
Statistical Effort Modelling of Game Resource Localisation Attacks

Alessandro Sanna, Waldo Verstraete, Leonardo Regano, Davide Maiorca, Bjorn De Sutter

TL;DR

This paper presents a full instantiation of the automatable method to obtain statistical effort models for game resource localisation attacks, which represent a major step towards creating game cheats, a prime example of MATE attacks.

Abstract

Evidence on the effectiveness of Man-At-The-End (MATE) software protections, such as code obfuscation, has mainly come from limited empirical research. Recently, however, an automatable method was proposed to obtain statistical models of the required effort to attack (protected) software. The proposed method was sketched for a number of attack strategies but not instantiated, evaluated, or validated for those that require human interaction with the attacked software. In this paper, we present a full instantiation of the method to obtain statistical effort models for game resource localisation attacks, which represent a major step towards creating game cheats, a prime example of MATE attacks. We discuss in detail all relevant aspects of our instantiation and the results obtained for two game use cases. Our results confirm the feasibility of the proposed method and its utility for decision support for users of software protection tools. These results open up a new avenue for obtaining models of the impact of software protections on reverse engineering attacks, which will scale much better than empirical research involving human participants.

Paper Structure (59 sections, 9 figures, 9 tables)

This paper contains 59 sections, 9 figures, 9 tables.

Figures (9)

  • Figure 1: The simulation method of the game resource localisation attack. The defender needs to invest time once in playing the game while dumps are taken. Based on that one playing session, multiple attack executions can then be simulated, of which the results can be aggregated into statistical distributions that model the required attack effort.
  • Figure 2: Hasse diagram for the partially ordered set of pruning logics used in the experimental evaluation in this paper, induced by the specificity relation
  • Figure 3: Outcomes of six targeted pruning logics in greedy attack strategies on unobfuscated versions of the two games. (a)–(f) show the results on SuperTux, (g)–(l) show the results on AssaultCube. The X-axis shows the number of dumps $n$ taken by the modeller. In red (right Y-axis), the mean success rate is plotted, i.e., the mean value of $\hat{\sigma}_{A_n}^{P_v}$. In black and gray, the $P_{25}$, $P_{50}$, and $P_{75}$ percentiles of the remaining number of candidate locations are plotted, i.e., of $\hat{\phi}_{A_{2,n}}^{P_v}$. The red line in graph (b), e.g., shows that with a $+$-attack using two or more dumps, the mean success rate is 100%, meaning that remaining candidate locations to be considered will highly likely always include the actual location the attacker is after. The black line shows that with only two dumps, half of the attacks had already pruned the search space for the attacker to less than about 900 candidate locations. The gray lines show that 75% had pruned the search space to less than 2000 locations, and 25% had already pruned it to less than 700 locations. Finally, the grayed area of each plot marks the zone where the attack cannot yet achieve any useful pruning of the search space, because the number of used dumps is simply too low.
  • Figure 4: Outcomes of six targeted pruning logics applied greedily on RNC-protected games. (a)–(f) show results on SuperTux, (g)–(l) show results on AssaultCube. The legend is the same as in Figure 3.
  • Figure 5: Outcomes of two related pruning logics applied greedily on two versions of the games. (a)–(d) show results on SuperTux, (e)–(h) show results on AssaultCube. The legend is the same as in Figure 3.
  • ...and 4 more figures
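
The simulation loop described in the captions of Figures 1 and 3 (one recorded session, many simulated attack executions, results aggregated into a success rate and percentiles of remaining candidate locations) can be sketched as follows. This is an added example, not code from the paper: the synthetic dumps, the direction-of-change pruning predicate, and the multiplicative encoding used as a stand-in protection are all assumptions made for illustration.

```python
import random
import statistics

def record_session(n_dumps, n_words, target, encode, rng):
    """One constructed play session: dumps[i][j] is memory word j in dump i."""
    value, observed, dumps = 100, [], []
    words = [rng.randrange(1 << 16) for _ in range(n_words)]
    for _ in range(n_dumps):
        value += rng.choice([-3, -1, 1, 2])   # resource the player sees on screen
        # constructed noise: every 4th word is volatile, the rest stay constant
        words = [rng.randrange(1 << 16) if j % 4 == 0 else w
                 for j, w in enumerate(words)]
        dump = list(words)
        dump[target] = encode(value)          # how the game stores the resource
        observed.append(value)
        dumps.append(dump)
    return dumps, observed

def sign(x):
    return (x > 0) - (x < 0)

def simulate_attack(dumps, observed, n, target, rng):
    """One simulated attack on n random dumps: (target kept?, candidates left)."""
    picks = sorted(rng.sample(range(len(dumps)), n))
    candidates = set(range(len(dumps[0])))
    for a, b in zip(picks, picks[1:]):
        want = sign(observed[b] - observed[a])  # assumed pruning logic
        candidates = {j for j in candidates
                      if sign(dumps[b][j] - dumps[a][j]) == want}
    return target in candidates, len(candidates)

def effort_model(dumps, observed, n, target, runs, rng):
    """Aggregate simulated attacks: mean success rate and P25/P50/P75."""
    results = [simulate_attack(dumps, observed, n, target, rng) for _ in range(runs)]
    rate = sum(ok for ok, _ in results) / runs
    return rate, tuple(statistics.quantiles([left for _, left in results], n=4))

def demo(seed=7):
    rng = random.Random(seed)
    encodings = {"plain": lambda v: v,
                 # hypothetical stand-in for a data encoding, not the paper's RNC
                 "encoded": lambda v: (v * 40503) % 65536}
    out = {}
    for name, enc in encodings.items():
        dumps, obs = record_session(12, 2000, 5, enc, rng)
        out[name] = {n: effort_model(dumps, obs, n, 5, 200, rng) for n in (2, 4, 8)}
    return out

if __name__ == "__main__":
    print(demo())
```

For each storage variant, `demo()` returns the mean success rate and the three percentiles per dump count `n`, which is the shape of data a defender would compare before and after applying a protection.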