
out um are they yes no okay yeah so they are going out I'll provide the um the PDF if anyone wants uh wants a copy to look at and peruse but we're us we're primarily a software security consulting firm and what that means is we help companies everywhere from or in every place from the design all the way up to the development and into the maintenance and uh and release of software we help them build maintain and and uh and sustain secure software and everything that goes into that and of course games are you know just one form of software in a very unique and exciting industry um you know they come with it their own
set of business risks their own set of challenges given that there are many different flavors of games there's many different platforms that games can exist on there's a lot of different Revenue models all of that and so that's some of the things that we'll touch on and how threat modeling is unique to those various elements of the gaming industry and so here's our rough agenda for today I hope University oh all right my mouse is apparently not non-existent so that's okay um so here's our rough agenda for today and um I'll try not to just read slides back to you and actually talk through the slides instead of uh um you know read them but
um all right so um getting things started threat modeling there's a lot of different nomenclature that goes around the industry on what threat modeling actually is there's a lot of different companies that have a different idea of what it means to threat model something the way we look at it at Cigital is a little bit different than some other folks and we look at it very much in a in a control flow sense as opposed to a data flow um but in general threat modeling is the depiction of a system and a system can be you know one piece of software operating in a network and B it can be you know a SOA-based infrastructure with
many different web services interacting with one another hosted in the cloud A system can be a lot of things it can be an embedded system that's running you know some customized proprietary operating system communicating over a bunch of proprietary Network protocols um with some some back end doing something and basically we're going to build a pictographic representation of what that system is all of the things that make up that system and we're going to Overlay that that pictographic representation of the system with assets controls threats trust boundaries and we're going to use that representation to kind of think about and represent various attack vectors that a set of threat act threat actors can carry out
against a against a system to compromise assets and you know there's a lot of different security activities that are used and applied throughout the industry you know there's pen testing there's um you know you can do a lot of things with reconnaissance like we've had all the the red teaming and social engineering-esque talks today the Privacy talks today you can learn a lot of stuff about organizations about people fitting within an organization um you know and we do all that stuff as well but really that's a lot of pen testing stuff and source code review a lot of that helps you identify very tactical point in time bugs or issues that are happening at a snapshot a
snapshot in uh in time so let's say a cross-site scripting issue or a SQL injection issue or buffer overflow whatever the case may be a threat threat modeling and design analysis is more focused on capturing and identifying the other the other class of potential issues and that is design flaws and you know research over time has shown that you know design flaws and implementation bugs make up about 50 50 each with regards to vulnerabilities that manifest within software systems so to get started with talking about threat modeling in this presentation we're going to talk about a little bit of the syntax that we that we use here at Cigital so we have you know assets
controls threat agents trust zones attack vectors and the attack surface and I'll iterate through each of these just giving you a really quick kind of overview of what those are after I have some beer
and the special is fantastic by the way I don't know who picked the special but it is it is good um so assets assets are probably the the most critical thing that we need to really think about when we're designing and Building Systems so an asset is any piece of sensitive functionality or sensitive information that needs to be protected anything in the system that needs to be protected whether that's user passwords whether that's financial data whether that's game assets such as your you know player's inventory in a uh in a like an MMORPG game whether that's in-app purchase content that you don't want somebody to have without paying for it things to that effect a control
alternatively is the thing that protects the asset um and that could be anything from parameterized queries if you're trying to defend against some value stored in a back-end database that could be something like output encoding it could be any number of things but controls protect assets in short a threat agent is an entity that is attempting to attack your system or intending to cause harm to your system or your organization and as we can see in this little diagram on the on the bottom right a threat agent uses an attack vector to either circumvent or bypass a control to attack an asset or to attack a component which is holding some asset and ultimately they're after that asset and
yeah so you know that's that's basically the the biggest takeaway from from threat modeling that you're going to get is the various ways in which threats or threat agents are going to be able to compromise assets and thinking about and reasoning about these things while you're going through the design stages and then also after a system is all up and running you can do this this stuff again and you know see the various ways in which you've already implemented your system and then you possibly you can go back refactor things as needed to protect uh protect those sensitive assets so thinking about what your threat should be so all threats are different as I'm sure you guys we know and appreciate you
can have anything from you know the script kiddies the very very basic threat actors who are just using a bunch of canned packaged up tools the point and click autopwn all of that all of that crap that they can find and download on the internet to very very sophisticated adversaries and that could be a single adversary in the gaming in the gaming industry uh you know we typically don't think about skilled Advanced uh crazy threat actors but the guys who really are doing in-depth game cracking and bypassing cheat engines or cheat detection engines doing a lot of that low level reverse engineering and patching work it really is complex stuff and carrying out those attacks is you
know it takes a lot of sophistication it takes a lot of knowledge it takes a lot of patience and understanding of the tool set used to do those things so debuggers disassemblers things like that and also you know if if we reason about threat modeling in the context of other systems like Financial systems for instance you can run into the case of the nation states the organized crime all that but these are just some of the some of the ways in which you can think about and break out various classes of threats that you want to reason about um within your threat model and so it's a little bit of a little bit of an eye strain this slide but this is
the the threat modeling process at a high level and basically the at the start of it I'll break it up into a couple of different chunks at the start of it we need to First understand what the system is what it does how it's built we usually do that from a from a security perspective since security is oftentimes not embedded within the development life cycle we're kind of um you know outside looking in or advising inwards we usually do this through a series of interviews artifact reviews things to that effect so we need to interface with the people who designed who built and who implemented this system to really understand everything that that goes into it and we can understand the
various components that go into it the network protocols that are used to stitch those components together the trust boundaries as in the um the network zones that various components fit into we need to understand what the assets of the system are where those actually live the controls that protect them things like that um we then we then need to start you know going back to our previous slide we then need to start reasoning about the threats that are relevant to our system and once we understand the threat structure we can overlay that information onto our system diagram that we've built at this stage and so then we're about six or fifth bullet down yeah fifth bullet
down um so once we've overlaid our threat structure onto our system diagram we can start to enumerate and think through you know being the creative security individuals that we are various doomsday scenarios or attack scenarios that can occur based on how things are built and laid out and we can do this using you know not only our creativity and experience of what we've seen in other places and other systems that we've worked on but we can use a set of canonical attack vectors based on various design patterns that are used for instance if you're using a third-party payment system that is you know sending information over HTTP you know certain attacks that are going to be vulnerable to that if
you know that a password storage scheme was built using the Spring framework and it's you know an older version of Spring you can kind of you can extrapolate that that password storage system was stored using an insecure password storage scheme and not something a little bit more a little bit more Progressive like an Adaptive hash for instance so um you know we build out these these misuse abuse cases these these possible attack scenarios based on how how the various threats exist within our system where they exist within our system what components they can interact with and once that's all done you know we sit back we think about the results and we use the threat model
to identify potentially immediately exploitable things but also use it as a guide to figure out where we might want to go and do more pen testing more source code review more secure design Consulting things like that we use it to guide other areas of our security program and these uh you know these bullets are kind of an iterative process in many cases because you know if you are using a threat model as a living document within an organization so if you're doing this internally you have a you know a development team within your organization a security team within your organization you know you can build the threat model once at the design stage revisit it at different stages or
different release cycles and see how things have changed what new components have been added things to that effect what new controls have been added to address address a Potential Threat things like that so the business risks you know in in any security context we need to consider business risk because as Security Professionals if we cannot illustrate business risk to you know the companies that we're working for or the companies that we're working with if we're Consulting then it's very likely that we're not going to get anything done and that we're you know we just look like the boy who cried wolf um like the Monty Python video earlier for those that that saw it with the
rabbit so you know we need to be able to articulate what what risk a particular vulnerability is going to cause that business and in the gaming industry we've got some unique risks um you know some of these are you know of course overlapping with other other Industries so denial of service of course is very common in you know Financial Services don't like denial service just as much as gaming companies don't like denial service you know account theft and account hijacking obviously not a good thing in many many systems however piracy is one of those interesting things fraud is one of those interesting things and cheating is one of those interesting things that can sometimes you don't necessarily have to protect it
based on the based on the revenue model you know in in many cases it's not ideal for instance if you're releasing a single player game you know you don't want that game to be pirated probably you know it depends on your business goals um but it's more than likely you you want certain DLP or uh uh DRM rather certain DRM controls in place to prevent that game from being just outright pirated sold and downloaded on Pirate Bay or you know insert file sharing or uh torrents I hear and so breaking away from you know the secure design or you know the the high Assurance you know security security Wizards who are waving their hands at
everything and saying you know stop everything needs to be extremely secure everything needs to be perfect before you can go to release that may not always be the case in the gaming industry and you know some assets and some some patterns are worth really getting behind and really putting a lot of eggs in those baskets to protect and some are you know you may just want to outright allow them depending on you know the revenue model or the business model of your game um you know if you're if you're releasing a freemium game that's based all on in-app purchases you may not care how many people um download that or even if the game is
99 Cents and your your primary form of Revenue is coming from in-app purchases you may not care if people are able to bypass that initial 99 purchase as long as they still have to go through the IAP to download all that additional content and so then we get into this into this realm where we have the prevent the control monitor or the allow and you know this this stuff may change every so often depending on again the business model the revenue model um but from our experience this is usually how things break down as you know these things on the left are stuff that we we see companies you know outright we know we have to protect this
stuff day in day out this is what's important to our business our our reputation and of course our ongoing Revenue stream and the stuff in the middle is you know we could go either way we could invest in controls to monitor uh certain you know monitor cheating to a certain threshold and uh for instance with the game Titanfall they monitor um they monitor cheating and if they catch cheating at a certain threshold they'll pair cheaters up as a way as a deterrent and have them fight against each other in their own little cheating uh you know cheating match cheating Death Match um other things if you if you are creating bots that get that obtain a
certain level of efficiency within a game then you may get kicked off or you may have items removed or things like that um so it you know it's all dependent on the business so you know we as security people can't just you know red flag everything and say you know this is immediate problem we have to consider the business risks so moving past that uh modeling the system so as I said we're we build our threat model initially from a system model so we have to we have to pictographically construct what a what a gaming system looks like and again that can be a gaming system can be many many things that can be you know anything
from The Angry Birds mobile app um or Candy Crush communicating with Facebook servers for for authentication and session State Management it could be you know a gaming system like an Xbox Xbox One or PS4 it could be you know the the MMORPG like World of Warcraft or or League of Legends things like that um you know these things are all why these examples are all wildly different with regards to platform um you know Revenue model all of that but it all kind of fits in um and so we have to we have to figure out how that system is built how control flows throughout the uh flows throughout the system from lower privileged users to higher privileged users or components
and we have to capture the various app layer and network layer protocols that are stitching together all of those systems and so this next slide and you don't have to kind of read and interpret the entire thing is a very very very basic system diagram and you can ignore the um The Legend on the bottom for right now um but as if you if you notice we kind of have things broken up into into three primary sections we have the the internet facing um you know kind of untrusted stuff on the on the left um minus the minus the CDM right now but um the untrusted stuff on the left so the players over there you know the game
client is installed on their system the launcher and the Patcher service is installed on their system they have a web browser that can be used to interface with um with our game servers and then within our within our games data center our our own network environment you know we have all these different components we have you know the the servers uh the servers that are handling the distributive world and all the various components that exist on there we have a centralized authentication Service we have you know payment um we have a general uh content driven website we have uh um you know a payments website that's handling Revenue recurring Revenue um information collection and the actual
processing and then some back-end databases things to that effect so trust boundaries and I'll I'll go back here to uh well let you guys read this and then I'll quick click back really quickly um trust boundaries there's there's two different types of trust boundaries that we use anyways and one is a a system or a machine boundary and that is you know one server between another server those would be considered two different machine boundaries so if you have a database server an application server those are two different machine boundaries and then you also have Network boundaries or trust zones and those are you know we have the player land over here and uh well you can't see
where I'm pointing but you have the player land up on the top left and then you have the data center and you can get a little bit more granular if you if you need to and you can go into and zero in on you know restricted Network zones within that organization's data center that might store you know PCI relevant data such as payment payment systems or uh payment data being stored for recurring payments or you know just general databases that are housing sensitive information and um so moving into the assets um these are just some generic assets again in our very overly simplified game um gaming system here um you know some of the some of the ones
that we've reviewed have been you know exponentially more complex and um you know I initially attempted to anonymize one of those and put it up on the slides and it uh it almost gave me a stroke and I tried looking at it in PowerPoint so um so I couldn't do that but these are some sample assets uh relative to this particular game so we have you know the general game content so consider our our sample game here is uh something like World of Warcraft and you know so you pay for the initial clients to be installed on your system you know whether it's 20 bucks 50 bucks whatever you pay an ongoing subscription fee so
therefore you supply your credit card information that credit credit card information or whatever payment method you supply is stored and charged on a on a recurring basis then you have a bunch of uh you have various assets so you have your your in-game inventory your um the armor and stuff that you have the weapons um the currency the virtual currency that you have um the experience points and and uh and such associated with your character and then you have some other things like the the data that influences uh fraud and cheat detection services on the back end and you know we consider that an asset again because it's a sensitive piece of functionality or data that we don't want
to be manipulated because we don't want people cheating and defrauding our game and then on the internal side because we do also consider internal threats in many cases and especially in this case we have the the customer service of the CSR accounts and CSRs in many cases as we you know kind of talked about leading up to this um in the various social engineering talks CSRs and some other privileged um privileged people within an organization will have a lot of functionality that you know they they legitimately need for their you know for their business role but unfortunately if those people get compromised if they're if their credentials get compromised then you can do a lot of damage and this is you know
this is one of those areas where defense in depth is absolutely critical because oftentimes in the in the CSR model you have people with access to the most sensitive information in your system um you know whether that's passwords payment data what have you getting paid the least amount of money in you know your security hierarchy so you're um you know the the model is just kind of flipped on its head you have you know it's uh it's like the cleaning ladies or the the cleaning staff who have access to your entire building whereas you know people within your organization who get you know compensated very well may not have that level of access same same
exact idea so and what I meant earlier by overlaying um and I apologize I think some of these are coming a little bit fuzzy but um you'll be able to see it more clearly in the slides but what I meant by overlaying onto the system model um the threat structure this is exactly what I meant so where an asset or where any of the components that we consider within threat model lie we place that exactly on the diagram so for instance with the with the player database over in the kind of middle right upper portion we have two assets residing there we have the player's information so that is you know the player's personal information their account
information things like that and then we also have their credentials and there's you know other various assets throughout as you know as you guys can can read so of course the controls again are the things that need to protect the the assets they're the you know their their sole purpose in life is protecting a given asset and so again these are just some of the controls within our simplified system that um you know without making the diagram too too hard to interpret um in a very quick manner we like to we'd like to pair the controls right up with the asset that they're protecting and the reason that we do this is that
when you're reasoning about a threat being able to access an asset um you know and that that workflow representing a vulnerability if you identify an asset on your on your threat model that does not have a control associated with it then that very well may be you know a red flag for you as a security or designer to consider um if as a threat agent I don't have to bypass circumvent beat a control to compromise something then there's something wrong um and we should maybe consider it and put some layers of Defense around that so a couple of canonical threats for for the gaming industry and you know again some of these are um you know some of these are Universal you
know you always almost always have to consider the internet facing attacker who's just out there existing in the world just attacking your systems you have the malicious users so the players who will actually pay for the game legitimately or download it legitimately who after doing that that initial bit of Revenue or giving you that initial bit of Revenue you know and they may they may steal it who knows but let's assume they just they just obtain the game they then try to break it further whether that's to buy it once crack it and then release it to the masses whether that's buy it you know release some uh you know release some weaponized exploits for it
that allow Mass cheating at scale whether that's compromising all of your in-app purchases and releasing those for um you know plug and play for the masses you know those kind of users are oftentimes oftentimes the most uh you know narrowed or zeroed in on uh by the gaming industry just because of their uh the skill that that come with that uh with that particular threat agent in many cases um you know using the the tool sets that they do um you then have um you know if you consider multiplayer games or LAN-based games you have attackers and this can actually kind of piggyback off of the uh the second bullet you have attackers who reside on
the same LAN um either exploiting the game clients sniffing game traffic you know performing other various cheats like for instance if I'm playing Counter-Strike with a bunch of my friends on the same LAN and you know there's an exploit in Counter-Strike that allows me to you know outright uh you know win any game that um within the the people playing on the same on the same LAN that I am you know I'm going to have a huge huge advantage over them and you know you can insert any exploit that you want into that into the hypothetical scenario well not so hypothetical but into that scenario and then you've got some internal uh some internal threats so you may have
um you know a malicious customer service representative again with those per with those people being paid the least amount of money in your organization they have they don't have as much motivation to say you know I'm going to really protect my 1250 an hour and I'm never going to betray this company there's no way I won't do it because if somebody strolls in and you know consider a very high security system and they're like I will pay you fifty thousand dollars right now to do something nefarious and I assure you it won't it won't show up at anybody's radar you know they may not have the technical know-how to to understand that their activity is going
to be logged or you know they that fifty thousand dollars may just be too tempting and they may take advantage of the the capabilities that they have in their role to do that nefarious thing whereas you know somebody who's um you know if you try to bribe a CISO with that amount of money um you know you're going to have a much different response as that as that briber then you have other uh you know internal attackers such as just the internal LAN attacker so somebody who just gets a job at a gaming company is residing on that internal Network depending on how that network is segmented you know you may be able to do
um nefarious things as well so if you look at um you know towards the top of our model um if you guys can see that you've got some RESTful calls being made over clear text to HTTP including things to the authentication Service including things from the the payments uh the payments website and right now we don't have any segmentation around that so an internal Network attacker may very well be able to just sniff Network traffic and get access to um to user sessions to user passwords to payment data as it's being passed around the internal Network and ultimately into a database for storage things like that
all right so using the threat model if we step back uh well actually I'll go through the slide and then step back just a little bit I mentioned before with the pairing of the assets and controls the big thing that you want to be able to to step away from at the end of this is how are threats going to attack my system are there any paths in which any one of the threats that I've kind of reasoned about internal threat actors you know the malicious users any of them um can reach an asset without having to go through a control or if they do have to go through a control how easy is that
control to circumvent so we talked about the password Storage security just a little bit ago again if you're using vulnerable libraries to do your password Storage security um you know and let's say you're you're using this library that is you know has all these rave reviews on um you know some some shady uh some shady website that says you know your passwords will not you'll never be the next LinkedIn if you use this library to secure your passwords and all it's doing is MD5 hashing them then you know you as a developer are putting yourself in a bad spot if that password database ever gets lifted because you will be the next LinkedIn your stuff will get cracked
and um so you have to you have to kind of quantify and reason about how strong those controls are that are protecting the assets and you want them to be relative you don't want um probably you know depending on your business again you don't want some high Assurance super secure control protecting some asset that you may not really care about you know again going back that table of the things that we need to outright prevent and then control and monitor and then of course you you may allow them yeah just you know make sure to tie it back into the business risks so considering when to when to do threat models so you know this is just some
ideas um you know within the development process it's usually best to do somewhat of a and this is more of a hypothetical over here on the left because you don't have a system to actually go and you know review you can't validate anything in code you can't validate anything by you know by launching an nmap scan against it or by you know actually interfacing with it so you know this is going to be a very hypothetical you know hand wavy with the Architects and developers discussion here on the left but it's going to give you a good chance to really start to reason about how the security of your system will come to be over time once you get
into the test you know the testing the coding and the builds and then of course once you actually have a a product ready to test and you know start to analyze is the next big area that you know doing a threat model is very useful and this is where you know these two stages and then you can also do it after the fact once you're in production and it's oftentimes when we get brought in to do do threat models is you can have this living document that's kind of evolved over time so a couple of things to uh to consider specific to the gaming industry and you know I've I've kind of hammered on this throughout the talk is
you know different different game genres are going to have different uh different threat agents that you know they're concerned about they're going to have different assets and they're going to have different controls that they use to protect those assets because again we may not want just a pointless control because you know development time is money um and of course the the revenue model all of that is going to be very different so um I'm a massive Batman fan and um you know I have two tattoos and another one seem to come on Thursday uh relevant to Batman so I'm a Batman nerd so um you know unfortunately due to copyright I can't have Batman splashed all
over this uh presentation however I do want to illustrate the differences between these various Revenue models so just quick show of hands how many people are familiar with these two games or classes of games all right so a lot of people that's excellent um yes and um so the Batman Arkham games for anyone who isn't familiar with them they're they're just single player games available for consoles for you can get them off of Steam um what have you and you know you just you play as Batman you go kick ass take names and uh you know save the world or save Gotham anyways and it's very self-contained there are some online challenges but they're very limited
there are some uh bits of d uh DLC that you can download um after you pay for them or downloadable content um but ultimately it's very contained within the the player's system you're not playing against of other a bunch of other players um all of that whereas the DC Universe game is a free to download there are some some premium versions that you can download but mostly it's a free to download MMORPG and you select from a big class of characters um you know you uh typical RPG right you you select your character your class you start to go out do missions gain experience gain uh you know get items all of that and you know it's it's a lot
more long-term to you know you're just kind of working through this story that's relevant to the the character and and side that you're playing on and so the the risks that these two companies face are going to be two very very very different things so cheating in the Batman Arkham games it may not be relevant whatsoever you know a much bigger risk to the Batman Arkham games maybe if uh you know what if a user can well you know piracy is is one thing that I won't get into piracy's um you know a risk in both of these but let's say piracy of the DLC content so what if I'm able to you know automate
the generation of accounts that have free access to DLC and this has happened in a couple of games and I I won't name which and I don't believe it was this was one of them so I think I'm protected there but um they're you know upon generating or upon activating a new account you were granted access to DLC content for a given game and if you can script out the creation of new accounts if there's no email registration or email activation you know we're going to send you a link you click on it verify that you're the owner of this email all of that um but you can just create arbitrary accounts and then activate them through
the game servers and get access to your DLC you as an attacker could carry out this this attack download you know fifty thousand um instances of the DLC and then go resell that at you know at your own price uh you know that may be a huge hit to the revenue of you know Warner Brothers and their their Batman Arkham games uh consequently or uh alternatively with the DC Universe games you know visible cheating is something that could very well destroy the game so visible there's a very big difference between cheating where you know and This falls into the kind of control and monitor stage but cheating just on its own if somebody can kind of just you know unbeknownst to
anybody else just kind of exist and get points and you know make themselves feel good about them uh you know make themselves feel good while they're you know trapped inside for hours and hours on end figuring this out um you know that's kind of a minimal risk to the business whereas visible cheating where you know everywhere they walk people just you know drop dead and all their inventory flows into their um their things or um you know they can automatically win any uh player versus player battle or you know things like that even though they're grossly um you know grossly weaker or less prepared or less skilled or whatever than the person they're playing against that
oftentimes has a very very bad reputation hit against the organization and when people are not paying or when people are not playing these games they're not making the company money so you know very similar to the first talk today about you know people are they're investing all of these dollars to keep your eyes fixated on their content it's the exact same idea here so the longer that you exist in their game even though it's a free-to-play game you're making them more money through the the in-app purchases through you know advertisements that they're that they're shipping you through all of the things that they're collecting so you know two very very different examples even though they're both you know Batman themed and
from the same uh from the same set of Studios so some other things that that need to be considered in the gaming industry and this is you know a little bit more unique than many other Industries because you know Financial Services a lot of it's just web-based stuff you interact with chase.com you know chase.com has a bunch of web services that it interacts with and then it you know sends stuff back to database servers you know many banks operate like this um and you know it's it's very similar for other Industries gaming the the gaming industry is unique because you know they almost have to account for so many different platforms and and all that and
you know you've probably heard the term trusted I'm busted where you know you're trying to you're trying to ship trusted software a trusted system to something where an attacker has complete control over that over that thing um and so there's been technologies that have been kind of pushed out to the masses you know commercial and free and um you know just general design patterns to help protect against these things like like the Arxan and Metaforic commercial products for instance that do you know binary security so you can build your game your game client in such a way that it makes it harder to revert to conduct reverse engineer attack reverse engineering attacks um and actually we'll step back
um so you know in making it more difficult to conduct those attacks you can kind of um you know you can almost take the advantage away from the attacker and you know can kind of keep the ball in your court um you know when considering um you know much more open platforms so for instance uh you know in the gaming in the gaming industry PCs are oftentimes considered the you know the hardest to test because of all the various configurations and um and all of that then let's say game consoles because game consoles ideally are supposed to be much more controlled it's a very it's a very controlled restricted environment until you know the homebrew community comes through and
just kicks the doors down and and says you know we're going to install Linux on everything and you know your system security is is laughable so you know testing on on game consoles there's not as much concern usually with protecting game clients on those consoles because they they kind of inherit the trust um inherit the trust from the game console provider um it's almost uh when you consider um cloud-hosted PCs has anyone heard of NVIDIA's GRID service by chance all right so a few people um so GRID is a cloud hosted gaming PC platform so you know you basically have a gaming PC a gaming rig that's you know hosted in there in their cloud
environment and you interact with it through um through a browser like client and you know they're trying to remove that element of you know the unknown the unknown platform being in the attackers being in the attacker's hands and you know keeping that um you know letting the game provider inherit the security properties of you know of their of their deployment um yeah so you know threat modeling in general it's you know it's not a it's not a tool or a process that is specific to the gaming industry um you know you can threat model all the things you can threat model you know in in the gaming industry specifically you can threat model the the client itself
that goes on the software so if we step back to um you know our model here would be that top left box you know you could get much much more granular with that top left box um and how everything gets installed on that system so for instance one risk would be the fact that the the launcher and patcher is getting content from the CDN over HTTP and that fact may result in an attacker if if that launcher patcher is running as administrator and it's receiving content over HTTP to you know download and execute some some executable code then you know as an attacker on the LAN I may be able to inject myself into that network
connection force them to download a nefarious or malicious executable and get it get that launcher to execute that code as uh as admin on the user system gaining remote code execution rights you know that's one example you can you can threat model the the actual game platform itself so the game consoles those cloud hosted environments things like that you can threat model proprietary network protocols or authentication protocols all of the various server-side components the distributed worlds you know the payment systems the storage systems all of that um and my point in in uh and pointing out you know all of these things that you can threat model is the fact that you know a lot of these things a lot of
these patterns have been looked at in some way shape or form throughout our existence as a as a field um and in software engineering there's you know it's pretty common to reuse components that are proven um you know that have been well reviewed and that's you know that's why we rely on industry standards for encryption like AES because we know that AES has been reviewed by a lot a lot of smart people instead of you know trusting your mom-and-pop shop cryptographer to say you know hey I got this awesome new crypto protocol that you might want to try because it's awesome and I haven't told anybody about it um you know that should be a red flag
and you probably want to stay away from that if you can um but the point here is that you know software engineering is pulling from reliable and trusted components and in the gaming industry we can do the same thing not only from uh from a software engineering and development perspective when we're when we're building our components so you know using a a reliable game engine um such as Unreal or Unity or or Cry or you know any of those any of those you know commercial AAA studios uh engines that have you know that are built on reliable and and proven technologies um but as you're building your back end you know use um use trusted updated frameworks don't
use things that are old out of date uh you know not reviewed not supported um things like that and um you know a lot of these a lot of these patterns you know these are just these are just three um you know there are many many many others and you know I'm happy to chat about them with folks afterwards but a lot of these patterns have crossover into other Industries and you know the security in the gaming industry as I alluded to earlier is very very focused on you know protecting the game client you know trying to make sure that people can't do you know in-memory uh in-memory value exchanges and you know swapping out
um you know swapping out their low health for high health or you know giving themselves unlimited uh unlimited gold things like that that's where a lot of research and focus has been on um but all of the other all of the other necessary things to go into a well well-designed and functional game you know have crossover into other Industries where those things have been very very thoroughly reviewed and so you know as game designers and and game developers and security Security Professionals working in this industry you know we can pull from that experience and help integrate it into the the development process um so we talked a little bit about the the trust that I'm busted a little while
ago but another question to just kind of consider and ask yourselves is you know not only what kind of risks um does your users present to you your game you know in terms of piracy in terms of revenue loss all of that but what kind of risk does your game present to your users for instance if you're developing an inherently uh insecure game and I'll use an example here is we found that um you know one one studio that that we were working with on one particular title were using a you know custom developed uh chat client within the game so you know how you press like shift enter or whatever and you can chat with
with other people in the world and blast out messages or do peer-to-peer messages whatever um the thing was riddled with buffer overflows and basically you could send out Mass buffer overflow attacks to folks on you know on the world that you that you were playing in um you know just via the chat client you could send out your payload through the chat client and get remote code execution on everybody else's system and of course the the game client was running as as admin because it had to run as admin God forbid it run as anything else but you know ask yourself these questions is you know you have to consider both sides of the coin because
they're both they're both very important if if that if that flaw had made it out to had made it out to production um and it was discovered and exploited in the wild it could have been absolutely disastrous for this company um and you know thank God it didn't but you know just something to consider and you know I kind of alluded to some of the values of um you know some of some of this stuff earlier in the talk but um you know of course defense in depth is an absolute must you know the more green boxes if you're doing the asset control approach to threat modeling more green boxes you can have next to your
sensitive assets or on the way to those sensitive assets the better you know make sure that if an attacker is going to compromise an asset then they're going to have to go through a lot of pain and trouble and you know security testing Wizardry to get to that asset you know throughout your development process make sure that you have various touch points whether those are architecture discussions whether those are pen tests whether those are code reviews or automated code reviews just checking for you know memory leakage issues or you know have Network scanning stuff going on looking for you know vulnerable ports that are open out of date software things like that you know having many touch points as
possible without you know grinding development to a halt because ultimately you want security to be an enhancement to the product not an inhibitor um and that's you know a whole other topic in itself and you know as you move into devops land and you know automating all the things um so you know using threat modeling to drive other security activities so you know admittedly this is a little bit of a heavier weight process than running you know point-and-click scan or something like that as I'm sure you you know can can reason from this uh from this presentation is you know it takes a lot of you know human thought and human you know intervention to kind of Reason
about how the system is put together you know think about what the attacks are going to be think about where everything has to live all of that and you know all of that human time spent on something you know is ultimately time spent that you know they can't go do other things and we don't yet have intelligent enough machines to do this stuff or at least you know not that they're not intelligent enough but we don't have the software necessarily to do all of this given how complex some things are um but I'm sure we'll get there someday and that'll be that'll be fantastic um so also uh you know these two these last two things are kind of uh
intertwined together but you know consider the value of the asset that you're trying to protect you know ultimately if you have that low value Asset you know that's not where you want to be throwing all of your your develop your security development and security engineering budget at you want to be protecting all of the very high value assets um you know it makes perfect sense when you when you step back and think about it but we've seen many many organizations just redirect their security budgets in the exact wrong or opposite direction and ultimately has come back to bite them in uh you know in negative ways and um yeah so uh wrapping up now so does anyone have
any questions or anything and we've got about six minutes until we flip the room into uh into dinner and such and get more beers so yeah
so the question was um that all focused around whether there has been any significant enhancements in DRM and whether it works any better nowadays um the answer is kind of so there's a few new you know a few new uh developments out there like Microsoft is putting out you know putting out like their PlayReady service and there's a few other companies who are kind of piggybacking on like the iTunes DRM original DRM model and like Kindle's DRM and stuff like that but ultimately there exists nothing out there currently that has not been broken and in the research that I've done a lot of the a lot of the DRM has focused mostly on you know protection of physical media
and ultimately that ends up going more towards uh you know protecting like the Blu-ray Drive players and the and the discs that are going out you know mostly movies on them um and not a lot has gone into you know protecting games because ultimately we're moving towards a very very digital distribution model um or at least digital distribution heavy model for gaming and like Steam for instance has actually done um you know they're one of the they're one of the bigger um you know some people love them some people hate them um but they're one of the you know kind of they call themselves pioneers and and I kind of agree with them in this case but
what they're doing is they're doing account specific um they're creating account specific content encryption keys and so you know when I have my Steam account um it will create a a Content encryption key for my for my account and it'll encrypt a portion of whatever game binary I download so if I want to download um you know one of the new Star Wars games in the new GTA 5 game um it'll encrypt part of that um part of that game client with my specific account key and that account key is of course tied to my account so when I go to another laptop or you know a friend's PC I can just log into my
account and um you know assuming that the game is there I can I can decrypt that part of it and and go ahead and play the game but other other users on that same system logged into their own steam accounts won't have that same account key and be able to decrypt the same part of the um the game client and get past it so that's one of the one of the bigger more popular approaches out there that I've seen right now um you know and a lot of folks are actually opting towards the you know to help with DRM we're just not going to do it and piss our users off and you know get money otherwise
hope that helps yep
right yeah so um you know it's more of a comment that the most legitimate and and effective DRM uh mechanism out there right now is to make it almost you know just built into the purchasing process and completely transparent to the users and you know DRM has a has a nasty reputation you know of course Publishers and producers and such want to protect their intellectual property and who can blame them um you know but the biggest complaint against DRM has not been because these people want to protect their intellectual property it's because it's an enormous pain in the ass and yeah
yeah yeah that makes a lot of sense so yeah so just uh recounting experience where um I think I heard it all that you know the only um version that worked was the one that was cracked running on top of the the supposedly protected version um and yeah that's oftentimes what happens in the um in the pirating uh the pirating industry is people are you know you'll have the crackers who will you know show that they can crack or or beat a game's DRM and it happens in the homebrew community as well as though they just want to get around the system security and prove you know that they can do it it's more of an intellectual curiosity
and then you have all the pirators who come in after the fact and actually try to make money off of it um it's kind of a unique little black market itself yeah sure
so it depends on the uh on the money so there's been a few cases where um at least that we've been involved in you know so some of our clients most of our clients rely on us in a um in a very like advisory role where we help them you know throughout their sdlc do testing and design reviews all of that but when we get to a certain level of trust with some of our clients we'll help them and advise them in somewhat of a an incident response capacity and we've had a couple of cases where Studios kind of putting out putting out marketplaces of sorts for you know new game content or new games in themselves
where they have a very very big social life so it's almost like a social media component or extension of their organization um and as soon as you have you know a YouTube video that you know shows how you can download everything on their site for free um or they see black market sites uh pop up with everything at half off from from their Marketplace we've seen that a few different times and you know we've had to like go through it you know there's not really much you can do with the with the black market stuff you have to kind of um you know take a take a you know plant your flag in the sand and say you know
we're going to defend everything from this point forward um and so it's it's like a an engineering mad house where you know everyone is working like around the clock to figure out how to prevent you know how it happened one how to prevent just that and then you know everyone's coding and designing things like it nut cases but yeah I mean we've we've observed it a few different times um the weaponizing at scale but even if it's not weaponizing in the sense where you're monetizing things um weaponizing it in the sense where it's you know visible cheating at scale so if somebody can put out a YouTube video and say you know download this free little utility that I that I uh
created for free and install it on your system and it's going to allow you to you know win any match um you know that visible element of cheating like if you just go online and you know some popular games and download like you know such and such cheats and you see a lot a lot of times users won't play that game uh you know thus impacting the revenue model
so the question was uh focused around the motivations of the attackers developing these hacks and these bots uh things like that was that all right um sorry it's hard to hear up here uh what's up right so a lot of times you know it kind of circles back to the um you know to the um you know the very very stereotypical hacker persona that we uh that we brought up before so you know that malicious user threat agent um is very oftentimes you know doing it for more of a reputation boost so they want to show in their you know in their little uh you know hacker inner circles that they're the ones to you know who
broke this system who did this thing that's why you know at some of the um uh there's a few German uh German-based conferences that um and and uh REcon and LayerOne down in LA um who have you know a couple of these really kind of elite game hacker groups um uh like C forever um a couple other names are escaping me but the guys who do like the like the console uh the console rooting um and the guys who found that uh the PlayStation 3 was not using um was not using a secure random number generator in their uh um and some of their encryption implementations and thus were able to predict the
um predict the master key used to sign all the binaries on the consoles and thus be able to run any code that they want and so um and they they just publish that out there and they're like you know look at this cool that we can do and they showed all the math behind it and people are like and you guys are awesome so you know it's a lot of times that that threat agent is very much a um you know a reputation or uh you know look what I can do kind of motivation that's what we've seen anyways and of course every threat agent is going to have very different motivations
yeah yep yeah I mean consider really any any hacking stuff like you know we do this stuff because it's fun right and we get paid for it cool and uh I think they're getting ready to flip the room so I'll end there but I'll be around at the dinner and around tomorrow if anyone wants to catch up and chat and uh happy to chat
oh there it goes all right thank you very much for coming out if you did buy a VIP ticket or a speaker please stick around in our Lounge we're gonna have some cocktails and uh while we flip the room to dinner uh and for the rest of you we'll see you tomorrow thank you for coming out