Interview: Avni Rambhia, Technological Evangelist at Arxan
With the existence of all sorts of ways to circumvent online game security—everything from aim-bots to more insidious hacks—game developers might often feel that they're fighting a losing battle to protect IP and gameplay integrity on multiple fronts.
Arxan are just one company that works in this field, offering anti-hacking and anti-tampering solutions. We talked to Avni Rambhia, technological evangelist at Arxan, to discuss the threats that face developers, Arxan's technology, and the future arms race between developers and cheaters.
What kind of security threats do MMO/Virtual World operators face?
Avni Rambhia: There are primarily two classes of threats: cheating through tampering or modification of the game client, and DoS and other internet-based attacks on the MMO servers. Cheating lowers the overall value and appeal of the MMO community, while attacks on servers result in expensive outages and incident management overhead.
How does Arxan help in these situations?
AR: Arxan's technology works to prevent the first class of threats—tampering of the clients. By preventing reverse engineering of the software, we harden the process of finding exploitable vulnerabilities; by implementing anti-tamper measures, we prevent modifications, and by providing forensics reporting capability, we help the game owner identify potential cheaters as well as analyze attack patterns.
Application hardening is the generic term for anti-tamper/hacking technology. The hardening solution is built using a variety of individual techniques, including obfuscation, encryption, anti-debug, patch and repair, authentication and forensics reporting.
Additionally, since Arxan's technology works at the binary level in very small, lightweight units, it protects without affecting user experience or gaming performance.
How do you think the situation with cheating changes in situations such as free-to-play games, where players could be dealing with items which they have paid for with their own money?
AR: I've read reports that say the ability to charge money for game-world assets creates strong incentives for hackers to build exploits that allow amassing of such assets. The assets can then be monetized via online marketplaces like eBay; in order to ensure ongoing value of the game, publishers have greater incentive to preserve the integrity of their clients and thereby the integrity of the gaming world.
What threats do you think developers and publishers might face in the future?
AR: There will always be an arms race between developers and cheaters. Newer programming technology like Silverlight and JavaFX brings new development capabilities, but also creates greater susceptibility to hacking. Newer hacking technologies like virtualizers and emulators facilitate creation of exploits and make it much harder to detect hacks and cheats. Application hardening technologies and client protection strategies have to keep pace with these advancements to ensure ongoing security.
Once an exploit is known, it is important to quickly yet securely close that problem and update all clients. This can be a disruptive process unless your application hardening strategy has been planned and built with resilience in mind.
What technologies are you working on to face up to the future threats?
AR: We continue to work closely with a variety of research communities and security engineers to stay on top of hacker and developer technology, and keep our application hardening arsenal one step ahead of the hackers. We're also making it easier and faster for developers to quickly yet strongly protect their applications and intellectual property.
Forensics reporting and phone home capability, particularly using covert channels, are particularly valuable features to MMO developers, for example, and that's something we're working on.











