[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-games-devel
Subject:    [Kde-games-devel] Solution for highscores
From:       George Staikos <staikos () kde ! org>
Date:       2001-05-02 22:35:58
[Download RAW message or body]


Ok I am posting this info now but I don't plan to do anything about it for at 
least another week (if then). 

I have been considering the concept of a system-wide KDE highscores system 
for months now.  It took me a little while to work out the details but I 
think I have come to a working solution.  This solution requires a suid 
binary _or_ a daemon listening on a port/socket.  I think a suid binary is 
better.  This is not a KDE binary.  It's simply a binary that takes a score 
for a game and updates the highscore file if necessary.

So here's how it works:

/usr/share/apps/khighscores/gamename.his
(for example...   a highscores file for a game)
They will be stored in order and will be similar to this format:
"Name"     <delimiter>    "score"     <delimeter>     "Game specific info"

This way additional info can be stored for each score.  (sometimes a level 
achieved is included along with points, for instance)

Now these files are world readable but only uid "games" or uid "root" (or 
something similar) writeable.

When a game concludes, it will call a class in libkdegames which will open a 
socket or popen() or execv() or system() the binary and transmit the score to 
the suid app which can then determine if it is a new high score and insert it 
in place.   The app can then read the new highscores file and display it to 
the user.

So what's to stop any user from saying "add this new highscore"?

Encryption
--------

Each game will have an encryption key (or even asymmetric keys) generated at 
install time.  The decryption key is stored in (example) 
/usr/share/apps/khighscore/gamekeys and this file is mode 600.  That way the 
suid binary can read it but no-one else can.  Now how does the game encrypt a 
message?  Simple.  We put a sentinel on the stack in the binary, and at 
install time when the keys are generated, we edit the binary directly and 
replace the sentinel with the encryption key.  Then install the binary.  What 
is to stop a user from debugging the app and finding the key?  Well, as far 
as I can tell, as long as a binary is installed "executable" but not 
"readable", then it is not ptrace()able and thus not debuggable (and 
certainly not readable or copyable).  The only thing that can be done is an 
strace, and this will never give the encryption key.

So, what we do is encrypt the "message" for the suid binary with the cipher, 
and append a cryptographic hash of the message for use as an authentication 
code.  (try to detect if the message has been tampered with - probably 
excessive, but it's easy and the code is already done for doing this).  The 
suid binary decrypts this, checks the hash, then does it's work and returns 
an error code.


Weakness
--------

I can only think of one weakness.  That is, obtaining random data will be 
traceable with strace.  This basically prevents us from making plaintext 
attacks harder.  Thus a good algorithm must be chosen for the encryption 
algorithm.  Yes anyone with root can do things..  You can't stop this.  You 
shouldn't try to because you're wasting your time if you do try.


Editting the binary is only necessary when you don't compile from source.  
However, since most users don't compile from source, there's no point in 
supporting both compile time and install-time key embedding.

This can be configurable on a per-game basis also.  A game could have 
multiple highscore catalogs, varying highscore sizes (top 10, top 100, etc), 
just as an example.  The games that are allowed to register will be listed in 
the gamekeys file along with their key.

We can even ship the binary for generating key-pairs so the admin can 
regenerate new keys if he wishes.  This shouldn't be difficult at all.




So there you have it.  I don't see how this is cheatable, but perhaps I've 
missed something.  I'm tired and I'm still not done exams (I just finished 
writing one within the last hour or so).  The details might need minor work, 
but the overall process is the key here.  Hopefully I haven't left anything 
out.  As for implementation, I'm not sure that I can commit to helping you 
guys do this before 2.2, but I can provide the crypto algorithms.  I'm 
already doing that now in KOffice and am hoping to move the whole framework 
to kdelibs with a customizable, dynamically loading system.


No opening 1000's of homedirs on a school system everytime you finish a game. 
No suid/sgid KDE apps.
No hope of cheating.
No problem!

-- 

George Staikos

_______________________________________________
Kde-games-devel mailing list
Kde-games-devel@master.kde.org
http://master.kde.org/mailman/listinfo/kde-games-devel

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic