Presented at
DEF CON 20 (2012),
July 29, 2012, 2 p.m.
(50 minutes)
Fuzzing online games to find interesting bugs requires a unique set of novel techniques.
In a nutshell the lack of direct access to the game server and having to deal with clients that are far too complex to be easily emulated force us to rely on injecting fuzzing data into a legitimate connections rather than use the standard replay execution approach. Top that with heavily encrypted and complex network protocols and you start to see why we had to become creative to succeed :)
In this talk, we will discuss and illustrate the novels techniques we had to develop to be able to fuzz online games, including how to successfully inject data into a gaming sessions and how to instrument the game memory to know that our fuzzing was successful. We will also tell you how to find and reverse the interesting part of the protocol, and how to decide when to perform the injection.
Presenters:
-
Patrick Samy
- Research Engineer, Stanford University
Patrick Samy is research engineer at Stanford university where he focuses on hardware and system security. He is the lead developer of Kartograph network and scripting engine. He also developed the Kartograph real-time visualization engine.
-
Elie Bursztein
- Researcher, Google
Elie Bursztein is a researcher at Google's Mountain View, Calif. headquarters, where he invents ways to fix the Internet's security and privacy problems. Prior to that as a researcher at Stanford University, Elie designed Wikipedia's CAPTCHA and created Talisman, a Chrome browser extension that enhances security. He is also the inventor of the award-winning game hacking tool Kartograph presented at DEF CON 18 and Security and Privacy 2011.
Twitter: @elie
http://elie.im
Links:
Similar Presentations: