We recently took a dive back into Unreal Engine Network Security and touched on a few key elements as we keep up with the evolving digital landscape. We were proud to look back at the original article from several years ago and see it maintained relevancy. In the new article however, we spoke again about Remote Procedure Calls or RPCs. These are a common concept in every industry and definitely common in gaming as well.
This gives us a great opportunity to talk about the new RPC Validation functionality that has been implemented on Unreal Engine.
What are RPCs?
We understand that most people interested in this topic are already familiar with RPCs but for those who don’t, here’s a quick reminder. Remote Procedure Calls or RPCs are effectively a facilitator for communication between the client side and server-side. Every action performed by a player or end user will trigger an RPC. This then informs both the server and the client of the action that took place. In gaming, RPCs are used for effectively every single action a player takes. Moving, purchasing, trading, attacking, healing, everything. It is the call from player side to server side, delivering the intended action and ensuring the server keeps up with it. In our original article on Unreal Engine Networking and its security, we touched on the Actor channel. Which is where all of these player actions are contained and how it is where we conduct most of our penetration testing. Because of course this procedure call, straight from the player, is where hackers and malicious actors could work most effectively.This is where the new Unreal Engine RPC Validation Functionality comes in!
Unreal Engine RPC Validation
This is new in general, and definitely new to the integrated RPC function that exists within Unreal Engine. The UE5 documentation even still refers to it as recently added! This function now means you can now include “with validation” in the RPC definition.This means that next to the general implementation of the RPC on the server side, there will be an additional step that validates the user input. Every input from the user needs to be validated to ensure a high level of security, server-side validation is something we have often mentioned due to the security concerns without it.
How the UE RPC Validation Functionality Changes Things
Writing validations into RPC functions isn’t a new process but it was an uncommon thing to do. Now, though, we’re lucky to see engines beginning to implement it as a specific functionality. It makes studio or project wide implementation of the validation function far easier. The UE RPC Validation functionality now means writing your validation and enforcing the coding standard of it is far easier.These kinds of functions are not uncommon in backends and in Web APIs. If you had an API architecture, you'd see these validations constantly checking user input. It’s very common in regular software development but it never quite reached the same implementation in gaming. But we hope that might change with this new UE function!
We’d recommend that gaming companies take this coding style on board, as it offers a tremendous boost to security. Even if you have a small script that executes anytime someone commits a change to the code, checking whether there’s RPCs and respective validations in place, can be huge. This has the potential to be a simple automated process that changes the way security is handled.
How Approaching RPC Validation Makes Your Game More Secure
Below, we’ve included an example from the Unreal Engine documentation of an RPC that includes the “With Validation” keyword.
Within, you can see that this function is set to add a number of health points equal to an integer. There’s a simple check that ensures you cannot exceed your max health pool as per the game’s business logic. This is a great example of how simple the validation function works where it vastly increases security. During the early stages of hacking, you must try everything for holes in the defences. But thanks to RPC Validation, it will disconnect the user entirely if the validation returns false! Turning the effort of hacking into a seriously time-consuming task rather.
This also shows us how you can use validation to get you thinking about what the validation needs, it forces you to consider elements you might not have thought of previously.
We asked some of our security engineers and they initially thought it needed some validation of either an item, ability/spell, or vendor. If it’s a resource, the validation needs to check that they have enough of said resource. If it’s an item, do they have it in their inventory. And if it’s a vendor or a healer, are they located correctly and not in an invalid state for healing such as combat? This is just one example that shows how much more you consider thanks to UE RPC Validation!
If you’d like to employ our gold-standard security services for your game, get in touch today! Our online games penetration testing services will ensure your game is as secure as possible against all forms of hacking and malicious activity.