U.S. Pat. No. 8,561,178

DETAILED DESCRIPTION

FIG. 1illustrates an example on-line game configuration. A user plays a game on their computer100and interacts with other users via an application server110(remote service provider). A client version of the on-line game (client application)120is run on a central processing unit (CPU)130in the computer100. The user may utilize an input device140(e.g., mouse, keyboard, joystick) to enter commands (e.g., scroll mouse, press keys) in order to play the game. Data capturing the user commands (e.g., bit strings corresponding to the user command) is received by an input/output control hub (ICH)150(chipset). The ICH150forwards the data to an operating system (OS)160for processing.

The OS160utilizes appropriate drivers to convert the data (e.g., bit strings) to corresponding “human” commands (e.g., the ‘A’ key was pressed, the mouse was moved left) and forwards the “human” commands to the client application120. The client application120processes the “human” commands received in order to update/advance the game (modify the game state). Updates to the game are communicated from the client application120to the remote service provider (RSP)110over a communication network (e.g., Internet) via a network interface170(e.g., modem, wireless card, Ethernet cable port, coaxial cable port). The client application120may include anti-cheating software125to detect cheating software that may attempt to modify the game play in some fashion.

An input modification cheat application180may be run on the CPU130and provide commands to the client application120. The input modification180may monitor game play to determine the commands necessary to increase score (e.g., aim more accurately, fire faster) or to perform repetitive tasks (e.g., dig for gold). The input modification180may delete user commands (e.g., remove commands associated with an accidental shot), may modify user commands (e.g., aim a shot more accurately), and/or may add user commands (e.g., shoot more often). The input modification180need not receive any commands from the user and can simply play the game in place of the user by providing data associated with user commands directly to the OS160for processing and the user commands are then provided by the OS160to the client application120. The client application120is unaware that the commands received may not be from a user (e.g., have been inserted or modified) or that user commands may have been deleted.

A communication modification/intercept cheat application185may be run on the CPU130and monitor communications between the client application120and the remote service provider110. The communication modification/intercept185may also be located external to the computer100. The communication modification/intercept185may provide updates (insert communications) to the RSP110that certain activities have occurred in the client application120(e.g., redundant tasks have been completed) that have not. When the communication modification/intercept185detects game updates being communicated from the client application120to the RSP110that it does not want to be communicated it may delete the update (e.g., simulate a communications failure before the player is to be killed) or modify the update (e.g., adjust the trajectory of a shot from another player to ensure it does not hit the cheating player).

When the communication modification/intercept185detects commands from the RSP110that may adversely affect game play (e.g., bomb detonation) the communication modification/intercept185may provide commands to the client application120(e.g., leave house) or may discontinue/interrupt communications (e.g., disable NIC170, shut off client application120) between the client application120and the RSP110so that the adverse effects do not occur.

The client application120may be modified190and/or the program control flow may be modified to point to code outside of the client application120that modifies and/or corrupts the on-line application in some fashion (cheating software195). The modified client application190or the cheating software195pointed to by the modified program control flow may effect the way that the client application120is played and/or displayed to the user so that the user has an advantage over other players (e.g., display transparent walls) or may disable the anti-cheating software125.

FIG. 2illustrates an example on-line game configuration utilizing the ICH150to detect the various online application cheats. The configuration is similar to the configuration discussed with respect toFIG. 1. The RSP110may include a cheat policy module115. The ICH150includes a processor200that is independent of and inaccessible to the operating systems and other applications running on the CPU130(the processor200is an isolated execution environment). The processor200may be a manageability engine (ME) such as that contained in Intel ® chipsets with Active Management Technology. The ME200will only run software provided by trusted parties. The ME200may be programmed to detect and report various online cheats. For example, the ME200may be programmed to perform input verification (input verification module210), to perform software integrity measurements (integrity measurement module220), and to encrypt and decrypt communications (encrypt/decrypt module230).

The ICH150may include an interface240to receive data associated with commands entered by a user on the input devices140. The ICH150may include filters250to filter the data received from the input devices140, and may have an identity key260stored therein that is inaccessible to the platform owner (e.g., stored in a fuse array on the ICH150). The identity key260can be used to attest to the identity of the ICH150and can be used as the basis for an asymmetric cryptographic certificate, to establish a private connection to the RSP110. Once the ICH's identity is attested to the RSP110, the ICH150can then use a negotiated session key to encrypt communications prior to it being sent across the network. The converse is true for decryption.

The ME200(input verification module210) may be utilized to detect input modification cheating by comparing the commands received from the filters250to the commands processed by the client application120. If the comparison determines that the commands received and commands processed are not the same then the commands must have been derived from a non-human source, such as the input modification cheat180.

The client application120may provide configuration data to the ME200(the input verification210). The configuration data may include identification of acceptable type of input devices140(e.g., mouse and keyboard may be used, track ball can not), and any allowable input translations (e.g., convert one keystroke to multiple keystrokes) permitted by the game. The configuration data may also include information about the RSP110(e.g., IP address) so that the ME200can communicate directly therewith.

The input verification module210may use the configuration data to configure the filters250to look for data (e.g., bit strings associated with a command or action) from the accepted input devices140. The interfaces240receive data from the input devices140and pass the data through the filters250. When game play is active, the filters250monitor the data received to determine if the origin is from an accepted input device140. If the filters250determine the data is not from an accepted input device, the data is simply forwarded to the OS160. If the filters250determine the data is from an accepted input device, the filters250make a copy of the data for the input verification module210and also forward the data to the OS160.

The client application120receives and processes application commands in order to update/advance the game (modify the game state). In normal operation the application commands would be based on data from the input devices. However, the application commands may be modified in some fashion by an input modification cheat application as discussed above with respect toFIG. 1. The client application120captures the application commands received and processed to update the game and forwards them to the input verification module210.

The input verification module210may convert the data received from the filters250into user commands (e.g., change bit strings to mouse presses). The conversion includes use of any allowable input translations. The input verification module210may then compare the user commands generated by the input verification module210to the application commands received from the client application120. If the commands do not match the input verification module210may provide the RSP110and the client application120with notification of non-matching commands. The input verification module210may provide the notification based on a single instance of non-matching commands or some algorithm (e.g., 5 consecutive commands, 50% of commands over a defined interval). The notification may simply indicate non-matching has occurred or may provide details regarding the level of non-matching.

In order to ensure that the non-matching notification is not intercepted and discarded the notification may be encrypted using the encrypt/decrypt module230. The encrypt/decrypt module230may utilize the identity key260to attest to the identity of the ICH150to the RSP110and to establish a private connection to the RSP110. Once the connection is established the encrypt/decrypt module230can use a negotiated session key to encrypt the notification prior to it being sent across the network.

The RSP110receives the encrypted notification from the ME200and decrypts the notification. The RSP110(e.g., the cheat policy module115) makes a determination if cheating is occurring based on the notification. The cheat policy module115may determine cheating is occurring after receipt of a single notification from the ME200or may base the decision on some algorithm (e.g., reach threshold level of notifications/mismatches in a defined period). If the cheat policy module115determines that cheating is occurring (e.g., utilizing input modification cheats) the cheat policy module115may take appropriate action (e.g., provide warning, discontinue play, ban user, ban game play from that machine, notify other players). The action taken by the cheat policy module115may depend on, for example, the level of cheating determined, if cheating has previously been detected for the user or from the machine, and/or if previous action has been taken against the user/machine.

FIG. 3illustrates an example process flow for user command verification. The user enters commands on their input device during game play300. The filters receive data associated with the user commands from the input device305. The filters determine if the data received is from a defined (allowed for game play) input device310. If the data received is not from a defined input device310No, the data is passed to the OS for processing315. If the data received is from a defined input device310Yes, the filters duplicate the data and send the duplicate data to the ME320and pass the original data to the OS315.

The ME (the input verification module) translates the data received from the filters into corresponding user commands325. The ME receives application commands from the client application330. The application commands are the commands that the client application processed to update the game state. The ME (the input verification module) compares the user commands and the application commands received from the client application335. If the commands match340Yes, no action is taken. If the commands do not match340No, the ME (the input verification module) notifies the RSP regarding the mismatch345. The notification is encrypted using the encrypt/decrypt module. The cheat policy module of the RSP determines the appropriate action to be taken based on the notification350.

Referring back toFIG. 2, communications between the client application120and the RSP120may be routed through the ME200to prevent communication modification/intercept cheating as use of the identity key260and the encrypt/decrypt module230provides a secure communication link between the ME200and the RSP110. The identity key260and the encrypt/decrypt module230may also be used to establish a secure communication link between the client application120and the ME200. The secure communication links between the client application120and the ME200and the ME200and the RSP110establish a secure link between the client application120and the RSP110via the ME200. The secure communication link may prevent the communication modification/intercept cheats from detecting communication between the client application120and the RSP110as the cheats will not be able to decrypt the messages. Additionally, since the cheats will not have established their identity they may not be able to insert communications.

In addition to the secure connection between the client application120and the RSP110via the ME200, an insecure connection may to be established directly between the client application120and the RSP110. The direct insecure connection may be used by the client application120to communicate data that does not need to be protected against cheating. This could include data not related directly to game play such as system configuration information.

In order to verify the identity and integrity of the client application120the client application120may be identified by a cryptographic signature that is generated based on the code and a public private key pair. A signature that is based on the code results in the signature of the client application changing if the code is changed. A signature using a public private key pair means that any one with the public key may verify a signature but only those with the private key can generate a valid signature. The ME200(integrity measurement module220) may verify the identity and integrity of the client application120by computing a signature for client application120using the public key and comparing it to the expected (valid cryptographic) signature. If the signatures do not match a software modification cheat may have been detected.

Rather than having a single signature, the client application120may have a cryptographic signature generated for various segments of the code (segment signatures) based on the code segments and a public private key pair. If segment signatures are utilized the integrity measurement module220will need to know which segments of the client application120to generate the signatures for. The client application may provide an integrity manifest that identifies the appropriate segments of the code as well as the expected signatures for those segments to the ME200.

In order for the integrity measurement module220to compute the signatures for the client application120it needs to have access to the code (needs to be able to have direct memory access (DMA) to the code). The code for the client application120will not be stored contiguously in physical memory. Accordingly, the code for the client application120will need to be modified to allow the program to execute in the physical memory locations in which it is stored. The change to code to reflect the physical locations is known as relocation fix-ups. Since the code that the integrity measurement module220will generate signatures for is based on the relocation fix ups the generated signature will not match the expected signature. Accordingly, when the code is loaded into memory the client application will record the relocation fix-ups and will include the relocation fix-ups in the integrity manifest. The integrity measurement module220will back out the relocation fix-ups when computing the signatures.

The integrity manifest may be identified by a cryptographic signature that is generated based on the integrity manifest and a public private key pair. The integrity measurement module220may generate a signature for the integrity manifest using the public key and compare the computed signature to the expected signature in order to verify the identity and integrity of the integrity manifest. By verifying the integrity of the integrity manifest the data contained within the integrity manifest including the signature for the client application or the signatures for the segments is assumed valid. Validating the integrity manifest prevents cheaters from modifying the code and inserting an appropriate expected signature for the modified code in the integrity manifest.

FIG. 4illustrates an example integrity manifest400for a client application. The integrity manifest includes a cryptographic manifest signature410that is based on the integrity manifest400and a public private key pair. The integrity manifest400also includes details for measured segments of code420such as start data430, end data440and expected signature450. The integrity manifest400also includes relocation fix-up data460for the various segments. The integrity manifest may also include an integrity chain table470(to be discussed in more detail with regard to validating the process flow of the client application).

FIG. 5illustrates an example process flow for the integrity measurement module validating the identity and integrity of the client application. The integrity manifest for the application is read500. The signature for the integrity manifest is computed505. The computed signature is compared to the expected signature510. If the signatures do not match515No, the integrity manifest is not valid as it may have been modified517. If the integrity manifest is not validated then the identity of the client application can not be verified. The integrity measurement module may take appropriate action including notifying the RSP.

If the signatures match515Yes, the identity of the client application is validated and the application code store is read from the host memory520. The inverse of the relocation fix-ups is applied to the code525. A signature is computed for the code530. The computed signature is compared to the expected signature530. If the signatures do not match540No, the client application is not valid as the code may have been modified550. The integrity measurement module may take appropriate action including notifying the RSP regarding the modification. The cheat policy module of the RSP determines the appropriate action to be taken with regard to game play at this computer based on the modification notification. If the signatures match535Yes, the client application is validated and game play can continue545.

If the client application included multiple segments defined in the integrity manifest a determination may be made as to whether additional segments remain to be verified and if additional segments remain the process may return to520. Once all the segments have been validated the client application is deemed to be valid.

After the initial verification of the client application, the integrity measurement module may compute the signature for the code segments based on the location of the code in memory (without backing out fix-ups) and these signatures may be stored in the ME for future comparisons. This enables the integrity measurement module to compute and compare signatures in the future without needing to back-out the fix-ups (525). It should be noted that since the signature generated by the ME is not based on the private key that it can only be used for comparisons within the ME and not as the signature for the client application that needs to be generated by the application developer using the private key.

After the initial verification the client application may be validated periodically (e.g., once a day/week, every four hours of use), and/or in an event-driven manner (e.g., transmission of certain data to the remote server). These verifications may be performed on the overall client application or may be performed on selected segments. For example, in event driven verification the verification may be limited to the segment of code for performing that function.

It should also be noted that the validity of the integrity manifest (500-515) need not be performed each time the client application or segments of code for the client application is validated. In fact, the validity of the manifest could be independent of the validation of the client application or segments thereof. The validity of the integrity manifest may be validated periodically (e.g., once a week, every 10 times the client application or portions thereof are validated).

When the client application is running it may reference other programs and/or libraries that are not part of the code for the client application (external code). The external code may be defined, for example, within the executable code in an import address table (IAT), or in an interrupt dispatch table (IDT) that points to the appropriate external code. In order to ensure that the pointers to the external code have not been not modified to point to cheating software or to skip certain code, the various program control flows (process flows) defined in the code may be included in the integrity manifest. The program control flows may be defined in an integrity chain table (e.g.,460ofFIG. 4) within the integrity manifest.

FIG. 6illustrates an example integrity chain table600for a client application. The integrity chain table600may include details for various process flows (integrity chains)610. The integrity chains610may include multiple linked elements620, where an element is a program referenced in the chain. For each element620within a chain610, the element620may define an element indirection level630, a reference location640, and an identifier650. The element indirection level630specifies the level of indirection (e.g., number of function pointers that must be traversed) needed to reach this element of the chain. For example, a value of 1 could represent a direct call into a function in a program's address space and a value of 2 could be used to traverse into an unrelated program. The reference location640specifies the location of the reference to this element (e.g., the location in memory where the pointer is located). The identifier650specifies the manifest corresponding to this element of the chain. The manifest for the element (external code) may include a cryptographic signature for the code and may include links to any external code utilized thereby, if any. The manifest and the links may be protected by cryptographic signatures.

The integrity measurement module may validate the process flow by computing a signature for the code referenced in the defined reference location640and comparing the calculated signature to the expected signature. If the pointer pointed to the defined code in the process flow and the code has not been modified then the signatures should be the same. If the pointer points to different code than expected (e.g., points to cheating code, skips anti-cheating code) or the code has been modified the signatures will not match. It should be noted that if the referenced code includes links to additional code that the additional code should be validated as well (signature generated and compared to expected signature in manifest). The manifest for the referenced code should identify the location of the additional code and identify the manifest for the additional code.

FIG. 7illustrates an example process flow for the integrity measurement module validating the integrity of the client application process flow. Initially, the manifest for the client application will be verified700. The first element in an integrity chain will be read from the integrity chain table in the integrity manifest705. The first element will be verified to make sure it is correct710. For example, if the first element is an IDT register a determination will be made that the first element is indeed the IDT register. If the first element is not valid715No, then a determination may be made that the process flow has been modified in some fashion and the execution path (process flow) is invalid720. The integrity measurement module may take appropriate action including notifying the RSP regarding the modification. The cheat policy module of the RSP determines the appropriate action to be taken with regard to game play at this computer based on the modification notification.

If the first element is valid715Yes, the code called out in the reference location of the first element is read725. A signature for the reference code is calculated730and the calculated signature is compared to the expected signature defined in the integrity chain table in the integrity manifest735. If the signatures do not match740No, then a determination may be made that the process flow has been modified in some fashion and the execution path (process flow) is invalid720. If the signatures match740Yes, a determination is made as to whether the chain is complete745. If the chain is not complete (there are more elements in the chain)745No, then the process returns to725. If the chain is complete (no more elements in the chain)745Yes, then the execution path is valid.

If the client application included multiple integrity chains defined in the integrity chain table a determination may be made as to whether additional chains remain to be verified and if additional chains remain the process may return to705. Once all the chains have been validated the client application process flow is deemed to be valid.

After the initial verification the client application process flow may be validated periodically (e.g., once a day/week, every four hours of use), and/or in an event-driven manner (e.g., transmission of certain data to the remote server). These verifications may be performed on the overall client application process flow or may be performed on selected portions. For example, in an event driven verification the verification may be limited to the process flow (integrity chain) for performing that function.

It should also be noted that the validity of the integrity manifest (700) need not be performed each time the client application process flow or certain integrity chains are validated. In fact the validity of the manifest could be independent of the validation of the client application process flow. The validity of the process flow (FIG. 7) is illustrated as being independent of the validity of the client application (FIG. 5) but is not limited thereto. The processes may be performed at the same time or as part of one process.

The operation of the client application120may be modified by utilizing exception handlers of the CPU130. Exception handlers take control of the CPU130away from the currently executing application (e.g., client application120) if certain events occur. For example, a debug handler may take control of the CPU130from the client application120if a certain area of memory is accessed. A hacker could enable the debug handler by modifying a certain debug register (e.g., to define break points). The hacker could then utilize the debug handler to analyze and hack the client application120without having to modify the client application code, registers, or process flow.

The ME200is unable to access the debug registers of the CPU130. However, the client application120generates system management reports including interrupt reports for the system manager of the CPU. The client application120can have the reports generated during the course of normal execution of the program, or it can be done at random intervals from a dedicated thread within the client application120. The system manager may decode the interrupt reports as a debug register verification requests and read the values of the debug registers. The system manager may provide the reports (e.g., debug register values) to the integrity measurement module220. The integrity measurement module220can analyze the report to determine if break points have been defined in the registers (a debugger has been activated). If a debugger has been activated the integrity measurement module220can determine if the client application120is being debugged (e.g., if the break points are in the linear address space of the client application120). The integrity measurement module220may also determine what debugger has been activated (e.g., whether it is the standard OS debugger or some other debugger).

When activation of an exception handler is detected the integrity measurement module220may take the appropriate action including notifying the RSP110. The cheat policy module115of the RSP determines the appropriate action to be taken with regard to game play at this computer based on the notification. The cheat policy for the application may not allow the debugger to ever be active during game play, may only enable the OS debugger to be used, or may not allow the debugger to be active if it is analyzing the client application.

The system ofFIG. 2utilized the ICH150having an embedded processor (ME) to perform the various cheat detection and reporting methods. The various embodiments are not intended to be limited thereto. Rather, an add-in card (such as a PCI Express card) having an embedded general purpose processor only capable of running sanctioned code and memory not accessible to the operating system or other programs running on the CPU (an isolated execution environment) may be utilized to perform the user command validation. The card would also have inputs for receiving the input data and filters for copying the data from appropriate input devices and passing the data to the processor. The input devices used for game play would be required to plug into this card.

A graphics card having a graphics processing unit (GPU) could also be used if the GPU was an embedded isolated execution environment processor that ran the various cheat detection programs. The necessary inputs and filters would also need to be added to the graphics card. The input devices would need to be plugged into the graphics card in order for the user command verification to work.

The cheat platform could utilize some combination of a chipset having an isolated execution environment processor, additional cards having an isolated execution environment processor, or graphics card having an isolated execution environment processor, with the various isolated execution environment processors performing different functions.

It should be noted that the system ofFIG. 2was discussed with respect to a computer100having a single processor (CPU)120but is not limited thereto. Rather, the computer100could include multiple CPUs or a single multi-core CPU. The client application120could be run on one or more of the CPUs.

The various cheat detection and reporting modules were discussed with respect to the cheating occurring at the computer. It is possible that the cheating actually occurs at the RSP110. That is, a hacker may modify the code or program flow of the software running on the RSP110. Accordingly, the RSP may also utilize an isolated execution environment processor to validate the software and program control flow of the application running thereon and to provide secure communications between an on-line application running on a users computer and the RSP. The isolated execution environment processor may be included in a chipset, an add-in card, or a modified graphics card.

It should be noted that the cheat detection and reporting platforms have been described with specific reference to on line games but is not limited thereto. Rather, the cheat detection and reporting platform could be utilized with any client application that communicates with a remote server.

Although the disclosure has been illustrated by reference to specific embodiments, it will be apparent that the disclosure is not limited thereto as various changes and modifications may be made thereto without departing from the scope. Reference to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described therein is included in at least one embodiment. Thus, the appearances of the phrase “in one embodiment” or “in an embodiment” appearing in various places throughout the specification are not necessarily all referring to the same embodiment.

The various embodiments are intended to be protected broadly within the spirit and scope of the appended claims.