Larry Trowell, Principal Security Consultant at Synopsys
The video game market is a $100+ billion industry. Some of the most complex software developed today is for video games, using clients, servers, web components, monetary transfers, social interactions, and virtual markets—with every part needing security. Video games are attractive and lucrative targets for hackers, especially when it comes to cheating and piracy.
With all that in mind, I sat down with Larry Trowell, principal security consultant at Synopsys, for a discussion of lessons that can be learned from the video game industry’s approach to software security. Larry’s career has included work in game engine programming and in penetration testing both games and game hardware.
Q: I’ve heard people say the video game industry better understands the importance of software security and reliability than many other industries.
Larry: One of the reasons that the video game industry is thought to understand the importance of software security is that they’ve had to adapt every year with more robust security to combat hackers. They’ve had to implement signed firmware to combat mods, anti-debugging software to deter piracy and hackers, and runtime integrity checks to combat cheaters.
One thing that the video game industry does differently than other industries is realize that they will not just be attacked but their security will fail. Their game will be pirated, the cheaters will find a way to cheat, and flaws will be found in the system. The difference between the game industry and other industries is that they plan for what to do after the attack succeeds. They remove client control, they lock down the software, they encrypt memory—they do everything you’re supposed to do to stay secure. But importantly, they also plan for what to do when those measures are not enough.
Q: So is the video game industry ahead of the curve in software security compared to other industries?
Larry: If they’re thought to be ahead of the curve, it’s because they have a history of pushing the technical boundaries of software security. At first they needed to protect against piracy, so they developed complicated copy protections and anti-debugging software. This path led to also dampening the cheating that was starting to occur when games went multiplayer. When these techniques didn’t provide guaranteed results, they began to look at what to do after the attack, which is something most others in the software industry either don’t do or don’t do well enough.
Q: Is there anything we can learn from the video game industry when it comes to security?
Larry: Video games employ a number of security features that should be implemented in any software that has access to sensitive data or sensitive functionality.
Here are some examples:
- Server-side checks. Client-side security will always fail. This lesson is one that the video game industry has learned the hard way over the years. Their current preferred solution is to check periodically with a server they control to validate that there have been no modifications to the game and that everything is performing as it should.
- Over-the-air updates. Vulnerabilities will be found. There needs to be a means of patching those vulnerabilities as soon as possible. Preferably with a mandatory update, if it can be justified with user experience.
- Anti-debugging. If attackers can step through the code line by line, there’s a good chance they will find a way of modifying it to their gain. Debug protection can aid in the prevention of hacks.
- Obfuscation. Obfuscation is not about stopping attackers. It’s about delaying them. The longer it takes an attacker to find a vulnerability, the more time software developers have to find it in-house and repair it.
- Runtime integrity checks. This feature can protect software developers not only from piracy but from having their software be used as a vector for malware injection, which can seriously affect the reputation of a company.
Finally, understand that security is a trade-off. Not every customer/user is going to like added security. However, security is an important feature that must be included without compromise. And the only way to minimize the cost of adding security to the product is to incorporate it from the beginning. Understand the security techniques to implement, and make them work with the product. If you find an issue with one technique, then determine whether another technique may offer similar security with fewer issues.
Whether in video games or in any other industry, the best way to protect your revenue and reputation is to proactively build security into the software development life cycle.