Fundamental security concepts and best practices every game developer should know

Gaming is now the world’s favorite form of entertainment, with Newzoo reporting that by 2023 there will be over three billion gamers on the planet. With the growth of multiplayer games, however, the number of cheaters has also increased.

A study of The New York Times found that nearly 50% of computer gamers admit to using game cheats at least once in their lifetime. Such a volume of cheating significantly harms the gaming experience and, consequently, the revenue of the entire industry, which is estimated at over $300 billion.

If gambling isn’t your thing, just imagine if in every competitive event you watched there was a high probability that one (or more) of the players was cheating. Would you still like it so much?

Is there a difference between the types of cheats regarding prevention?

There is a huge variety of cheat types, from simple upgrade bots that help the player perform exhausting actions over time, to advanced item duplications and infinite ammo.

Client-based cheats like “aimbot”, which allow the player to auto-aim in shooters, and macros that perform a set of pre-recorded actions are impossible to prevent entirely because they are not implementation dependent of the game and only run on the player’s local computer (client). That’s why it’s still seen even in the most popular AAA games, which can have near-infinite security budgets.

As such, although it is far from a simple process, what types of cheating can be avoided by writing secure code and through better design?

Three real cases of cheating in multiplayer games

In Defcon 2019, a player named Manfred showed how easy it is to cheat the most popular multiplayer games. To circumvent all the encryption and obfuscation methods, he used code injection in different layers which allowed him to read and write code on the games client.

  1. In the popular game Ultimate online, each player can delete their own house, but apparently the house id was sent in the request packet and there was no validation from the server that the house id belonged to the requesting player. All the bad actors had to do was change the house id before it was sent to the server and you could now delete other players’ houses.
  2. In another demo, Manfred showed how he exploits massively multiplayer gaming, crevasse. Using integer overflow, he removed -1 coins from the bank and received the maximum amount instead.
  3. Even simpler, and requiring no manipulation of code, by GTA 5 online a player could have an infinite supply of ammo by modifying the client’s memory. Simply locate the memory address that holds the ammo value, which could be done easily with software like “Cheat Engine”, then find your current ammo value (240 for example) and fire a single bullet. Then search through the found addresses for the new value (239). The remaining addresses are the ones that hold the ammo value, so all cheaters have to do is keep changing those address values.

How to avoid cheating in online games

There are two fundamental concepts that can help you achieve a more secure game:

  1. Treat the code as open-source.
    While encryption, obfuscation, third-party applications, and other techniques designed to make it harder to tamper with client code are good security practices, they cannot be relied upon because they can be easily circumvented.
  2. Never trust the client and everything that comes with it.
    As we saw in the examples above, cheaters can modify client memory, disk, network traffic, runtime code, and everything else on the client side.

Seven best practices to avoid cheating in online games

Keeping these two notions in mind, there is no point in establishing a prevention strategy on the client side. We will only focus on the server side. Below are best practices for preventing cheating in any multiplayer game.

  1. Use dedicated servers as the only valid authority. Other multiplayer architectures, like listening servers or P2P, may be good enough for development but not for production. Game decisions should only be made on trusted and protected servers.
  2. When writing network-related code, it is important to separate client and server logic. Labeling server functions designed to be called from the client is the very first step in preventing cheating, as these will be the functions you will need to address.
  3. Never update the server with the result, but with the actions that led to it, even if it involves redundant processing. For example, instead of updating the server that the player has acquired X items, update exactly what the player has done. This will allow the server to perform the necessary checks and draw the required conclusions.
  4. Avoid sending client parameters to the server, again, even at the cost of further processing. Instead of updating the server that the player fired a type X bullet, let the server re-fetch the weapon type.
  5. Validate everything that comes from the client and ignore all client-side checks. Before firing a bullet – is the player holding a ranged weapon? Are there any bullets in the magazine? Is he still alive? Are the parameters received valid and within the expected range of values? Don’t even skip trivial checks!
  6. Enforce a minimum delay between client-server calls, to prevent a server function from being called at a shorter interval than it should. This will for example prevent a cheater from emptying their entire magazine at very high speed (rapid fire modifications).
  7. Environmental controls – some validations will not be as easy to perform. If the player tries to interact with an object in the world, for example, you can check the distance between the player and the object, but what if the object is blocked and the player cannot not interact with him? These types of checks can be performed using engine environment queries (e.g. line traces, collision checks) and in some cases can affect server load.

Summary

Unlike other areas, in multiplayer games, the communication with the server is immense. Each action must be synchronized and validated within the server, which makes it very easy to lose track.

All a cheater needs is missing validation. That’s why it’s essential to have this mindset from the start of a game’s development, always thinking about the possibilities of cheating and how to prevent them.

As mentioned, not all cheats can be avoided by better implementation and code design. The most common type are game bots, software applications that run on the player side and give them a significant advantage.

In a related article, my colleague Oren writes about the evolution of bad bots and why they are so hard to detect.

The post Fundamental Security Concepts and Best Practices Every Game Developer Should Know appeared first on Blog.

*** This is a syndicated blog from the Blog Security Bloggers Network written by Tal Shabi. Read the original post at: https://www.imperva.com/blog/fundamental-security-concepts-and-best-practices-every-game-developer-should-know/

Comments are closed.