Posted by: Sean Meadows | Jan 20, 2005 at 13:59
From Jan 6th, The Sims 2 'viral spreading' of unwanted sim behavior through EA's SimExchange:
http://www.securityfocus.com/news/10232
Posted by: Andres Ferraro | Jan 20, 2005 at 14:06
Two thoughts:
1) If the hardware is not under your physical control, absolute security is impossible - there *will* be breaches. The question is, how hard can you make these breaches to achieve?
Which segues nicely into
2) the support you get from the OS. As long as our virtual worlds run on a "Hacker's Paradise" OS (yes, Microsoft, that means you!), the manufacturers of those worlds are almost forced to take excessive precautions. Most of the things that nProtect offers should be offered by the operating system - a clear separation of processes is mandatory for security, and Windows is sorely lacking in that department. Especially since (as previously mentioned) most games require admin privileges.
Posted by: Robert 'Groby' Blum | Jan 21, 2005 at 12:06
What would be a non-Hacker's Paradise OS?
You wouldn't seriously suggest that it would be any more secure to run under Linux? The user *has* admin privileges to their own system! Thus, forbidding the game admin privileges doesn't stop them from running the crack with admin privileges.
- Brask Mumei
Posted by: Brask Mumei | Jan 21, 2005 at 20:40
I'm a huge advocate of closed systems for games :)
If you can't have that, it'd be nice if the OS made it at least hard to get at the code. I'm not suggesting other OSes do a good job there, either - but Windows makes it ridiculously easy, even if I do not have admin privileges.
At the end of the day, though, no commercial OS out there is focussing on malicious attacks through root/admin. (Yes, it's an extremely hard topic. But it's overdue. )
My point still stands - as long as the OS doesn't support it, the manufacturer has to build it. The harder the OS makes hacking, the less the manufacturer will be inclined to invest additional time and effort to prevent it.
Posted by: Robert 'Groby' Blum | Jan 24, 2005 at 10:39
Update on Kotaku:
There’s been quite a strong response to NCsoft’s decision to require anti-cheat software Gameguard to run for access to their massively multiplayer online game Lineage II...
Posted by: Nathan Combs | Jan 28, 2005 at 21:22
Just yesterday I was sent a reference to a news story from Johannesburg about obsessive gamers planting trojans and worms to gain access to online game resources. Lineage was mentioned as one of the top targets.
An interesting quote from the story:
"It's sad to think that people will be so desperate to do better in a virtual world that they're actually prepared to commit a real crime. We expect to see more Internet skirmishes between rival online gamers and malicious code to assist this kind of Internet robbery in the future."
Achievers will stop at nothing to win! ;-)
http://www.itweb.co.za/sections/internet/2005/0501260953.asp?S=Virus%20Watch&A=VIR&O=FRGN
Personal addendum: At 28.8 kbps, I found Valve/VU's Steam absolutely abhorrent. Four hours to download multiple patches, then another "we don't trust you" download three weeks later? No thanks. As much fun as HL2 was, I don't ever want to suffer experiences like that again.
But given the cheaters this kind of intrusiveness is probably the future. Sigh.
--Flatfingers
Posted by: Flatfingers | Jan 29, 2005 at 00:42