Anti-cheat and Anti-Piracy Measures in PC Games Recommendations for In-House Production

Anti-cheat and Anti-Piracy Measures in PC Games Recommendations for In-House Production All right, I‘d like to get this presentation underway. This is Anti-cheat and Anti-Piracy Measures in PC Games—A Case for In-House Production. ©CAPCOM 1

Foreword The scope of this presentation: • We’ll be covering cheating, piracy, etc., in PC games, DLC, etc. • We won't be covering ransomware or other malware. Note: Due to the nature of the subject, there are a few points that will be left vague. We will also avoid mentioning specific product and tool names. First of all, I‘d like to clarify what this presentation will cover. This section is dedicated to cheating in and piracy of PC games, DLC, and other content. Please note that this is a different topic from malware countermeasures such as those against ransomware. 2 Due to the nature of the subject matter, there are a number of points that will be left vague, and I will avoid mentioning specific tools and products by name. ©CAPCOM 2

Agenda Organizational Background PC Game Tamper Resistance The State of Cheats and Piracy in PC Games Actual Anti-Cheating and Anti-Piracy Measures In-House Production of Anti-Cheat and Anti-Piracy Products RE ENGINE's "Security Module" This is our agenda for today. First, I‘d like to talk about our organizational background, and about tamper resistance in PC gaming. 3 Then we will discuss the cheating and piracy situation in PC games. From there, we will explain the actual anti-cheat and piracy measures. Next, we will discuss the in-house production of "anti-cheat and anti-piracy", which is the purpose of this presentation. Finally, I would like to talk about the security module in our in-house engine "RE ENGINE". ©CAPCOM 3

Our work started three years ago. • Previously, I was a systems programmer. • I then switched to my current position as a security engineer I realized that our anti-cheat and anti-piracy measures were insufficient. • There were organizational problems, as well. This story will be about an initiative that began three years ago. Originally, I was a system programmer, I mainly worked on CPU, memory, IO, and other systemic tasks. At that time, I knew nothing about so-called “security”, such as anti-cheat and anti-piracy. 4 However, I got a chance to work on anti-cheat and anti-piracy measures, while continuing to work as a system engineer. I took advantage of the experience I gained, and switched my main job title to security engineer. The reason for the switch was that we had been vulnerable to cheaters and pirates, and that I had identified some organizational problems. ©CAPCOM 4

Organizational Background Now, let me give you some organizational background. 5 ©CAPCOM 5

Organizational Background Before we started working on this, the anti-cheat and anti-piracy measures were done on a title-by-title basis. • Information was not shared and was known only to those directly involved. • There was lots of confusion and running about... • It was also difficult to share information between divisions. What I noticed first was that each title had its own anti-cheat and anti-piracy measures implemented. This meant, of course, that know-how was not shared, and only those who had worked on the project knew about it. 6 Since I knew nothing about it, I had to run around to various titles to ask about implementation. Moreover, the information among the titles was also different. In addition, the personnel of each title basically belonged to that title‘s department; It was rare to move to another department’s title. This made sharing information between departments even more difficult. ©CAPCOM 6

Organizational Background When we dug deeper, further anti-cheat and anti-piracy problems became clear. • There was a lack of knowledge about cheat tampering. • We also found that there was a misconception that protection software can protect everything. And as we worked to combat cheating and piracy, in addition to inter-departmental problems, other issues came to light. To begin with, the majority of people in the company, including the title‘s staff... Were like “What is cheating? What is piracy?” 7 They knew the names and meanings of cheating and piracy, but they had almost no knowledge of what was being done and how. This state of ignorance led to a certain illusion. All of the titles used third-party protection software to guard their products, and had the illusion that this third-party protection software protected everything. ©CAPCOM 7

Organizational Background After product launch, cheats appeared immediately… • "But we use third-party protection software!" The reality is that if you launch with that illusion, cheats will appear on launch day. Third-party protection software or none. 8 ©CAPCOM 8

Organizational Background I too had illusions that didn't hold up to reality Problems I learned about the hard way • Without cross-title measures, knowledge can't accumulate • Malicious tools are being developed on an ever-evolving basis If we don't evolve too, we'll lose out completely • We had to take action! I, too, had such illusions, and was knocked down by the reality of the situation. And from that reality, I thought about what the problem was. 9 The problem is that we had no cross-title solution for cheaters and pirates. There was no asking and teaching between titles, so the knowledge gained was immediately being lost. In addition, new tools for malicious activities are constantly being developed. In a situation where no information is shared or accumulated, we couldn't possibly keep up. Something had to be done about this. ©CAPCOM 9

Organizational Background Capcom Title C Customer Support T Title B Using a neutral position to collaborate with the Customer Support team By not belonging to a specific title I can share security knowledge between every title RE ENGINE Development Current position Security Team So, first, I made a change in my position in order to solve the assignment problem. To share and accumulate information on anti-cheat and anti-piracy measures for all titles, I placed myself in the RE ENGINE development department. 10 Then, I established a security team there as a security specialist. This has allowed us to address the problem of closed, title-by-title anticheat and anti-piracy measures. I became the hub of information sharing and accumulation. By doing so, I can see the measures and status of each title, which I could not see before, and can take new measures. In addition, by belonging to a neutral department, I am now able to communicate with the customer support team and the multiple titles. The customer support team is able to aggregate a wide range of information, and use this information to help in the fight against cheaters and pirates. Another reason I joined the RE ENGINE development department, I could start to create our own, in-house protection software. This is the organizational background. ©CAPCOM 10

Organizational Background What started as being in charge of the anti-cheat/piracy measures on a title led to developing in-house anti-cheat and anti-piracy measures; and information sharing across departments Let's talk about how that helped solve the issues I outlined Now, I want to talk about how what started as being in charge of the anti-cheat/piracy measures on a title led to improving information sharing and developing in-house anti-cheat systems. 11 ©CAPCOM 11

But first PC Game Tamper Resistance Before that, let's talk about tamper-resistance in PC games as prerequisite information. 12 ©CAPCOM 12

PC Game Tamper Resistance For the purposes of this section, we define PC game = Steam version Unlike consoles, PC games let you do anything you want Steam (PC) Console Executable File Accessible and modifiable Inaccessible Memory Freely readable and writable Inaccessible Saved data Just a file, read/writeable Hardware encrypted Files Just files, read/writeable Hardware encrypted Operating System Integrity Can be tampered with Firmware cannot be rewritten Development standards Basically none Defined by manufacturer PC game developers need to be aware of the above In this section, PC games are defined as game applications on the Steam platform. PC gaming is a platform that allows you to do anything you want compared to consoles. To name a few, executable files 13can be easily accessed and tampered with, and memory can be freely read and written. Saved data is just a file. In contrast, consumer platforms support hardware encryption. The same can be said for game data files as for save data. The OS itself can also be infiltrated and tampered with through drivers and other means. Firmware cannot be messed with on consoles. A slightly different aspect is whether or not the development standards are strict. Consoles offer various protections, but also have certain rules on how to create games. In PC game development, these differences need to be recognized first and foremost. ©CAPCOM 13

PC games give a high degree of freedom, but they are also free to be tampered with! To put it bluntly, the PC is a platform that allows you to create freely, but people are also free to tamper with the game! 14 ©CAPCOM 14

The State of Cheats and Piracy in PC Games Now, let's continue with the state of cheaters and pirates of such PC games. 15 ©CAPCOM 15

The State of Cheats and Piracy in PC Games Actually, If we just don't put any anti-cheat and antipiracy measures in a PC game... what happens? To begin with, what happens if PC games do not have anti-cheat and anti-piracy measures in place? 16 ©CAPCOM 16

The State of Cheats and Piracy in PC Games Cracked on day one! Free DLC and other paid content! Sales damage and actual profit loss! Pirated copies appear in less than a day, paid content such as DLC will be made free. This happens on the first day, so sales are affected, leading to an immediate loss of profit. 17 ©CAPCOM 17

The State of Cheats and Piracy in PC Games But the actual amount of damages is unobservable • • • • There's no control case with no piracy to compare with This is the same story in the wider security community We can only speculate on the cost of cheats and piracy But we know that if we don't take measures, the damage is greater Efficient anti-cheating and anti-piracy measures are required! However, there is no way to determine exactly how much actual damages were incurred. This is because it is not possible to compare the case in which damages were incurred with a case in which no damages 18were incurred. This is not only true in games, but also in the general security community. And since we can‘t specify the actual amount of damages to fight cheating and piracy, it’s not possible to determine how much is appropriate to invest in security. But it is clear that if we don‘t do anything, the damage will surely be greater. It is a difficult problem, but we can say that if cannot accurately determine the cost to benefit ratio of countermeasures, we need to implement them as efficiently as possible. However, it is clear that if we don't do something, more damage will surely occur. ©CAPCOM 18

The State of Cheats and Piracy in PC Games Another problem Mods Another inseparable part of PC gaming is Mods. 19 ©CAPCOM 19

The State of Cheats and Piracy in PC Games Should you target mods in your anti-cheat/anti-piracy programs? • All mods are defined as cheats, except when they are officially supported. • What they are doing internally is no different than cheating. Mods no different than cheats affect the product. Mods are popular with users because they allow them to add or change various features to an existing game. However, for the purposes of anti-cheat and anti-piracy, all mods are defined as cheats. That is to say that mods that are 20 not officially supported by the game, are impossible to distinguish from cheat tools, implementation-wise. We will discuss the effects of these mods that are the same as cheats. ©CAPCOM 20

The State of Cheats and Piracy in PC Games Reputational damage caused by malicious mods • The image of the product is tarnished when mods are released that violate public order and morals without permission • Mods can be mistaken for legitimate implementations and can cause bad publicity Workload due to malicious mods • Customers affected by buggy mods cost support time • Worst cases include freezes and save data corruption • Investigations take time + are futile even if they turn out to be successful • Delays in the original production of the game due to the time required for research • Support for other users is delayed The majority of mods can have a positive impact on the game, some mods, however, can be detrimental to the company. Both in terms of reputational damage and in terms of workload. 21 There are a number of mods that are offensive to public order and morals. When these are disseminated, the image of the product is tarnished and branding is affected. Also, these offensive mods may be mistaken for legitimate implementations, and can cause reputational damage. Some malicious mods can also destroy the game by cheating. In the worst case, they can cause freezes and corrupt save data. If you have a mod that destroys your data and you contact our customer support, they will have a difficult time investigating the issue and will spend a lot of time working on it. Even if the cause of the problem is found, there is nothing that can be done about it. This situation can cause delays in the production of the game. Furthermore, it causes delays in support for users who are not using the mod. ©CAPCOM 21

The State of Cheats and Piracy in PC Games Increased customer support load affects development costs in a roundabout way • Those costs are supposed to be used for creating high quality games • No one should want this situation... As the customer support load increases, it will eventually circle back around and affect development costs. Creating a high quality game needs all the budget it can get. If development costs are affected, the quality of the game 22will decline. This will lead to a drop in sales and loss of revenue, as well as disappointment among users. This is not a situation anyone wants to be in. ©CAPCOM 22

The State of Cheats and Piracy in PC Games Creating future profits is what cheat and piracy prevention is all about Furthermore, it helps protect the company's reputation! In other words, anti-cheat and anti-piracy measures are very important to protect the company's future profits and reputation. 23 ©CAPCOM 23

The State of Cheats and Piracy in PC Games PC games need measures to prevent cheating and piracy! • If you're releasing a PC game, you have to have them! • If you don't, financial damages, reputational damages, and workload increases abound The above should help you understand the need for anti-cheat and anti-piracy measures in PC games. As long as you publish PC games, you must take countermeasures. Otherwise, financial damages, reputational damage, 24and workload will accumulate. ©CAPCOM 24

Actual Anti-Cheating and Anti-Piracy Measures Now let's talk about actual anti-cheating and anti-piracy measures. 25 ©CAPCOM 25

Security Measures In Practice Third-party protection software to prevent cheating and piracy • Included at compile time • Added to completed software • Hybrid You don't need to be knowledgeable, just read the documentation and you can implement it • But here is the pitfall! For anti-cheat and anti-piracy purposes, there is the existence of protection software. Some are installed at the time of compilation, some are applied to the finished product, and some are a hybrid of both. 26 In any case, you don't need to have any knowledge of anti-cheat/anti-piracy measures, just read the documentation of the protection software and you can implement it. However, there are pitfalls. ©CAPCOM 26

Are you really protecting what you want to protect? Does it really protect what you want to protect? 27 ©CAPCOM 27

Security Measures In Practice Are you really protecting what you want to protect? • Many protection softwares are specialized products • They protect the "this" but not the "that" Most protection software is specialized. They can protect some things but not others. 28 ©CAPCOM 28

Security Measures In Practice Example: I want to protect my saved data. Steam (PC) Console Executable File Accessible and modifiable Inaccessible Memory Freely readable and writable Inaccessible Saved data Just a file, read/writeable Encrypted! Hardware encrypted Files Just files, read/writeable Hardware encrypted Operating System Integrity Can be tampered with Firmware cannot be rewritten Development standards Basically none Defined by manufacturer Use protection software that does encryption • Now the save data cannot be messed with! For example, consider that you want to protect your game save data. Comparing PC games to consumer consoles, there are some with and without save data encryption. So, by employing29 protection software that encrypts save data, it is likely to be possible to protect the save data. After applying the software, the save data is indeed encrypted, It is no longer possible to cheat or tamper with the data by rewriting. I spent a lot of money but now my save data is protected. I am happy and satisfied. What a great ending. ©CAPCOM 29

Security Measures In Practice It is true that the save data itself can no longer be rewritten, But is it really no longer possible to tamper with saved data? It is true that the save data itself can no longer be rewritten. But is it really no longer possible to tamper with the save data? 30 ©CAPCOM 30

Security Measures In Practice Of course it's still possible Steam (PC) Console Executable File Accessible and modifiable Inaccessible Memory Freely readable and writable Inaccessible Saved data Encrypted! Just a file, read/writeable Hardware encrypted Files Just files, read/writeable Hardware encrypted Operating System Integrity Can be tampered with Firmware cannot be rewritten Development standards Basically none Defined by manufacturer Executable files and memory can be tampered with! • These can be used as a springboard to falsify saved data! Yes, of course there's no happy ending here. Consoles give no access to executable files or executable memory, so there is no way to tamper with them. 31 PC games, however, are a platform on which both "tampering with the program itself" and "tampering with the executable memory" are possible. In other words, no matter how much you encrypt the save data, it is still possible to alter the program itself to rewrite the contents of the save data. Or, by directly manipulating the memory to change data before it gets saved. ©CAPCOM 31

Security Measures In Practice The problem with this is that the protection software itself cannot be evaluated • The most important concepts in anti-cheat and anti-piracy • Understanding from the inside how the protection works • Understanding clearly what is and isn't being protected The best way to understand all that is to bring anti-cheat and anti-piracy measures in-house This is due to the fact that the we are unable to evaluate the protection software itself. Furthermore, these concept are the most important ones not only in the fight against cheaters and pirates, but also in security in general. 32 Those who employ protection software need to understand how the software protects them. What it can protect and what it cannot protect, and the scope of protection of the product. To understand this protecting software, what I recommend is to produce in-house anti-cheat and anti-piracy software. ©CAPCOM 32

In-House Production of Anti-Cheat and AntiPiracy Products Now, let's move on to the in-house production of anti-cheat and anti-piracy measures. 33 ©CAPCOM 33

In-House Production of Anti-Cheat and Anti-Piracy Products Each protection software has its own range of defense. • We need a clear understanding of what is and isn't protected. Understanding protection software • It is not something that a layman can understand overnight. In other words, it's a long-term game • The long-term game means that the company needs to make it a specialized, permanent work position Covering areas not covered by the protection software • Could be achieved by just adding more protection software • But often they can't be stacked due to compatibility issues The following is a summary of the problems tackled by in-house production of protection software, and the problems in carrying out that in-house production. 34 First of all, let me reiterate that the problem with protection software is that it can protect some things but not others. Being able to determine these things is not something that a layman can suddenly learn overnight. In other words, a long-term battle is necessary. If it is going to be a long-term battle, the company needs to commit to it. We will also need to think about how to protect the parts of the game that are not protected by the protection software. It may be possible to use other protection software in combination. Unfortunately, many protection softwares are not compatible with each other, so this does not solve everything. ©CAPCOM 34

In-House Production of Anti-Cheat and Anti-Piracy Products The way to pull all of this together and solve the problems is "In-House Anti-Cheating and Anti-Piracy Measures." S I L V E R B U L L E T One solution to these problems is to in-house the production of anti-cheat and anti-piracy measures. 35 ©CAPCOM 35

In-House Production of Anti-Cheat and Anti-Piracy Products Four advantages of in-house production There are four advantages to be gained by doing in-house production 36 ©CAPCOM 36

In-House Production of Anti-Cheat and Anti-Piracy Products Advantage 1: Dramatic improvement in understanding • Most important for anti-cheat and anti-piracy • Possible to determine if a return exists to pay the cost • Adopt only those features that are truly necessary Advantage #1 is that you will be understand how the protecting software works! Knowing what is protected and how is the most important part of anti-cheat and anti-piracy. 37 You will be able to determine if there is a return for the cost of protection, and you will have the knowledge, experience, and means to select the right products for the job. By employing only the features you really need, you can cut the cost of the protection software itself. If you adopt protection software just for the sake of it, you may incur unnecessary costs. ©CAPCOM 37

Complementary Protection Software Advantage 1: Dramatic improvement in understanding Advantage 2: Understanding and complementing areas that aren't protected • If we understand why they're not protected, then we understand how to protect them Can be complemented by creating in-house protection software • One gap in your protection and it's all over • This is the same idea of vulnerabilities in general The second advantage of in-house production is the understanding of the areas that are not being protected. It is important to understand what you are doing well, but it is also important to understand what you are not doing well 38 in order to prevent cheating and piracy. Because understanding why it‘s not protected means that you can understand how to protect it. If you understand how to protect it, you can supplement those gaps with in-house protection software. As we all know in the security community, if there is one hole in a security system, it will be exploited and breached. Software vulnerability concepts in general can be applied to the measures against cheaters and pirates. ©CAPCOM 38

Question Should we bring everything in-house? Absolutely not! Now, the question suddenly arises If we can understand all of the third-party protection software, wouldn't it be better to do all security completely in-house? 39 The answer to that is a resounding no. ©CAPCOM 39

Improved Understanding of Protection Software It is undeniable that third-party protection software is very powerful • Breaking third-party protection software requires considerable technical skills • We are not trying to deprecate third-party protection software • To begin with, in-house security software is not very effective because there aren't many people available to work on it. I have emphasized the shortcomings of third-party protection software, but what it does protect, it protects very well. This is true. It takes a great deal of technical skill to break an third-party protector. In this case, we are using in-house production to 40protect other parts of the system. This is not a recommendation to dispose of your third-party protection software. We only have a few people working on in-house protection software to begin with; It cannot compete with third-party protection software. ©CAPCOM 40

Rethinking Things Symbiosis of third-party and in-house production • A single layer of protection ends when one point is breached. • Multi-layered measures to make it harder to break Let‘s change tack; we will take the conversation toward the symbiosis of third-party and in-house protection software. Protection is a process that is so complex that if one point is breached, the whole thing falls apart. We believe that dozens 41 of measures, spread thin and wide, are more difficult to break than one strong, luxurious, one-of-a-kind protection. Even weak in-house countermeasures can be used in conjunction with third-party software to protect each other. By protecting each other, we can share the Advantages of each. This can be a more powerful situation than if only third-party protection software were employed. ©CAPCOM 41

Multilayer Protection Advantage 1: Dramatic improvement in understanding Advantage 2: Understanding and complementing areas that aren't protected Advantage 3: Multi-layer protection • • • • Protection without gaps by complementing Multiple protections rather than one strong protector Mutual protection for each other Duplicate protection in the same location as third-party protection software This brings me to the third advantage of in-house production: multi-layer protection! The definition of multi-layer protection is 42 Protection without holes by complementing each other multiple protections rather than one strong protector. In addition, mutual protections that protect each other, duplicate protections that protect the same location as third-party protect software. ©CAPCOM 42

Multilayer Protection Results observed after releasing in-house protection software Attackers want to attack in the easiest way possible They pick the easiest weaknesses • In other words, no matter how strong the protection, one hole is all it takes Attackers have a complete advantage because attacker they don't have to worry about breaking anything • Defenders are in a naturally weak position The above ideas were arrived at by actually releasing in-house protection software and observing subsequent trends. Basically, attackers want to tamper with the system in the easiest way possible. Therefore, they will always exploit the easiest hole. 43 Meaning, no matter how strong the protections you implement, if there is one hole, you are finished! Also, for the attacker, as long as the software is still operational for their purposes, once they‘re inside it’s mission accomplished. The defender, who has to worry about whether the software is still working as originally intended, has far fewer moves to make. ©CAPCOM 43

Multilayer Protection In the end, protections will be breached • There is no such thing as an unbreakable protection (Silver Bullet)! The goal is to make things difficult for the attacker • The attacker is also human; they will give up if you annoy them enough • It's not just about thinking logically; there's an emotional aspect To put it completely bluntly, any protections will always be breached. There is no protection that cannot be broken. Therefore, we switch to annoying the attacker rather than unbreakable protection. Attackers are also human, so they do not want to do anything too annoying. 44 This is a different way of thinking from the logical protection strength, this is what we consider as the basis of multi-layer protection. ©CAPCOM 44

Multilayer Protection Multi-layer protection from the attacker's point of view • The part you are trying to attack is not plain text • It contains a number of different protections • You can't remove it without removing all protections at the same time Sounds like more effort than it's worth! Let's take a peek at the multi-layer protection mentioned earlier from the attacker's side. First of all, the part we are trying to attack is not in plain text. Furthermore, it has different kinds of protection. At the same 45 time, there is no way to remove it without removing all the protections at the same time. We appeal to the attacker's emotion. Specifically, the emotion you feel when something is a pain in the rear. ©CAPCOM 45

Toward Multi-Layer Protection Only recently have we realized that multi-layer protections are effective • Couldn't have noticed this using only a single piece of third-party protection software • In-house production made this possible • In-house production can change the way it works for each patch, etc. It is only recently that we have realized that multi-layered protection, that take advantage of this hassle from the attacker's point of view, can be effective. 46 This was an insight that we would never have realized with a single third-party protection software. It is a strength that can only be achieved through in-house production. Also, with in-house production, we can change the way we do things with each patch, etc., to further disturb the process. ©CAPCOM 46

In-House Production Advantage 1: Dramatic improvement in understanding Advantage 2: Understanding and complementing areas that aren't protected Advantage 3: Multi-layer protection Advantage 4: New career paths • No one was specialized in such work before • At Capcom, the corporate culture allows us to do things freely The fourth advantage of in-house production, which is a bit of a non-secuitur, is that it is a new career path. By expanding our response across the entire company from the way we used to respond to each title, we are now able to promote ourselves as specialists. 47 Capcom has a corporate culture that allows us to do the work we want to do. ©CAPCOM 47

In-House Production In-house production has many cost advantages • Third-party protection software is licensed for a contracted period • If the contract period expires, the product loses protection • But if it's made in-house, we can support it permanently In addition, there are wonderful advantages to in-house production These are the four advantages of in-house production, but in-house production also has cost advantages. The majority of third-party protection software is costed over the term of the contract. Once the contract expires, the product can no 48 longer be protected, In-house production can permanently protect and support the product. In-house production has another great advantage. ©CAPCOM 48

In-House Production And that is technique accumulation! That is, of course, the accumulation of new techniques! 49 ©CAPCOM 49

In-House Production If you're an engineer nothing beats that! Nothing else is as much fun as being able to accumulate a large amount of knowledge when you call yourself an engineer. 50 ©CAPCOM 50

In-House Production We recommend in-house production • For the same reason we do for RE ENGINE itself • If you want to produce a large number of titles, it's better to have an in-house engine • RE ENGINE's in-house technology is supported by accumulation of knowledge and techniques The same goes for anti-cheat and anti-piracy measures • Considering the number of titles, in-house production can be very effective! • Bringing it in-house means it needs to be managed These are the reasons why we promote in-house production. It is for the same reason that our game engine, RE ENGINE, is made inhouse. 51 If we are going to make lots of titles, we can cut costs by producing the engine in-house. In addition, the internal technology of RE ENGINE is supported by accumulated technology. The same can be said for anti-cheat and anti-piracy, considering the number of titles, in-house production is something that can be very effective. However, in-house production also means that it must be managed at the same time. ©CAPCOM 51

RE ENGINE Security Module Next, we will talk about the operating form of the internalized protection software, RE ENGINE "Security Module". 52 ©CAPCOM 52

RE ENGINE's "Security Module" RE ENGINE's "Security Module" is the result of in-house production • • • • • A security module that leverages the strengths of generalized engines Built into the engine for immediate adoption in any title A uniform anti-cheating and anti-piracy policy Problems, if any, can be corrected for all titles Even if a module is breached, the next title can strengthen it more As mentioned on the previous page, we operate a general game engine called RE ENGINE. Our in-house protection software is a part of RE ENGINE and is embedded in the engine as a "security module", This is53 a module that takes advantage of the engine's generalized nature and can be immediately adopted by any title. Since it is a module, it can be detached at any time. The Security Module makes it possible to implement a uniform anti-cheat and anti-piracy policy for all titles. The security module is also able to collect information from all titles and send corrections to all titles as quickly as possible. If a countermeasure is broken, it can be immediately addressed in the next patch or title. ©CAPCOM 53

RE ENGINE's "Security Module" Self-hacking of security modules • Verify if you can hack your own creation • Understand the attacker's perspective • This has resulted in actual fixing of vulnerabilities • It does make things harder to debug, though... • Make it a powerful module In addition, the security module is self-hacked using test programs, etc. This is done by looking at the self-hacking module from an attacker's point of view, to verify how it looks and if there are 54 any holes. We actually plugged some holes with this self-hacking, but it was very difficult because it made debugging difficult. This is how we strengthen the security module. ©CAPCOM 54

RE ENGINE's "Security Module" What went into creating the security module • Requested placement in RE ENGINE development as a security specialist • Suddenly claiming to be a security engineer • Acquire basic security skills • x86 architecture, PE, cryptography, information gathering, etc. • Detailed understanding of third-party protection software • Home-built analysis tools Continue the above for 2-3 years • Security module completed and released This is a summary of what went into creating this security module. First, I submitted a request for placement with RE ENGINE development as a security specialist. This was accepted. At this 55 point, I started calling myself a "security engineer", but we had never had such an engineer in our company, so I was met with reactions of "So, what do you do?" From there, I spent about a year researching to learn the basic security skills needed to understand protection software. Understanding the X86-64 architecture, analyzing the PE format, using symmetric key cryptography as a cipher, public key cryptography, and collecting information. I acquired a variety of skills that I thought could be important for security. From there, I actually investigated the operation of the third-party protection software and worked out what was going on and understood the details. I also created our own program analysis tool to pair with the security module. This is used in the aforementioned self-hack. After a couple of years of these efforts, the security module was completed and released. ©CAPCOM 55

RE ENGINE's "Security Module" Aiming to improve the entire company using the security module • Consolidation of disparate security measures for each title • • • • Gather all title experts and make yourself the hub of sharing Visualize the current situation by quickly sharing cheat and tampering information. Provide support for the security module for each title Support third-party protection software adaptation even if in-house production is not used With the release of the security module, I aimed to improve the company's overall anti-cheat and anti-piracy measures centered on the operation of the system. 56 The cheat and piracy measures that had been disparate for each title were now centralized in a single place, with a central hub for all the titles. This allows us to quickly collect tampering information for each title and share it across all titles, letting us visualize the current state of cheating and piracy. Naturally, I provide support for the security module in all titles that implement it. Unfortunately, there are some cases where it is not implemented. In such cases, we introduce third-party protection software as appropriate, to ensure that at least some countermeasures are in place. ©CAPCOM 56

RE ENGINE's "Security Module" Improved anti-cheating and anti-piracy measures throughout the company • Share and accumulate information that changes daily • Increased knowledge and awareness of experts in each title Calling myself a security engineer was surprisingly effective • From the game developer's point of view, it seems like there's an expert around who knows what they're talking about • No cost to research and acquire knowledge from scratch Having provided such support, the fight against cheaters and pirates throughout the company has definitely improved. Sharing and accumulating the ever-changing information on cheats and piracy, has improved knowledge and awareness 57 of the experts in each title compared to the previous situation. Also, by claiming to be a security engineer, title developers see me as an someone who can be asked when information is needed. This saves each title the cost of conducting individual research on anti-cheat and anti-piracy measures and of understanding third-party protection software. ©CAPCOM 57

RE ENGINE's "Security Module" Security must be an ongoing operation. • There is no guarantee that tomorrow will be okay The information gathered will become a technological reservoir and a weapon for Capcom • A head-on challenge to the never-ending security cat and mouse game! However, even with improvements, security must be a continuous operation. There is no guarantee that it will be safe tomorrow, as conditions change on a daily basis. 58 The information we gather becomes a technical reservoir and a weapon in Capcom's arsenal. There is no end to security. We need to use this weapon to face this cat and mouse game head-on. ©CAPCOM 58

RE ENGINE's "Security Module" Logistical crash reporting tools to help with operations • Utilize our knowledge of security module creation • PC environments are so varied that unexpected behavior is possible • QA confirms that everything is fine as far as possible ⚫Difficult to get a report on the customer's environment ⚫ Provide crash reporting tools ⚫ At least, a MiniDump and the operating environment information in one file ⚫Now it's a mainstay in dealing with title glitches too In addition, using the knowledge gained from creating the security module for the operation, we have also released a crash reporting tool for logistical support. 59 PC environments vary widely, and our QA department checks for problems whenever possible, however, unexpected behavior can still occur. That behavior occurs on a specific user's environment, so gathering the information itself can be technically challenging. If a crash occurs due to a glitch of some sort, it is necessary to collect information quickly and reliably. In order to do this, we have developed a crash report tool for RE ENGINE development titles. It's is a tool to compile the minimum necessary information into a single file. It is currently very useful in collecting and resolving title defect information. ©CAPCOM 59

Current Initiatives and Goals Current Initiatives • Operation of security module • Monitoring, analysis, and countermeasures against unauthorized tools • Gather information on new third-party protection software As for the initiatives we are currently working on, continuing to operate the security module and monitor, analyze, and address rogue tools for products currently on the market. Gathering information on third-party protection software that may be newly available for adoption. 60 ©CAPCOM 60

Current Initiatives and Goals Other Initiatives • Activities aimed at raising awareness of anti-cheat and anti-piracy measures within the company • Established a security blog, about 70 posts so far. • Holding CTFs for newcomers • Very well received In addition to this, I also conduct company-wide cheat and piracy awareness activities. As a typical example, I have established a blog focusing on security content, which currently has about 70 posts. We also hold CTF events and other events mainly for newcomers. These events have been very well received. 61 In the security blog, we actually tamper with our products, promoting understanding of vulnerable areas and methods. This is intended to raise awareness on the part of the titles and raise a sense of urgency. We also provide a more detailed version of the contents of this document for internal use. ©CAPCOM 61

Current Initiatives and Goals Top 3 most popular security blog posts within the company • Product Crack Information Bulletin • I actually cracked the product • I hacked the demo version Stories about attacking our own products to find vulnerabilities are popular In addition, these are the top three for viewers of our internal security blog. When a product is actually cracked, we post breaking news, and these articles in particular have a lot of viewers. 62 Technical articles with demonstrations of actual cracks of products are in second place. The fact that it explains the actual cracking method has increased the number of viewers. The third place is the same as the second place, but it is a technical article about hacking a trial version of product. It demonstrated that there was a possibility to play areas other than those intended in the demo version. Of course, I reported the vulnerability to the title when I wrote this article, there is no trial version out there that can actually be hacked. This is why stories like this that actually exploit vulnerabilities in the products are so popular on the blog. ©CAPCOM 62

Current Initiatives and Goals Initiatives for the future • Additional security module functionality • There is still much to do, it's never ending! • Security Module Simplification • Creating a mechanism to make it easier for people to use the module Initiatives to undertake in the future include: Expanding the functionality of the security module. There is still much more to do. At the same time, I‘d like to simplify the security module to make it even easier to incorporate. ©CAPCOM 63 63

Summary Finally, I'll summarize. 64 ©CAPCOM 64

Problems and their solutions (Conclusion) Resolve the lack of cross-title measures, sharing and accumulation. • Instead of being embedded in a title's development team, which is insulated (and eats up budget) we established a separate position to centralize security staff and knowledge. • Titles with a larger budget could manage the cost of having an embedded specialist, but titles with a smaller budget won't have that luxury. • Sharing is very helpful for titles with such small budgets. As for the lack of cross-title support and the lack of information sharing and gathering. By specializing in a different department instead of working for a specific title, information on cheats, piracy, etc., can be compiled, shared, and consolidated. 65 Assigning staff to specific titles was a particular problem; it worked for titles with large budgets; however, for smaller titles, it was an unaffordable luxury. Sharing of anti-cheat/anti-piracy measures across all titles can be very helpful for titles with small budgets. ©CAPCOM 65

Problems and their solutions (Conclusion) Clear the misconception that third-party security software can protect everything. • Provide a technical explanation of what is and isn't protected. • Creation of RE ENGINE's "Security Module" • Proprietary library for cheat detection • Third-party protection software and security modules • Solid protection with complementary and multi-layer protection As for the misconception that third-party protection software protects everything... First, we worked out what is and isn‘t protected from a technical standpoint. 66 Then, through RE ENGINE’s “security module” and third-party protection software, we achieved complementary, multi-layered protection. ©CAPCOM 66

Problems and their solutions (Conclusion) Resolved knowledge sharing about cheaters and pirates • Established a blog and disseminated information to educate about basic attack methods and countermeasures. • Increased a sense of urgency by actually tampering with the company's products and explaining the means in an easy-to-understand manner. • Attack tools are being developed at an ever-evolving pace and the methods in which they are addressed should also be evolving. As for sharing knowledge about cheaters and pirates... We educated people about basic attack methods and the need for countermeasures through the blog and other means. 67 We also raised awareness of the danger of piracy by explaining in simple terms the actual methods used to tamper with our own products. In addition, since attack tools are being developed at an ever-evolving pace, it is necessary to permanently implement ongoing countermeasures. ©CAPCOM 67

Current Initiatives and Goals Make Capcom a company with excellent security Use RE ENGINE to create competitive security technology. Our goal is for Capcom to become a company with excellent security. And we will continue to develop RE ENGINE so that it‘s not only a competitive game development tool, but also a competitive security tool. 68 ©CAPCOM 68

Thank you for your attention. Thank you for your attention. 69 ©CAPCOM 69