Server-side Verification of Client Behavior in Online Games Darrell Bethea Robert A. Cochran Michael K. Reiter University of North Carolina at Chapel Hill {djb,rac,reiter}@cs.unc.edu Abstract operators are not the only ones for whom the stakes are high. Hoglund and McGraw [18] argue that “games are a Online gaming is a lucrative and growing industry, but harbinger of software security issues to come,” suggesting one that is slowed by cheating that compromises the gaming that defenses against game cheats and game-related security experience and hence drives away players (and revenues). problems will be important techniques for securing future In this paper we develop a technique by which game de- massive distributed systems of other types. velopers can enable game operators to validate the behav- In this paper, we develop an approach to detect a signifi- ior of game clients as being consistent with valid execu- cant class of cheats in which a player changes a game client tion of the sanctioned client software. Our technique em- to allow behaviors that a sanctioned game client would not ploys symbolic execution of the client software to extract allow; to accomplish this, the player might modify the client constraints on client-side state implied by each client-to- executable or in-memory data structures of a running client, server message, and then uses constraint solving to deter- for example. Today, the most robust defense against such mine whether the sequence of client-to-server messages can client modification is to maintain authoritative state at the be “explained” by any possible user inputs, in light of the server, beyond the reach of direct manipulation by cheaters. server-to-client messages already received. The requisite This, however, exacts a heavy price from game operators, constraints and solving components can be developed ei- owing to the increased bandwidth use that results due to ther simultaneously with the game or retroactively for ex- sending low-level client events (in the limit, every player in- isting games. We demonstrate our approach in two case put) to the server for accessing such state and conveying the studies: one of the open-source game XPilot, and one of a effects back to clients. As bandwidth is one of the largest game similar to Pac-Man of our own design. costs for large-scale game operators [29] and also a recur- ring one, this tension between bandwidth use and cheat pre- vention is problematic: 1 Introduction In the US and European markets, a good goal to shoot for is 4-6 kilobits per second (kps)/player Multi-player online games are very popular and prof- or less. ... If you can get the bit rate down to itable, and are growing more so. Since 1996 the computer 2kps, you’re “golden.” It’s hard to see how that game industry has quadrupled — in 2008 alone, worldwide can happen, however, without putting dangerous video-game software sales grew 20 percent to $32 billion amounts of data directly into the client, which is [26]. Estimates place revenue from online games at $11 bil- just asking for trouble from talented cheaters and lion, with games such as World of Warcraft, which has more hackers. [29, p. 112] than 10 million subscribers worldwide, bringing in around The movement of games to all manners of devices using $1 billion in revenue for parent company Blizzard Enter- wireless, volume-priced communication only reinforces the tainment [1, 34]. importance of keeping bandwidth utilization to a minimum. Since its inception, the online game industry has been Moreover, even with the amount of detailed client infor- plagued by cheating of numerous types, in some cases with mation collected at the server, server-side checking today financial repercussions to the game operator. Age of Em- is heuristic (and thus potentially incomplete) and manually pires and America’s Army are examples of online games programmed (and thus effort-intensive): that suffered substantial player loss due to cheating [33], and for subscription games, player loss translates directly Players love to cheat — especially in online to a reduction in revenues. And game developers and games ... be ready to add server-side support to prevent user cheating with methods that you were as guidance for game developers who are considering using not able to predict. [17] this technique for detecting cheating in their games. In this paper we demonstrate a technique to detect any type of cheating that causes the client to exhibit behavior, as 2 Related Work seen by the server, that is inconsistent with the sanctioned client software and the game state known at the server. That Detecting the misbehavior of remote clients in a client- is, our approach discerns whether there was any possible server application is an area that has received considerable sequence of user inputs to the sanctioned client software attention. One strategy, of which ours is a special case, is to that could have given rise to each message received at the construct a model of proper client behavior against which server, given what the server knew about the game client actual client behaviors are compared. Giffin et al. [14] de- based on previous messages from the client and the mes- veloped such an approachfor validating remote system calls sages the server sent to the client. In doing so, our approach back to the home server from computations outsourced to remedies the previously heuristic and manual construction (potentially untrusted) worker machines. In that work, re- of server-side checks. Moreover, our approach potentially mote system calls are compared to a control flow model enables new game designs that reduce bandwidth use by generated from the binary code of the outsourced compu- placing more authoritative state at the client, since our ap- tation, specifically either a non-deterministic finite-state au- proach verifies that the client’s behavior is consistent with tomaton or a push-down automaton that mirrors the flow of legal management of that state. While reducing the inter- control in the executable. A more recent example is work action with the client will generally increase the compu- by Guha et al. [16]: through static analysis of the client por- tational cost of our verification, the verification need not tion of Ajax web applications (HTML and JavaScript), their be done on the critical path of game play, and can be per- system constructs a control-flow graph for the client that de- formedselectively (e.g., only for suspected or winning play- scribes the sequences of URLs that the client-side program ers). Moreover, it can benefit from the dramatic growth of can invoke. Any request that does not conform to this graph inexpensive computing power (larger numbers of cores) in is then flagged as potentially malicious. game-operator server farms. The technique we develop here follows this paradigm. Our strategy exploits the fact that game clients are often We similarly use analysis (in our case, of source code) to structured as an event loop that processes user inputs, server develop a model of client behavior, against which inputs messages, or other events in the context of current game (messages from the client) are compared. The primary dif- state, and then sends an update to the server on the basis of ferentiator of our approach from previous works is sound- its processing. We symbolically execute the loop to derive ness: only sequences of client messages that could have ac- a predicate that characterizes the effects of the loop, and tually been produced through valid client execution, on the specifically the update sent to the server, as a function of inputs sent by the server, will be accepted. This precision its inputs and game state. By partially instantiating these is accomplished though our use of symbolic execution to predicates on the basis of the actual messages the server derive the complete implications of each message value to receives from a client and what the server previously sent the client-side state. While this would hardly be tractable to the client, a verifier can then use a constraint solver to for any arbitrary client-server application, the control-loop determine whether the resulting predicate is satisfiable. If structure of game clients and the frequent communication so, then this indicates that the messages are consistent with that is typically necessary for game play bounds the amount proper client execution — i.e., there were some user inputs of uncertainty that the verifier faces in checking the client’s that could have yielded these messages. messages. We demonstrate our approach with two case studies. In A different approach to protecting against client misbe- the first, we apply our technique to the open-source game havior in client-server settings is to ensure that clients man- XPilot. Because XPilot was developed as is commonplace age no authoritative state that could affect the server or the today, i.e., with low-level client events being sent to the larger application; as discussed in the introduction, this is server, this case study does not fully illustrate the strengths commonplace today for games. A recent system for imple- of our approach. However, it does demonstrate the (few) menting web applications to have this property is Swift [9], ways in which we found it necessary to adapt XPilot to for example. The extreme of this approach is for the client use our technique efficiently and to allow for the realities to simply forward all unseen inputs (e.g., user inputs) to the of modern gaming, such as message loss on the network. server, where a trusted copy of the client-side computation For the second case study, we use a game of our own de- acts on these inputs directly; e.g., this is implemented for sign that is similar to Pac-Man but that has features to bet- Web 2.0 applications in the Ripley system [35].