July 29, 2004

Least Privileges + Games = Microsoft Achilles Heel?

Ok. So if you are a regular reader of my blog you know I have gone off on a few tangents about least privilege in the past. Let's see, what are a few of the topics I have talked about:
Today I want to discuss something more practical when it comes to issues with least privilege, and the things Microsoft is going to need to do about it. If anyone reads my blog from the division that publishes Microsoft games, listen up! I want to discuss least privilege, and games. For least privilege to be taken seriously, and be used correctly, it has to work everywhere, all the time. It has to be easy for the user to use, adopt and run without affecting their computing experience. If you make it too hard, they simply won't do it. This is absolutely paramount for kids. You know... the little people in your house that know more about computers than you, and can kill more terrorists than the US Army Rangers because of the sheer amount of online training with CounterStrike and all the other fun games out there. Well, if you can't make their gaming experience work with least privilege, little Johnny will never accept the computer the way it is... and you've got a problem.

What am I talking about? Well, today I stumbled across a knowledge base article on Microsoft's site which discusses how a problem in the CD verification routines prevents some games from functioning on XP, especially when fast user switching is involved. Ok, so the immediate reaction is "this is a software issue with the CD verification software". Yep. But it's more than that. This isn't Joe Smith's personal Q-Bert game we are talking about here. These are games published by Microsoft. Here is the list provided in the knowledge base article:
So why do you care? Because one of the recommended solutions is to log on as Administrator to play the game! COME ON PEOPLE... NEVER RECOMMEND RUNNING USER MODE APPS AS ADMINISTRATOR! That's like telling Linux geeks to run Quake as root. Please, please do. I need another rooted box.

Let me give you an example of WHY this is a bad idea, based on a recent experience I had. I am a big fan of the game Wolfenstein: Enemy Territory. I don't have a lot of time to play games, but when I do, ET is at the top of my list. Recently I joined a server which wasn't playing very nice. I have the ability to download maps turned on. On this particular server, instead of playing nice and downloading the maps I needed, it somehow forced the game to ShellExecute an HTTP request, shutting down the game and trying to launch the default web browser. HELLO? See anything wrong here? Lucky for me, the intrusion prevention system I wrote kicked in, noticed that a game was trying to call a web browser and promptly stopped the action from occurring. But what MIGHT have happened if I didn't have my IPS running? If I had had a vulnerable IE browser (I don't run IE, so even without the IPS this attack would have failed since FireFox is my default browser), they could have kicked off an attack sequence by forcing me directly to the malicious URL. Now imagine if I was also an Administrator when this occurred. Uh oh. Big time problems.

So please listen up. Telling someone to run ANYTHING that is NOT REQUIRED to have admin access should be shunned. Stop it. Don't do it. If you believe that you HAVE to be an administrator, rethink the game and try to find ways to isolate only those specific functions that require elevated privileges. Now, I am not a game developer, and I can understand that low level hardware access typically requires higher privileges. But I was always under the impression that this was what DirectX was for: to expose low level access to user mode in a safe way.
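The check the IPS in the story above performed (a game process trying to hand a URL to a web browser), written out as added detection logic. This is an illustration and not the author's IPS code; the image names in GAME_IMAGES and BROWSER_IMAGES, the key=value event format and the log lines are all constructed for the example, and the "elevated" flag stands in for whatever a real sensor would report about the parent's token.

```python
"""Flag a game process spawning a web browser (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed image names for illustration only; a real rule set would take these
# from the deployment's own software inventory.
GAME_IMAGES = {"et.exe", "aom.exe"}
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "opera.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    parent_elevated: bool  # parent token holds Administrators membership
    child_image: str
    command_line: str


@dataclass
class Alert:
    severity: str
    reason: str
    url: Optional[str]


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def evaluate(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert when a known game launches a browser, else None."""
    parent = event.parent_image.lower()
    child = event.child_image.lower()
    if parent not in GAME_IMAGES or child not in BROWSER_IMAGES:
        return None
    match = URL_RE.search(event.command_line)
    url = match.group(0) if match else None
    # A browser started by an elevated game inherits the elevated token,
    # so the same event is worse when the game ran as Administrator.
    severity = "high" if event.parent_elevated else "medium"
    reason = f"{parent} launched {child}"
    if url:
        reason += " with a URL argument"
    return Alert(severity, reason, url)


# Constructed process-creation records in a simple key=value form
# (not a real Windows event format).
SAMPLE_LOG = """\
parent=et.exe elevated=no child=firefox.exe cmd="firefox.exe http://example.invalid/maps/"
parent=explorer.exe elevated=no child=firefox.exe cmd="firefox.exe"
parent=et.exe elevated=yes child=iexplore.exe cmd="iexplore.exe http://example.invalid/x"
parent=et.exe elevated=no child=punkbuster.exe cmd="punkbuster.exe"
"""

LINE_RE = re.compile(r'parent=(\S+) elevated=(yes|no) child=(\S+) cmd="([^"]*)"')


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the constructed key=value lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parent, elevated, child, cmd = m.groups()
        events.append(ProcessEvent(parent, elevated == "yes", child, cmd))
    return events


def scan(text: str) -> List[Alert]:
    """Run every parsed event through evaluate() and keep the alerts."""
    return [a for a in (evaluate(e) for e in parse_log(text)) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.severity, alert.reason, alert.url)
```

Of the four constructed records only the two where et.exe starts a browser fire; the one where the game was already elevated is rated higher because the browser would have started with the same token. A real sensor would block rather than just report, as the author's IPS did, but the decision logic is the same.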
But other than the hardware control, I can't even fathom why you would need admin privileges to play a game. To be fair, some of these games were written before the big security push at Microsoft. And many of them are games Microsoft bought from outside the company. But if you are going to talk the talk when it comes to least privilege, all your apps need to take this into account in the future, Microsoft. And that includes games. Actually, I would consider games to be one of the areas you need to be MOST concerned about. CSOs/CIOs at major corporations will have layered defenses to help protect against vulnerable and exploitable software. Little Johnny's computer probably won't. And all we need is another couple of thousand zombies thanks to a weakness like this in the next version of Microsoft's <insert game of the week here>.

Posted by SilverStr at July 29, 2004 10:17 AM

Comments
> I can't even fathom why you would need admin privileges to play a game.

I believe these games load a kernel mode driver to verify the physical CD-ROM is present. It is the loading of this driver which requires elevated privileges, not DirectX.

Posted by: Chauncey Mcduff at July 29, 2004 11:39 AM

Thanks for the comment Chauncey! If that's the case, it's an easy fix. They could expose the kernel-mode driver to a service and communicate via DeviceIoControl. Then by simply polling the service as a normal user, they can get the information they need within the game. Microsoft could even make this generic enough that once the service is installed in one game, they wouldn't need it for all their other titles, as it would already be installed. The service could run with the least amount of privileges, only giving actual IOCTL IRP access to the kernel component, leaving the game admin free.

Posted by: SilverStr at July 29, 2004 12:02 PM

Wow, talk about weird coincidences. Catching up on my blogs after this morning's posts, I notice that Michael Howard posted (http://blogs.msdn.com/michael_howard/archive/2004/07/28/200206.aspx) that he is actually waiting to present to a bunch of game developers about writing secure games. Talk about funny. Let's hope the developers listen.

Posted by: SilverStr at July 29, 2004 12:11 PM

As the test lead on Microsoft Golf 2001 Edition, I can tell you that this is because of the SafeDisc copy protection that was used on these titles. Your solution would work, but would also provide a very good single point of attack for hackers and crackers that would let them crack all games at once. The way that most copy protection systems work now (simplified explanation) is the executable is encrypted and checksummed. The kernel driver is decrypted using one set of magic numbers on the CD, and then installed in memory. The kernel driver then handles extraction and decryption of individual pages from the executable based on a second set of magic numbers on the CD. Also, the driver injects itself so that it intercepts calls to kernel32.dll in an attempt to mask itself from debuggers. When I left Microsoft last year, they were working on a copy protection system that did not require admin rights to use consistently, but it was slow going because of weird sector access bugs in several CD firmwares, agreements required with manufacturing houses and security concerns regarding "raw" vs. "cooked" media reads for admins/users.

Posted by: Michael Russell at August 2, 2004 10:29 AM

Michael - since these safeguards are cracked as soon as the game is out, why bother? Seems to me that it might be time to declare copy protection dead for the second time.

Posted by: Arcterex at August 2, 2004 08:29 PM

True, the safeguards are cracked shortly after the game is out, but the primary purpose of copy protection is not to stop the hard-core cracker crew. It's to stop the casual copier. It's to stop the "Oh, you like it? Let me give you a copy" crew. My favorite example to use is Blue Byte Software's "Incubation: Time Is Running Out." It was an excellent game, had no copy protection, and sold well enough to warrant an expansion pack. The expansion pack was one of the first products to use SafeDisc for copy protection. The expansion outsold the original game. While the protection was cracked about a month later, the industry had learned its lesson. Stop the casual copiers and delay the hardcore pirates for as long as possible, and you'll earn more. Nowadays, though, it's nearly impossible to delay the hardcore pirates. Most illegal "warez" come from either people inside the development house, the media, or the replication centers. While I do have a philosophical objection to copy protection, I was in the games industry for 5+ years and I realize that this is a case where my philosophy and the practicality of reality are going to have to disagree.

Posted by: Michael Russell at August 4, 2004 08:52 AM

I have a limited account for my friend for Age of Mythology and he was able to play it until today. All of a sudden, the game wants admin privileges and it never did before. The expansion pack works, though. I don't know how to get the original to work so I'll probably just have to give him admin rights.

Posted by: Josh at September 27, 2004 06:23 PM
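The split SilverStr proposes in the comments above (a service that owns the driver handle and answers one narrow question, so the game itself needs no admin rights), sketched as an added example. This is not the author's, Microsoft's or SafeDisc's code: the request format, the opcode value and the drive table are assumptions made for the illustration, the socket pair stands in for whatever local IPC the service would expose, and driver_disc_present() is a placeholder for the IOCTL the privileged side would issue.

```python
"""Privilege-separated disc check (constructed example).

The 'service' end stands in for a process running with the rights needed to
talk to the kernel driver; the 'game' end stands in for the unprivileged game.
They exchange a fixed-size request over a socket pair, so the game never holds
a driver handle and can only ask the one question the service chooses to answer.
"""
import socket
import struct
import threading
from typing import Iterable, List, Tuple

# Assumed wire protocol: 4-byte request = opcode (u16) + drive index (u16),
# 1-byte reply: 0 = disc absent, 1 = disc present, 0xFF = request rejected.
OP_QUERY_DISC = 0x0001
REQUEST_FMT = "!HH"
REQUEST_LEN = struct.calcsize(REQUEST_FMT)
REPLY_REJECTED = 0xFF

# Constructed stand-in for what the driver would report: drive 0 holds the
# disc, drive 1 is empty. Only the service side ever consults it.
_DRIVE_STATE = {0: True, 1: False}


def driver_disc_present(drive: int) -> bool:
    """Placeholder for the privileged IOCTL; the game side never calls this."""
    return _DRIVE_STATE.get(drive, False)


def handle_request(raw: bytes) -> bytes:
    """Validate one request and answer it; anything unexpected is rejected."""
    if len(raw) != REQUEST_LEN:          # exact-size check before unpacking
        return bytes([REPLY_REJECTED])
    opcode, drive = struct.unpack(REQUEST_FMT, raw)
    if opcode != OP_QUERY_DISC:          # opcode allowlist: exactly one operation
        return bytes([REPLY_REJECTED])
    if drive not in _DRIVE_STATE:        # bounds check before touching the driver
        return bytes([REPLY_REJECTED])
    return bytes([1 if driver_disc_present(drive) else 0])


def service_loop(conn: socket.socket) -> None:
    """Serve requests until the unprivileged peer closes its end."""
    while True:
        raw = conn.recv(64)  # capped read; a well-formed request is 4 bytes
        if not raw:
            break
        conn.sendall(handle_request(raw))
    conn.close()


def game_query(conn: socket.socket, opcode: int, drive: int) -> int:
    """Game side: send one request and return the one-byte reply."""
    conn.sendall(struct.pack(REQUEST_FMT, opcode, drive))
    return conn.recv(1)[0]


def run_session(queries: Iterable[Tuple[int, int]]) -> List[int]:
    """Start the service on one end of a socket pair and send queries from the other."""
    game_end, service_end = socket.socketpair()
    worker = threading.Thread(target=service_loop, args=(service_end,), daemon=True)
    worker.start()
    results = [game_query(game_end, op, drive) for op, drive in queries]
    game_end.close()
    worker.join(timeout=2)
    return results


if __name__ == "__main__":
    # Expected: [1, 0, 255, 255] -> present, absent, bad opcode, bad drive.
    print(run_session([(OP_QUERY_DISC, 0), (OP_QUERY_DISC, 1),
                       (0x7777, 0), (OP_QUERY_DISC, 9)]))
```

The point of the shape is that the only thing crossing the privilege boundary is a fixed-length, fully validated message, so a compromised or malicious game cannot reach the driver with arbitrary control codes. Michael Russell's objection still stands: a shared service is also a shared target, so it would need the same hardening attention as the driver it fronts.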