I am providing some diagrams in response to your earlier mail,
along with a lengthier description. I want to be sure
everything is out in the daylight to ease review of the
algorithm.
--
Jason Dusek
Wall clock time or game time? You are confusing them; break
them down and you will see it works out.
--
Jason Dusek
Their game time is shifted as a result of their differing
round trip times (no clock synchronization!). They both
receive the update at T in game time.
Why is their game time shifted? Because the _first_ message
they got from the server set the relationship between their
clock and the game time and we don't try to correct that -- we
don't try clock synchonization.
--
Jason Dusek
By game time, I mean client view of the world. It would be
nonsense for me to claim that server time was shifted for each
client. In this, you are critiquing a system I have not
described.
--
Jason Dusek
Diagram
--------------------------------------------------------------
Here is how the data flows from piece to piece:
+------------------------> server ----------------------+
| |
| |
stamper <---------------------------------- client <-------+
The server pushes data for each world update as soon as it
is available. This means that nearer clients see things
sooner. That is okay. We stream the data with a little lead
time, for lag variance and client processing; but not too
much. That lead time does provide an opportunity for
cheating but not a large one.
The stamper is a dongle or a (magical?) obfuscated binary.
It stamps the request with a special key and its internal
time. When the stamper first talked to the server, it
communicated its internal time to the server. Through magic
(discussed below) we know how the stamper's internal time
relates to "game time". The time that a request enters the
game is entirely determined by its "game time". No matter
when it shows up at the server, we know its "time to happen"
because of the "game time" it was signed with by the
stamper. We trust the stamper a great deal.
The server provides world updates to the client. It is
assumed the client is evil, so we keep it on a short leash
with streaming. When the client is ready to do something, it
must send the request to the stamper to get a valid
signature and time for the request.
Low Variance
--------------------------------------------------------------
Can a change in lag alter the time a stamper will stamp
something with? No. Its internal clock is not effected by
the lag.
Can we alter its internal clock? With an obfuscated binary,
definitely. With a dongle, this could still happen; I will
discuss the obfuscated stamper from this point on, as we
could apply the solution in both cases.
We have a low variance assumption -- a request with a
particular "stamper time" should reach the server close to a
particular "server time". If it is too late or too early, we
do not correct. We throw it out and send a new stamper and
renegotiate the relationship between "game time" and
"stamper time".
Changing the lag frequently by any large amount will result
in loss of requests and frequent renegotiations.
Is there any vulnerability in the negotiations?
Ooops!
--------------------------------------------------------------
This "negotiating the offset" business would be time
synchronization, wouldn't it? So game over for me.
While the adversary can not upset the stamper's ticker once it
is set, they can cause it to be set to the wrong "game time".
I overlooked this until just about two hours ago. Why? Well,
the insecure version doesn't need to sync clocks because it
can use the data it's gotten from the server to know the game
time.
The resolution to this does require us to secure the data from
the server, as you suggested. The updates from the server can
actually help the stamper -- now the "gatekeeper" -- know what
the "game time" is. I will need to think about this for some
time.
--
Jason Dusek
Well, that is not clear at all to me. I grant, though, that I
have assumed an almost magical level of obfuscation for my
binary. I do not address any tampering with its runtime image
-- I just assume that is impossible. Do obfuscaters at present
work well enough for that? I honestly don't know. I did not
make this assumption to be perverse but rather because there
is obviously nothing to say if the runtime image can be
tampered with.
I failed to demonstrate a reliable time-stamper but I did
demonstrate a reliable ticker -- which is to say, a system
that allows me to tell how much time has passed on the far
end. That system can not tell me anything I actually care
about, I now realize, since I can not correlate the time on
its end with time on the server's end without time
synchronization -- and time synchronization is vulnerable in
all the ways you mention.
--
Jason Dusek
I hope Matt's response clarified how that works in the
insecure case.
--
Jason Dusek
I am not sure if even that can work, given an obfuscated
binary with an unstrustworthy clock. The server responses form
a vector clock of sorts -- but what prevents that from being
sped forward by speeding up the client machine's clock?
--
Jason Dusek
Yeah, as long as it enforces that, setting the clock forward
allows the adversary to fast forward through the queue but
then they are stuck signing requests with a later time on
them. We have a "no backsliding" rule. Maybe some weird
speeding-and-slowing combo attack could be used to cheat a
little bit -- and now I have to figure out how much.
--
Jason Dusek
If a binary were sufficiently obfuscated, couldn't it store a
"latest game time" to prevent back sliding?
--
Jason Dusek
In games with a fixed reaction time of 400ms, would this
matter much? Bots are (entirely?) for games that really are
tests of reaction time and accuracy; such a bot would be
little help in Dawn of War.
What about a super tactics bot? A computer chess program is
probably stronger than most human players; the AIs in most
games are able to pound human players. Are RTS bots an
unexplored (or invisible) kind of cheating?
More generally, I can not argue against your point -- with
successful lag levelling, I close but one door of a large
house.
--
Jason Dusek