1. 9
    1. 6

      Nice write-up, but this:

      For some reason, Valve made the “interesting” design decision of making that trampoline region readable, writable, and executable at all times. This effectively turns these regions into free “Get Out of ROP Free” cards that exist on every 64-bit Steam game.

      Oh boy. Valve, never change.
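A defender-side check for the kind of region the quoted passage describes, added here as an example that is not code from the thread, the article it discusses, or Valve: it parses Linux `/proc/<pid>/maps` output and lists every mapping that is readable, writable and executable at once. The sample lines, the `/opt/game` and `/opt/overlay` paths and the addresses in them are constructed for illustration; `scan_pid` reads a live process when run on Linux.

```python
"""List memory mappings that are readable, writable and executable at once.

Added example, not from the original thread or article. Assumes the Linux
/proc/<pid>/maps format; the SAMPLE_MAPS lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# One /proc/<pid>/maps line:  start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "rwxp"; first three chars are r/w/x flags
    path: str    # backing file, "[heap]", "[stack]" or "" for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_rwx(self) -> bool:
        # Writable and executable at the same time is what we want to flag.
        return self.perms[:3] == "rwx"


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse maps-format lines; blank or malformed lines are skipped."""
    out: List[Mapping] = []
    for line in lines:
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return out


def find_rwx(lines: Iterable[str]) -> List[Mapping]:
    """Return only the mappings that are readable, writable and executable."""
    return [m for m in parse_maps(lines) if m.is_rwx]


def scan_pid(pid: str = "self") -> List[Mapping]:
    """Read a live process's maps (Linux only) and return its RWX mappings."""
    with open(f"/proc/{pid}/maps") as f:
        return find_rwx(f)


# Constructed sample: a game binary, heap, stack, one anonymous RWX page and
# one RWX mapping backed by a hypothetical overlay library.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /opt/game/game_x64
00652000-00653000 rw-p 00052000 08:01 1234 /opt/game/game_x64
7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0
7f3a1c800000-7f3a1c821000 rw-p 00000000 00:00 0 [heap]
7f3a1d000000-7f3a1d010000 rwxp 00000000 08:01 5678 /opt/overlay/overlay_trampoline.so
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""


def report(mappings: List[Mapping]) -> str:
    """Human-readable summary, one line per RWX mapping."""
    if not mappings:
        return "no RWX mappings"
    return "\n".join(f"{m.start:#x}-{m.end:#x} {m.perms} {m.size:>8} bytes "
                     f"{m.path or '<anonymous>'}" for m in mappings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_pid(target) if target else find_rwx(SAMPLE_MAPS.splitlines())
    print(report(hits))
```

Run it with no arguments to see the two flagged sample mappings, or with a PID on Linux to audit a real process; in a hardened process the expected answer is "no RWX mappings", and any hit is worth explaining, whether it is a JIT that should be toggling W^X or a trampoline page like the one the article describes.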

      1. 2

        Seriously. A lot of these overlays I feel have to be doing gross stuff, but an RWX region just for a jump isn’t giving much hope.

        Speaking of Valve too, I think there are still long-unpatched vulnerabilities in games they sell. Maybe it’d take someone actively exploiting them to get them fixed.

          1. 1

            That doesn’t really seem related? Obviously you can use a game engine to write malware, that’s not a fault or design mistake.

            1. 1

              It’s related to the point in the other comment about gamedev culture versus security and how that invites blackhat activity. There are plenty of game engines where the logic is exposed as a scripting language where the language runtime is a security boundary, such as well, Unity (with flaws as exposed in the article).

          2. 2

            They try to be a display server without the intent, or permission, to be an actual one. That’s not going well.

            Games and the support tooling around them have been valid botnet-building targets for quite a while; it’s almost a perfect storm:

            You have a coding culture that flows from ‘get things to passably work, playtest, market, ship, forget / minimum maintenance’ evolving little in terms of adversarial thinking on the developer side. At the same time it’s high on the end user, rampant cheating aside - the meta game of ‘glitch’ speedruns is a treasure trove.

            Victim machines are high in processing power and connectivity and geographically diverse, and end users are habituated to ignore any visible side effects from things being ‘naturally’ janky; a game crashing now and then isn’t suspicious.

            Studios themselves don’t pay competitive wages for developers, and absolutely not for engineering proactive and reactive security measures or hardening. Last I heard from friends (of the senior variety, with a history of CVEs, experience weaponizing, active in CTFs etc.) who declined offers at the likes of Ubisoft, the compensation for a security role was somewhere around half to a third of what they would get anywhere serious.

            On the supply side for blackhats they first get tempted by anti-cheat and DRM systems, which get away with things that would be considered malware practices anywhere else. As a side effect of trying to break them, they get intimate knowledge of internals and find vulnerabilities as they go along. With no incentive structure for responsible disclosure, there’s only morals in the way of making a little more on the side.