Server-side verification of client behavior in online games

Bethea, Darrell; Cochran, Robert A.; Reiter, Michael K.

doi:10.1145/2043628.2043633

Cited by 29 publications

(28 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…WAVES avoids these inconsistencies for applications where the server validation code is correct by simply replicating that code for the client. Two related works also avoid these inconsistencies but for applications where the client validation is correct: Ripley [21] and [22]. These two classes of work are therefore complementary for legacy applications.…”

Section: Improper Input Validationmentioning

confidence: 99%

“…The most germane work, Ripley [21] and [22], could seemingly be used to meet the same objective: write validation code once (on the client) and allow the system to automatically replicate it elsewhere (on the server). However, there is a crucial benefit to writing validation code on the server instead of the client: all constraints, whether static (not dependent on the server's database, file system, etc.)…”

Section: New Applications and Interactivitymentioning

confidence: 99%

See 1 more Smart Citation

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Skrupsky

Monshizadeh

Bisht

et al. 2012

2012 International Conference on Cyber Security

View full text Add to dashboard Cite

The current practice of web application development treats the client and server components of the application as two separate but interacting pieces of software. Each component is written independently, usually in distinct programming languages and development platforms -a process known to be prone to errors when the client and server share application logic. When the client and server are out of sync, an "impedance mismatch" occurs, often leading to software vulnerabilities as demonstrated by recent work on parameter tampering. This paper outlines the groundwork for a new software development approach, WAVES, where developers author the server-side application logic and rely on tools to automatically synthesize the corresponding client-side application logic. WAVES employs program analysis techniques to extract a logical specification from the server, from which it synthesizes client code. WAVES also synthesizes interactive client interfaces that include asynchronous callbacks whose performance and coverage rival that of manually written clients while ensuring no new security vulnerabilities are introduced. The effectiveness of WAVES is demonstrated and evaluated on three real-world web applications.

show abstract

Section: Improper Input Validationmentioning

confidence: 99%

Section: New Applications and Interactivitymentioning

confidence: 99%

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Skrupsky

Monshizadeh

Bisht

et al. 2012

2012 International Conference on Cyber Security

View full text Add to dashboard Cite

show abstract

“…Server-side bot detection requires some resources to analyze the data that is collected, however, and could possibly be circumvented by a bot program [12]. Once a bot is removed from the game, the bot creator can easily change the program to avoid the behavior that resulted in detection.…”

Section: Related Workmentioning

confidence: 99%

Development of Embedded CAPTCHA Elements for Bot Prevention in Fischer Random Chess

McDaniel

Yampolskiy

2012

International Journal of Computer Games Technology

View full text Add to dashboard Cite

Cheating in chess can take many forms and has existed almost as long as the game itself. The advent of computers has introduced a new form of cheating into the game. Thanks to the computational power of modern-day computers, a player can use a program to calculate thousands of moves for him or her, and determine the best possible scenario for each move and countermove. These programs are often referred to as "bots," and can even play the game without any user interaction. In this paper, we describe a methodology aimed at preventing bots from participating in online chess games. The proposed approach is based on the integration of a CAPTCHA protocol into a game scenario, and the subsequent inability of bots to accurately track the game states. This is achieved by rotating the images of the individual chess pieces and adjusting their resolution in an attempt to render them unreadable by a bot. Feedback from users during testing shows that there is minimal impact on their ability to play the game. Players rated the difficulty of reading the pieces on a scale of one to ten, with an average rank of 6.5. However, the average number of moves to adjust to the distorted pieces was only 3.75. This tells us that, although it is difficult to read the pieces at first, it is easy to adjust quickly to the new image.

show abstract

“…Finally, Bethea et al [2] recently described an approach and associated tool to perform online verification that a sequence of inputs received at the server could have been generated by an honest client. Like MAX, their tool combines the results of symbolic execution with state information derived from concrete execution.…”

Section: Related Workmentioning

confidence: 99%

Finding protocol manipulation attacks

KothariNupur

MahajanRatul

MillsteinTodd

et al. 2011

SIGCOMM Comput. Commun. Rev.

View full text Add to dashboard Cite

We develop a method to help discover manipulation attacks in protocol implementations. In these attacks, adversaries induce honest nodes to exhibit undesirable behaviors by misrepresenting their intent or network conditions. Our method is based on a novel combination of static analysis with symbolic execution and dynamic analysis with concrete execution. The former finds code paths that are likely vulnerable, and the latter emulates adversarial actions that lead to effective attacks. Our method is precise (i.e., no false positives) and we show that it scales to complex protocol implementations. We apply it to four diverse protocols, including TCP, the 802.11 MAC, ECN, and SCTP, and show that it is able to find all manipulation attacks that have been previously reported for these protocols. We also find a previously unreported attack for SCTP. This attack is a variant of a TCP attack but must be mounted differently in SCTP because of subtle semantic differences between the two protocols.

show abstract

Server-side verification of client behavior in online games

Cited by 29 publications

References 30 publications

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Development of Embedded CAPTCHA Elements for Bot Prevention in Fischer Random Chess

Finding protocol manipulation attacks

Contact Info

Product

Resources

About