Bearing that specific problem in mind, this paper seeks to provide a starting point to the collection and analysis of compromises and countermeasures. First, it is necessary to define a means to identify a compromise. Second, a manner in which to determine the impact of a compromise is required in order for this to be of any predictive use. Third, the groundwork for the mitigation of compromise which will serve as the starting point for continuing works is sought.
This work is intended for presentation to the video game industry, particularly game developers, and as such the examples, and some terminology, are closest matched to this audience. Nonetheless, this is not solely applicable to such realms, and will strive to maintain generality where possible.
Type of Compromise
It is sufficient to provide a simplified view of the game architecture in order to define the two primary categories of compromise. We can split the game into the game world and the player world -- working definitions can be provided later. Information either travels from the game world to the player world, or from the player world to the game world. The former is normally classified as output, and the latter as input.
With two streams of information there naturally follow two types of compromise, one for each stream. The compromise of the output stream is termed the alteration of knowledge. This is so named because it impacts what an individual in the player world knows about the game world. The compromise of the input stream is termed the alteration of ability. This is so named because it impacts how an individual in the player world interacts with the game world.
Both situations present the opportunity for benefit or detriment. In the knowledge stream, a compromise may expose more details about the game world than normally allowed, or it may obscure that which is normally visible. In the ability stream, a compromise may augment abilities, or it may handicap them. It is vitally important to consider both benefit and detriment opportunities in game analysis.
Benefiting a stream would likely be done by a player to give himself, or his team, an increased chance of succeeding in the game. By increasing the amount of data visible by the players, a compromise improves the knowledge of those players, enabling them to make better informed strategic or tactical decisions. Altering the ability stream may improve player reactions and resources, or it may grant the player abilities they would not normally have.
Example: In Quake a player may have altered their local version of the enemy model skins such that they glow in the dark and/or carry spikes that can be seen through walls(1). This is a benefit of knowledge compromise, as it allows that player to clearly see his enemies, who would otherwise be obscured by the dark.
A detriment to a stream would likely be done by a player who is attempting to weaken the position of his opponent. The compromise may hide essential information, limiting the ability to make informed decisions, or alter the actions taken by the players, thereby reducing their effectiveness.
Example: An FPS server maintainer sets the damage done by all non-clan members to be 90% of the actual damage. This is a detriment of ability compromise, as it weakens the ability of non-clan members by lessening the damage level they can inflict.
Note that compromises may target a specific set of players, or they may simply impact the entire game. In the case of the entire game it may still yield an advantage for specific players - that is, the applied compromise may produce a game world that, although it seems fair, offsets the balance in favour of a certain player's strategy.
Example: In an RPG a player may alter the mechanics of a realm such that all magical enchantments and magical effects have reduced effectiveness. This would reduce the damage done by enchanted weapons, but would also reduce the damage blocked by enchanted armor - the net effect might appear the same to many of the players. The exception being that the compromise was instituted by a player who does not rely on such magical effects: in absolute consideration, all others' positions are lowered, and his remains equal, but looked at relatively that means his position has improved. Neverwinter Nights allows extreme opportunities as players can act as DMs creating their own realms stocked with custom items and thereby granting themselves extra powers.
As noted in the previous example such compromises may not be very overt. The more often a game is played, or the more often data in a particular game is used, the more susceptible it is to subtle changes. That is, a 1% change in a single instance would not likely be noticed, nor would it alter the outcome of the game. However, that 1% applied over hundreds of instances would slightly improve a player's ranking. In games that are very sensitively balanced, small changes in the game can make very large impacts over a period of time. The consideration of volume is further discussed under Detailed Analysis.
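The effect of volume described above, as an added example that is not part of the original paper: a per-event tolerance check never flags a 1% damage bias, while the mean over many events does. The event structure, the +/-4% natural damage roll, the 6% tolerance and the z-score threshold of 4 are assumptions made for the illustration, and the sample data is constructed.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <vector>

// One damage event: what the rules nominally give and what was actually applied.
// Assumption: expected is always greater than zero.
struct DamageEvent { double expected; double observed; };

// Per-event check: counts events whose ratio deviates from 1.0 by more than `tolerance`.
std::size_t count_event_outliers(const std::vector<DamageEvent>& ev, double tolerance) {
    std::size_t n = 0;
    for (const DamageEvent& e : ev)
        if (std::fabs(e.observed / e.expected - 1.0) > tolerance) ++n;
    return n;
}

// Aggregate check: z-score of the mean observed/expected ratio against the fair value 1.0.
double bias_z_score(const std::vector<DamageEvent>& ev) {
    if (ev.size() < 2) return 0.0;               // not enough volume to say anything
    const double n = static_cast<double>(ev.size());
    double sum = 0.0;
    for (const DamageEvent& e : ev) sum += e.observed / e.expected;
    const double mean = sum / n;
    double ss = 0.0;
    for (const DamageEvent& e : ev) {
        const double d = e.observed / e.expected - mean;
        ss += d * d;
    }
    const double sd = std::sqrt(ss / (n - 1.0));  // sample standard deviation
    if (sd == 0.0) return mean == 1.0 ? 0.0 : std::copysign(HUGE_VAL, mean - 1.0);
    return (mean - 1.0) / (sd / std::sqrt(n));    // deviation in standard errors
}

bool sustained_bias(const std::vector<DamageEvent>& ev, double z_threshold) {
    return std::fabs(bias_z_score(ev)) > z_threshold;
}

// Constructed sample: nominal damage 50 with a repeating, zero-mean natural roll,
// multiplied by `bias` (1.0 = fair, 1.01 = the 1% change discussed in the text).
std::vector<DamageEvent> make_sample(std::size_t count, double bias) {
    static const double roll[5] = {-0.04, -0.02, 0.0, 0.02, 0.04};
    std::vector<DamageEvent> ev;
    for (std::size_t i = 0; i < count; ++i) {
        const double expected = 50.0;
        ev.push_back({expected, expected * (1.0 + roll[i % 5]) * bias});
    }
    return ev;
}

int main() {
    const std::vector<DamageEvent> few = make_sample(5, 1.01);
    const std::vector<DamageEvent> many = make_sample(500, 1.01);
    std::printf("per-event outliers over 500 events: %zu\n",
                count_event_outliers(many, 0.06));
    std::printf("z-score over 5 events:   %.2f\n", bias_z_score(few));
    std::printf("z-score over 500 events: %.2f\n", bias_z_score(many));
    return 0;
}
```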
Classifying game compromise makes possible a common dialog that can be used to document, research, and discuss such compromises. As seen with software development in general, the establishment of patterns is a common method used to trade experience and to learn new techniques. The above does not profess to be the ultimate classification technique, rather it serves as the base from which a more complete repository of compromises could be based - such classification is vital to a particular project, as will be revealed further by this document.
Potency / Availability
The basic model of knowledge and ability is not sufficient for a predictive framework. Extension, by means of providing further classification, is needed to allow for analysis of impact.
Information in a game has, at any time, a particular state. Whereas the knowledge and ability stream indicates only the direction, the state of the information has two distinct properties: abstraction and accessibility.
Abstraction is the expression of the degree of purity, or conversely the degree of realism, represented by the data. What an individual in the player realm ultimately receives is the least abstract form of information. This information, received by the player, is said to have passed the reality fringe. What the game ultimately manipulates is information in its most fundamental form - a form in which no further reduction or separation can be performed. This fundamental information lies within the purity fringe.
Example: Morrowind, with patch, displays the hit points of the enemy only as a colored bar on the screen. It is likely that this data is stored in memory as two integers, current level and maximum. The display engine does not need knowledge of the absolute values, but instead only needs a percentage representation of the current level. This combination of the two variables pushes the data past the purity fringe. The display engine then draws this percentage as a colored bar on the screen. At the point of display the information has passed the reality fringe.
The Might And Magic series incorporated this revelation of potency directly into the game: acquiring additional skills and items allows the player increased levels of knowledge about the game monsters or items.
A game compromise does not normally impact the data in a game directly, rather it alters the behavior of a game component in order to indirectly alter the data.(2) Each component tends to manipulate more than one piece of data. This leads to the definition of Potency, which indicates how much control of a game would be gained if the component were compromised. That is, the potency considers all of the data that exists in a component, whereas the abstraction refers only to specific data items.
Accessibility is the expression of the degree of security for the information streams. On the one extreme the game defines a protocol of exchange that is rigidly enforced by external means. That is, the enforcement of this security is outside the scope of the rules of the game.(3) This protocol crosses what is termed the secure fringe. On the other end of this scale information leaves the game world -- the game has relinquished all control of the information into another domain, the player world. The point at which information crosses into this new domain is termed the free fringe.
Example: A game server resides behind a firewall that allows, and enforces, only a well defined protocol to propagate. This firewall is providing the secure fringe -- it is an external means used to rigidly enforce a game protocol. At the other end is a multicaster, which takes game information packets and broadcasts them unencrypted within a local network. This multicaster is on the free fringe, as once it broadcasts the data in this form, it has given up all control of the data.
At each point in the game, either within a component, or the exchange between components, each data item has some level of accessibility. It is important to consider how often this data will be used, or will appear, in this component. This is known as the volume of the data. The more often data is used, the more susceptible it may be to compromise(4) - or quite possibly, the more often it will likely be targeted for compromise due to its prolonged influence on the game. The consideration of volume and accessibility together yields the availability of the data.
Abstraction and Accessibility are properties that can assist in determining the risk of a compromise. As information moves away from the secure fringe to the free fringe, it becomes increasingly susceptible to manipulation -- that is, its availability increases. As information moves away from the purity fringe to the reality fringe, the potency of manipulation generally decreases. Used appropriately such analysis can provide the basis to reducing the occurrence of, or mitigating the effects of, game compromises.
The fringes have special meaning in relation to the availability and potency. Below the purity fringe the potency reaches a maximum - a compromise would be capable of altering the complete range of a variable. Above the reality fringe potency reaches a minimum(5), since the information has already undergone every translation applicable to it. Below the secure fringe availability becomes constant, typically a minimum, as access is limited by fixed external means. Above the free fringe availability reaches a maximum - in terms of game rules, any entity is now free to access the data.
Clearly most games will not follow this strict linear pattern, as that would require a very strict layered architecture. Normally various components of a game need to be defined and then placed appropriately with respect to the fringes. The analysis is then done for each component. The preceding provides this basic framework for identifying trouble spots; more information can be found in the Detailed Analysis section.
Note: Although it seems similar, the potency and availability should not be considered the same as impact and occurrence (or probability) in terms of traditional risk management. The reason is that it may well be a social consideration that determines which points are more susceptible to compromise.(6) In a game with a persistent world, a cheater may choose to exploit a very low potency compromise in order to prevent detection, one that nonetheless gives them a long-term advantage. For a cracker, nothing short of the most potent compromise is of any use to them, and they will ignore all other available compromises in search of one which unlocks the game. The sociopolitical considerations are a topic for further research.
The intent of such analysis is to provide a clear starting point towards the improving of the game, in terms of reducing compromise occurrence and mitigating compromise impact. Establishing the fringes is a method to quickly eliminate, or provide, the manners in which this goal can be achieved. For example, the fringes can either quickly indicate that no such mitigation is possible, or that external security mechanisms are better than in-game mechanics. Additionally, the potency and availability scores serve as a manner for communication within the development environment, assisting in project planning and quality assurance.
Mitigation is done by addressing the general reduction techniques and identifying some key trouble areas. The primary technique is domain adjustment, which will yield the most beneficial results(7). Following this are the range reductions, which are more specific.
Note: The Detailed Analysis section contains information pertaining to how the following strategies are devised.
On the high side of the domain is the reality fringe and the free fringe. If the free fringe lies below the reality fringe then the game has provided for an easy compromise of abstract data (i.e. Abstract data is readily available for the would-be cheater). In order to minimize this area of compromise, it is necessary to push the free fringe up to the reality fringe.
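Pushing the free fringe up toward the reality fringe, sketched as an added example that is not code from the paper or from any game: the server holds every entity's position but sends each player only the entities that player could actually see, so positions hidden behind walls never reach the player world. The grid map, the Entity type and the line-of-sight rule are assumptions made for the illustration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <vector>

// Constructed map: '#' is a wall, '.' is open floor.
static const char* const kMap[] = {
    "........",
    "...#....",
    "...#....",
    "...#....",
    "........",
};
static const int kRows = 5;
static const int kCols = 8;

struct Entity { int id; int x; int y; };

// Anything outside the map is treated as solid.
bool is_wall(int x, int y) {
    if (x < 0 || y < 0 || x >= kCols || y >= kRows) return true;
    return kMap[y][x] == '#';
}

// Bresenham walk from viewer to target; blocked if any cell in between is a wall.
bool has_line_of_sight(int x0, int y0, int x1, int y1) {
    const int dx = std::abs(x1 - x0), dy = -std::abs(y1 - y0);
    const int sx = x0 < x1 ? 1 : -1, sy = y0 < y1 ? 1 : -1;
    int err = dx + dy;
    while (x0 != x1 || y0 != y1) {
        const int e2 = 2 * err;
        if (e2 >= dy) { err += dy; x0 += sx; }
        if (e2 <= dx) { err += dx; y0 += sy; }
        const bool at_target = (x0 == x1 && y0 == y1);
        if (!at_target && is_wall(x0, y0)) return false;
    }
    return true;
}

// Server-side filter: the ids this viewer is allowed to receive in its update.
// Hidden entities are omitted entirely rather than sent and left for the client to hide.
std::vector<int> visible_ids(const Entity& viewer, const std::vector<Entity>& all) {
    std::vector<int> ids;
    for (const Entity& e : all)
        if (e.id != viewer.id && has_line_of_sight(viewer.x, viewer.y, e.x, e.y))
            ids.push_back(e.id);
    return ids;
}

int main() {
    const Entity viewer = {1, 1, 2};
    std::vector<Entity> all;
    all.push_back(viewer);
    all.push_back(Entity{2, 6, 2});   // directly behind the wall
    all.push_back(Entity{3, 1, 4});   // same corridor, in the open
    all.push_back(Entity{4, 2, 0});   // diagonal, in the open
    const std::vector<int> ids = visible_ids(viewer, all);
    for (std::size_t i = 0; i < ids.size(); ++i)
        std::printf("send entity %d to player %d\n", ids[i], viewer.id);
    return 0;
}
```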
The free fringe is not typically pushed beyond the reality fringe(8), as once the information has passed the reality fringe it is primarily outside of the domain of the game. Any attempt at pushing this fringe further can always be matched with mimicry, or intelligent interpretation. That is, since the intended players reside past the reality fringe, it is not possible for the game mechanics to distinguish between a genuine entity and an artificial one.
It should be noted that mimicry and intelligent interpretation are both techniques that can be used well before the reality fringe is passed. Mimicry is the act of tricking the system into believing that the input is coming from a genuine entity, that is, it is a compromise of the ability stream in the game. Such trickery could be devised to react to abstract data, or interpreted data, made available by another game compromise. Intelligent interpretation simply refers to a compromise of the knowledge stream that takes partially abstract values and calculates derived values of interest to a mimicry device, or for presentation to the player.
The presence of both a mimicry compromise and an intelligent interpretation compromise yields an effective short-circuit of the complete game streams. In such a situation the player appears to react to game events even though neither the event, nor the action, required any actual intervention on behalf of the genuine player. Curiously, this exact scenario is intentionally implemented in any game that allows for the participation of artificial, or computer, opponents. Such games need to be careful, as the system being exploited by the artificial player is likely also going to be a target for compromise.(9)
On the low side of the domain is the purity fringe and the secure fringe. Since compromises on abstract data have the greatest potency, it is desirable to ensure that the secure fringe is greater than the purity fringe. In the interest of compromise reduction it is actually desirable to push the secure fringe as close as possible to the real fringe. In practice this latter attempt will be limited by available mechanics.
Example: In a typical computing environment, the pushing of secure fringe to the real fringe could be realized in this scenario: all game output comes as an A/V stream from a secure server, all game input devices send their raw data (keystrokes, mouse movements, etc...) directly to that secure server. This allows only for a mimicry compromise. That is, a compromise would need to mimic the behavior of a human player, as it has no knowledge of any abstract data, nor any manner to produce enhanced abilities. This compromise is not fairly preventable, and is also the most difficult. Fairly meaning that perhaps it could be prevented, but would also punish valid playing entities -- such as illegitimizing high shot accuracies as in games like Quake.
Range reduction means either reducing the potency or reducing the availability. Within the gaps between the purity fringe and reality fringe, and the secure fringe and free fringe, reduction of range is the only option available for mitigation of compromise. This reduction can be complicated - indicating domain adjustment, minimizing of these gaps, is the primary goal. When reasonable domain adjustment has been exhausted it is however necessary to apply range reduction.
In both the potency and availability range there is an implicit reference to volume of data. Potency and availability are both proportional to the volume of information available. This makes the volume the first target for reduction, as its reduction will result in the reduction of both potency and availability.
When calculating the volume of information it is important to consider three values: the size, the rate, and the instance count. The size is the strict size of the information packet, presumably expressible in bytes. The rate is how often the information passes the defined point. The instance count is the one that may often be forgotten. It is an estimation of the number of instances of the game that will exist during its lifetime.
Note: The instance count is important because often the number of compromises available for a game is most related to its popularity. Including this in the expression for volume explicitly includes this variable into compromise consideration.
Potency is an expression of the form of the information contained in the knowledge and ability streams. Reduction of the potency, other than a volume reduction, means a reduction in the abstraction, or generality of the information. This reduction can be achieved by either specifically limiting the range of allowed values for information, or by exposing function results instead of function variables.
Example: Storing a game variable as an integer allows any valid integer value to be placed in that variable. Specifying this integer as a strict set of values limits the potency of modifying that variable. In some programming languages, such as Ada, this is offered as a natural syntax.
Availability is an expression of the security of the information contained in the knowledge and ability streams. It is typically a calculation of the complexity of the encoding, and the volume, of the information. Reduction therefore, aside from reducing volume, is achieved by increasing the complexity of the data encoding.
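Both potency reductions named above, as an added example that is not code from the paper or from any game: a value restricted to a strict set, and a component that exposes a function result (a coarse health bar, as in the Morrowind example earlier) instead of its two underlying integers. All type and function names are hypothetical, and the 10-segment bar is an assumption.

```cpp
#include <algorithm>
#include <cstdio>

// Range restriction: a closed set of legal values instead of a free integer.
enum class Difficulty { Easy = 0, Normal = 1, Hard = 2 };

// Untrusted input is mapped onto the set; anything outside it is rejected.
bool parse_difficulty(int raw, Difficulty& out) {
    switch (raw) {
        case 0: out = Difficulty::Easy;   return true;
        case 1: out = Difficulty::Normal; return true;
        case 2: out = Difficulty::Hard;   return true;
        default: return false;
    }
}

// Hit points are held as two integers (the abstract form) inside one component.
class Health {
public:
    explicit Health(int maximum) : max_(std::max(1, maximum)), current_(max_) {}

    // The only write path: negative amounts are ignored (damage never heals)
    // and the result can never leave the range [0, max].
    void apply_damage(int amount) {
        if (amount < 0) amount = 0;
        current_ -= std::min(amount, current_);
    }

    // Function result exposed to the display side: 0..10 bar segments, rounded up
    // so that a single remaining hit point still shows one segment.
    // The absolute current and maximum values are never handed out.
    int bar_segments() const {
        const long long scaled = static_cast<long long>(current_) * 10;
        return static_cast<int>((scaled + max_ - 1) / max_);
    }

    bool alive() const { return current_ > 0; }

private:
    int max_;
    int current_;
};

int main() {
    Health h(250);
    h.apply_damage(100);
    h.apply_damage(-500);   // ignored
    std::printf("bar segments after 100 damage: %d\n", h.bar_segments());

    Difficulty d = Difficulty::Easy;
    std::printf("raw value 7 accepted: %s\n", parse_difficulty(7, d) ? "yes" : "no");
    return 0;
}
```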
Complexity is well expressed in terms of the computational complexity required to sensibly modify the target data. This is a combination of both the discovery complexity, and the execution complexity. The discovery complexity is an expression of how long it takes for the player world to understand the mechanics of the protection. The execution complexity is the standard complexity of how long it would take to break the encoding and modify the data.
Example: Discovery complexity is often treated as negligible in most secure environments -- security cannot be achieved by obscurity. However, in many environments the discovery time may be long enough to cover some critical time period. Spyro's Revenge existed for, what is seen as, a very long time before a crack emerged (a 2 month discovery complexity), but this was sufficiently long to prevent pirate copies from appearing during the primary sales period after release.(10)
Impact of Defects
Normally defects are the wild cards of game compromise: you do not know in advance where they will appear or what impact they will have on the game. Since it is unrealistic to assume that defects will not occur, and because their impact on game compromise is significant, it would be unreasonable to have a method of mitigating game compromise that did not consider the existence of defects.
It is possible to consider defects without the modification of the overall method: treat potential defects in the same fashion as potential compromises. This is sound since it is possible that every defect could alternately be introduced in the form of a designed compromise. That is, the set of all defects is a subset of possible compromises. This is also reasonable, since defects are often used as leverage to produce more significant compromises. It therefore follows that the general method for analysis of compromise includes the impact of defects.
One non-negligible trouble point when including defects in the analysis is the significance of the secure fringe. There arises a class of defects that occur on the privileged side of that fringe, meaning they may not be subject to external security considerations. A manner in which to reduce this problem is by segmenting the secure fringe, such that the intended secure portions of the game are subjected to secure communications with each other. Such a technique is usually discussed in relation to Byzantine failure(11) and will not be further discussed here.(12)
This section defines more precisely the terms and concepts presented in the paper. It was completed in parallel with the discussion aspect of the paper. It is intended to provide, when possible, a less ambiguous set of definitions, for the purpose of critique and review of this paper. Additionally this allows for a more rigorous search of inconsistencies and omissions from the general discussion, and the method in general. It is not a normative definition, nor is it meant to supplant the general discussion.
This section has been omitted from this form since it uses equations that can't be shown. Please see the PDF for this section.
1. http://planetquake.com/ Pak2's mods
2. Many games are susceptible to trainers, items that often directly alter the memory of the system. Such a compromise can be thought of as an alteration in the behavior of the memory of the system. Additionally, compromises often alter data that is being actively transferred between components - Detailed Analysis shows how the transfer points can be treated the same as the component behaviours.
3. A secure socket layer through a firewall is an example: the game defines a protocol that will be used to communicate with a server and it is understood that it will be the job of the system administrators to prevent unauthorized access to that server.
4. In specific cases, such as certain forms of interpretation and cryptography, the task of understanding or decrypting is eased by the presence of multiple samples of data. Especially in cases where the range of data is limited, an abundance of samples allows a compromise to tune its operations to minimize the ambiguities in its calculations.
5. Reaching the minimum of potency doesn't necessarily mean a compromise would not be effective, for such a minimum may well yield a promising compromise.
6. This consideration is termed relevance, and is mentioned briefly in the Detailed Analysis of Potency. The analysis in this form does not provide a method to include relevance.
7. This is ascertained by examining the detailed analysis, where it indicates that domain adjustment would remove entire components from certain consideration, whereas range reduction would only reduce the potency and availability of specific components.
8. To prevent certain types of cheating it may be desired to push the free fringe beyond the real fringe - this would be the case when the real data is still easily interpreted and/or modified. Such an action however would be rarely effective without out-of-domain cooperation, which is the core of the subject about Digital Rights Management (DRM) Operating Systems, such as Microsoft's next OS version Palladium. It should be interesting to note that any game which involves a human element necessarily needs to have domain travel from the game world to the real world, which guarantees that there are components where the data is both real and fully available.
9. To an individual who wishes to cheat and/or develop a compromise, it should be clear that the presence of an artificial game player indicates that mechanisms exist which allow short-circuiting the full knowledge / ability stream loop. Extending this even further, any game that includes any sort of artificial agent necessarily has such ability to short-circuit the loop (this easily includes both the scripted behaviors of NPCs in an RPG and behaviours of intelligent monsters in an FPS). Since such intelligent systems are typically designed to be extendable, for the introduction of new agents, or for customer play programming, they are also likely to be a significant source of compromise.
10. "Keeping the Pirates at Bay: Implementing Crack Protection for Spyro: Year of the Dragon", Gavin Dodd, http://gamasutra.com/
11. "The Art of Systems Architecting", Mark W. Maier, Eberhardt Rechtin, includes a brief description of such failures and their use in systems architecture.
12. Refer to "Intrusion-Tolerant Enclaves", Bruno Dutertre, Valentin Crettaz, Victoria Stavridou. This paper describes a manner to prevent intrusion, but such techniques could also be applied to mitigating the effects of defects within the secure fringe.
13. In Age Of Empires a compromise appeared where the player was capable of seeing how much money the other player had (they had discovered the memory location where this data is held). The relevance of this discovery was not immediately obvious to the designer of the game; he initially thought it was not that significant. Upon further description it was understood how significant this really was: by continually monitoring this level of money it was possible to identify discrete transaction amounts, and then further correlate this to known events in the game, effectively revealing the strategy and current status of the other players.
"A layered Brain Architecture for Synthetic Creatures", Damian Isla et al, The Media Laboratory, Massachusetts Institute of Technology, 2001
"Cyberspace in the 21st Century: Part Seven, Security is Relative", Crosbie Fitch, Gamasutra, 2002
"How to Hurt the Hackers: The Scoop on Internet Cheating and How you can combat it", Matt Pritchard, Gamasutra, 2000
"Internet Game Design", Tu-Shen Ng, Gamasutra, 1997
"Intrusion-Tolerant Enclaves", Bruno Dutertre et al, System Design Laboratory, SRI International, 2002
"On the (Im)possibility of Obfuscating Programs", Boaz Barak et al, 2001
"Security in Online Games", Andrew Kirmse and Chris Kirmse, Gamasutra, 1997
"TCPA / Palladium Frequently Asked Questions", Ross Anderson, 2002, http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
"The Art Of Systems Architecting", Mark W. Maier and Eberhardt Rechtin, CRC Press, 2000
"The Case For Game Design Patterns", Bernd Kreimeier, Gamasutra, 2002
Age Of Empires
Might And Magic
Spyro The Dragon