Wednesday, November 29, 2006

Security cannot be added as an afterthought!!!

Earlier this week, I attended a training on software security. In my university days, security concerns in programs were non-existent for me, and that was reflected in the programs I designed. This training brought back memories of a first-person-shooter multiplayer game (loosely inspired by Quake) I created as an assignment for an Advanced Graphics course. It had a maze-like two-dimensional world, and though players were represented with nice graphics, they were internally represented as spheres for the purpose of calculating damage when they got hit. So if you shot at the head of a player in the game, nothing would happen to him, since each player's sphere (hitting which damaged it) was centred roughly at its chest :-).

As stated earlier, no consideration was given to security aspects at all. The clients broadcast the starting location and direction of each bullet they fired, each client calculated how much damage it had taken from the others' bullets, and transmitted this information to the server. The server's main role was to maintain the point count and decide where to re-spawn a player when it got killed. Everything worked amazingly well for a week-long project.

But as I learnt later, it was a security nightmare. Even if one client is breached, the whole game goes down. A compromised client shooting bullets all over the game world would result in all other players being killed instantaneously, and the compromised client could choose not to report any hits on itself to the server, and hence become invulnerable. My only excuse is that it was one of the 3 assignments for one of the 5 courses in one of the 2 semesters that year. Later, while learning about software security in professional life, this example immediately came to mind. And the lesson is: security cannot be applied as an afterthought to software. It has to be taken into account right from the design phase of any project. The security hole I left in the game was a design mistake which could not have been fixed without rewriting essentially the whole game, except possibly the graphics engine. In this particular case, one client having been compromised should not have had such adverse effects on all the others. If there had been a foolproof client authentication scheme, or critical decisions had been left to the server, attackers would have needed to breach the fiercely protected server to bring down the game, instead of finding and compromising one of the unsuspecting clients.
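To make the design lesson concrete, here is an added example (my own illustration, not the original assignment's code) contrasting the two server roles: one function that trusts a client's damage report as the game did, and one where the server itself resolves each shot against the players' hit spheres (circles in this 2-D world) and ignores any client-side damage claim. Player positions, radii and the damage value are constructed sample data.

```python
import math
from dataclasses import dataclass

@dataclass
class Player:
    pid: str
    x: float
    y: float
    radius: float = 0.5   # hit sphere, centred on the body as in the original game
    hp: int = 100

@dataclass
class Shot:
    shooter: str
    ox: float   # bullet origin
    oy: float
    dx: float   # bullet direction (need not be normalised)
    dy: float

def ray_hits_circle(ox, oy, dx, dy, cx, cy, r):
    """Distance along the ray to the first point on the circle, or None.
    Solves |o + t*d - c|^2 = r^2 for the smallest t >= 0."""
    norm = math.hypot(dx, dy)
    if norm == 0:
        return None
    dx, dy = dx / norm, dy / norm
    fx, fy = ox - cx, oy - cy
    b = 2 * (fx * dx + fy * dy)
    c = fx * fx + fy * fy - r * r
    disc = b * b - 4 * c
    if disc < 0:
        return None
    t = (-b - math.sqrt(disc)) / 2
    if t < 0:                      # origin inside the circle: use the exit point
        t = (-b + math.sqrt(disc)) / 2
    return t if t >= 0 else None

def apply_client_report(players, victim, damage):
    """Original design: the server trusts whatever damage a client reports.
    A compromised client can claim any damage on anyone, or report none on itself."""
    players[victim].hp -= damage
    return players[victim].hp

def server_resolve_shot(players, shot, damage=25):
    """Server-authoritative design: only the shot geometry comes from the client;
    the server decides who was hit. Returns the victim's id, or None for a miss."""
    best = None
    for p in players.values():
        if p.pid == shot.shooter:
            continue
        t = ray_hits_circle(shot.ox, shot.oy, shot.dx, shot.dy, p.x, p.y, p.radius)
        if t is not None and (best is None or t < best[0]):
            best = (t, p)       # nearest player along the bullet path wins
    if best is None:
        return None
    best[1].hp -= damage
    return best[1].pid
```

With server-side resolution a client that stops reporting hits on itself gains nothing, because it was never asked; a client that spams shots still needs a bullet path that actually crosses someone's hit circle.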
