
After the CrowdStrike disaster, 3rd party kernel drivers need to be shunned for non-critical applications.

Games publishers have been bad actors in this space for a long time now. The Genshin Impact anticheat was used in a malware campaign. Rockstar was very misleading trying to imply their kernel driver not being compatible with the Steam Deck was Valve's fault.



Let's call them what they really are, rootkits.


That's exactly what I tell my friends.

I can't play certain games, because they don't run on Linux and even if they did, I am not gonna install a rootkit to run them.


Getting a Steam Deck has done wonders for my piece of mind. I don't need to worry if whatever games I'm installing are malicious, because the machine is airgapped from anything critical.


Same, but I am only using it for couch gaming


piece of mind? or peace of mind?

/nitpick ;-)


OP shares with others


Ultimately, this is why we have consoles. We can have rootkits, or we can have cheating. Nobody has solved cheat prevention without rootkits. If you can, you’d make millions, if not billions. It’s not like the game creators want to have software on your system that has the potential to brick your system.


The real solution is games designed for playing with friends and treat all non-friend players as potentially malicious.

Early first-person shooter games had this figured out (small servers with 20-30 regular players, the server admin could choose to ban you), RTS games have this figured out, many MMOs have this figured out (interact with non-friends sometimes, but they have to 'join your party', etc.)

Playing with random strangers on the internet who may want to grief/destroy your game, be incredibly toxic, or cheat against you in general.. that's the cost of playing with random people in a completely public forum.


But people largely want matchmaking. They don't want to deal with having to find a server of like-minded players, they want to hop in a lobby with maybe a few friends, pick a map pool, and go.


> Ultimately, this is why we have consoles.

Nah. Consoles were a decade late to the online gaming party, and online gaming on consoles (counting Xbox Live as the first concerted attempt) has only been around half as long as consoles as a product segment have existed.


Running games in a VM appliance or an immutable container type of environment could be neat. Or some kind of hardware device. Like a console on an expansion card that could enable a secure environment while still letting you use your hardware.


This is a false dichotomy. Genshin is single player. Some people play multiplayer only with friends. The only legit use for anti-cheat is competitive multiplayer with strangers.


By this logic wouldn't chess and go need to be played after cavity searches? Cheating is enabled by tech but based on what people decide to do.


Not sure if you're referencing it but there was a recent scandal where it was suspected someone playing against Magnus might have had a wireless butt plug to enable some cheating...

The sibling comment makes a point about anonymity, I find these discussions interesting in comparison with the only online competitive game I play these days. It's Tekken, and neither the current rendition nor the previous one had any real form of anti-cheat. For the current Tekken 8, supposedly some players have been banned after manual review from the company of replay data, which of course doesn't scale. But at the same time it doesn't really matter. Cheaters don't seem to be that prevalent, their ability to spoil the experience of a match is limited by the fact that matches are short, and people can spoil the experience in non-cheating ways like plugging, lag switching, using a weak computer, and for some sensitive players they'll get unreasonably upset by ki charging/teabagging/taunting/continuing an attack after KO. The status of the highest rank is also not that much -- the most status comes from performing well at the big in-person tournaments, where it's going to be harder to cheat and players are somewhat de-anonymized. If the positive incentives to cheat are minimized in the first place, you don't need so many negative incentives like rootkits.

(It always amazes me how custom controllers and even keyboards are allowed in fighting game tournaments, officially certain macros are banned and at least for Street Fighter certain modes of leverless controllers got banned, but it'd be hard to perfectly enforce. And it's been hilarious to see the increasing use of fake buttons or controller-hiding covers/jackets because it was assumed some players were able to see inputs out of their peripheral vision before they were registered in-game and adjust.)


Chess and go aren't anonymous at levels people care about, and they don't have game publishers and creators expecting a return on investment.


Hmm, here’s a thought I’ve never had (but might be obvious to others).

Could I run windows as a VM guest under Linux and play Fortnite in that (with good GPU performance)? I don’t mind their rootkit running on some dedicated VM - I’ll just consider it my Fortnite unikernel.

(I’m also ok with the host OS being Windows or MacOS).


The anti-cheat will be very unhappy when it performs a bunch of arcane heuristics and determines it’s running in a VM.


Why would that matter? Pretty sure running in a VM doesn't facilitate cheating.


Running a VM gives the parent the ability to read/write arbitrary memory without [even rootkit] anticheat being able to detect, which can facilitate cheating, and therefore can earn you bans. The whole point of the rootkit is that the game can confirm that you don’t have any way to read/write arbitrary memory.


Isn't Windows running under a hyper-v hypervisor these days anyway?

In practice, I'd settle for a peer Windows OS, like the WSL2 kernel, with the rootkit separate from my main work one. Can I run two copies of Windows simultaneously as peers?


Yes. https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF

You basically let your guest OS use your GPU instead of the host.


And yet you install drivers on Linux without knowing it; I mean, Linux has 0 security for drivers.


When was the last time you had to install a Linux driver from out of tree?


Most people do install Nvidia’s out‐of‐tree graphics driver. It is definitely a risk.


If you've already put a piece of hardware into your computer made by nvidia, installing a kernel driver also made by nvidia does not increase your risk at all.

Installing some random anti-cheat kernel driver is not the same thing, at all.


But you are not installing a random anti-cheat kernel driver, you're installing anti-cheat kernel driver provided by a game you've already put on your computer. It's very much the same thing.


User space is not the same as kernel space.

User space applications can't access hardware or physical memory. They can't bypass permissions enforced by the OS. None of that applies to hardware or kernel drivers.


I've always appreciated the forthrightness League of Legends deployed here (talking about introducing a kernel driver for anti-cheat: https://www.leagueoflegends.com/en-au/news/dev/dev-null-anti...):

> This isn’t giving us any surveillance capability we didn’t already have. If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure).


Where did I say they are the same? We have a kernel-space thing (anti-cheat or GPU driver) and a user-space thing (a game actually talks to both) that talks to a kernel-space thing.


I understood that you were making an analogy between installing a piece of hardware and its associated kernel driver with installing a game and its associated kernel anticheat.

When you install a hardware device you are trusting the manufacturer with full access to your machine, so installing a driver does not give them any more powers. You have already "unlocked the door".

When you install a game that runs on user space you are not trusting the vendor nearly as much as you are trusting a hardware manufacturer. Installing a kernel anti cheat is granting them a level of trust and access to your machine that they didn't have before.


> When you install a game that runs on user space you are not trusting the vendor nearly as much as you are trusting a hardware manufacturer.

I'm not sure where this trust comes from. I absolutely do not trust any hardware vendor. I just have no choice here.


> Most people do install Nvidia’s out‐of‐tree graphics driver

Most people that use Nvidia. I specifically don't buy Nvidia graphics cards or laptops that use them in my Linux computers because they're not in-tree.


I haven't used Nvidia since 2011. My last Nvidia device was bought in 2007.

Back then I migrated to Archlinux and in all these years I only had problems with nvidia. Since then they are dead to me :)


A few things to consider here:

- This is an abnormal case. Most hardware will work with in-tree drivers. Indeed, few vendors provide out-of-tree drivers for Linux.

- Nvidia is an established and reputable source. We aren't talking about some small hardware developer who doesn't have the resources to create secure drivers.

- Most Nvidia cards have in-tree drivers. There is a loss in performance, but the option usually exists.


Those who do, choose to do so and generally take responsibility for their actions. It's not the same as tainting a kernel and just winging it.


It's a risk, but a very minor additional one - if you trust their hardware with direct access to your PCIe bus, you have already given them the metaphorical keys to the vault.


Approximately no one with a Steam Deck installs Nvidia's out of tree graphics driver (because the Steam Deck is built on AMD).


You gotta think about surface area and risk when comparing apples to oranges here.


This, so much this. Also often spyware.


First party malware.


And in the case of Vanguard, a bootkit.


Can't wait to find out what China hid in Riot's Vanguard rootkit for all their games. It's 100% a conspiracy theory, but nobody can convince me it's perfectly clean, or if it is, that there isn't an easy way to add some power to it quietly.


China's national security assistance law came up in the TikTok hearings. There's no reason to believe that the CCP doesn't have the legal authority to compel Riot to push an update with a backdoor to a few select high value targets.


Companies rule the United States. Companies that do business in China are ruled by China. Therefore, the United States is ruled by China.


The same line of thinking leads me to conclude that the world is ruled by the United States.

Can we stop with the nationalistic hyperbole already, and discuss acute issues, instead of vague fingerwaving at the foreign boogieman?


I wasn't being serious.

Sorry to offend your motherland. You deserve all the social credit coming to you.


If it is written in C you can always introduce a buffer overflow or something similar by just adding a little bit of line noise here or there and nobody can prove it was deliberate.


It's closed source and the assembly is obfuscated. You don't even need to bother with plausible deniability.


Surely the NSA has tools, people, resources etc to figure that out?


Dedicated to reverse engineering every update to vanguard? Huge waste of effort. They would probably just steal the source code.


The NSA just needs a call to Riot headquarters to ensure their rootkit is also included.


The vanguard drivers are signed by Microsoft, the procedure for which includes a safety audit by Microsoft.

The driver is just what the developers say it is (as with all other anti-cheat). It provides an untampered interface for the userland anti-cheat to use to get info from the kernel, because modern cheats tend to alter the output of kernel syscalls by running in the kernel themselves.

I really don't see why anyone needs to think it's anything more than that.

If Tencent needed to spy on you so badly there's no reason kernel anti-cheats need anything to do with it...


It says something about Microsoft when they OK a known harmful bootkit that expects your computer to act like an XBox with a fancy keyboard (but not too fancy), requests invasive changes to UEFI that have broken systems, and have an overall opacity that rivals an Arthur C. Clarke Monolith.


Drivers are generally not audited by Microsoft to be signed; you only need to register your EV cert to get them signed. Cheat developers have registered their own/gotten their hands on EV certificates to create kernel driver cheats. Anti-cheat like BattlEye also downloads anti-cheat modules at runtime to obfuscate what they do.


MS usually doesn't bother with driver audits... They mostly rely on the EV certificate to check that the driver dev is a proper legal entity.

If they audited properly, they should not have let the Asus AuraSync driver get certified in the first place (it basically opens the PORT instruction to every userland app, unrestricted).


>The vanguard drivers are signed by Microsoft, the procedure for which includes a safety audit by Microsoft.

Did the crowdstrike driver get the same audit?


The level of sophistication that can go into a hack when sponsored by a nation-state is incredible. Just remember Stuxnet all the way back in '06 or whatever it was. Tech was a lot less advanced nearly two decades ago. It's not right, imo, to leave your safety up to this process.


EAC and other kernel-level anticheat software will dynamically load and execute signed payloads at runtime. Does Vanguard do this? If so, does Microsoft check these payloads?


> EAC and other kernel-level anticheat software will dynamically load and execute signed payloads at runtime

Are you sure about that?


100%


If I wanted to deploy a trojan horse then the last place I would try to hide it is in an anti-cheat driver that will without any doubt be exhaustively analysed by people attempting to bypass it.


Gamers are great targets. They'll disable security for higher polling rates. Not discerning, gladly walk to the slaughterhouse.


There's a ton of gamers that like to figure out how the game itself works. There's a ton of them trying to figure out how anti cheats work, sometimes to cheat, but more often because they're curious, resourceful teenagers taking it as a challenge.


Oh, I know. That's how my career was started. I made invitational in CS: Source (CAL) and then sold cheats to pay for college. My first Real Job was through a teammate.

Far more would have accepted a RAT and been deprived money than expressed genuine interest. Some did... not many. Most wanted the acclaim without the effort.


But also there's parties there with a big interest in circumventing these securities, and have done so for decades. The new release of RDR for PC (shamefully asking $50 for a 14 year old game) was cracked within days, if not earlier, of its release.


Ah, yes, for most of us, getting our computer pwned is just like being murdered.


l o l

Fine, they'll gladly eat shit


How much shit, and how does it compare to the risk profile of, say, not wearing a five-point seat belt and motorcycle helmet while driving, or a bulletproof vest when going to school, or an N95 mask literally everywhere?

Security theorists are always ready to tell us about the horrifying risks of installing kernel-level code from a vendor, but can they actually quantify the likelihood times damage those billions of installations have inflicted on Joe Random's life?

And contrast them to other risks that we regularly take in the name of comfort and convenience?


Funny that you initially used "Joe Ransom" as your example name (before your edit), as that describes one of the possible situations our friend Joe can end up in: malware that encrypts all his data and asks for a ransom to get it back.


It's possible. Roughly how likely is that to happen to him from installing a game with EAC? Are there a lot of documented cases of this?

Is it more or less likely than them dying from the 'Rona because they didn't wear an N95 24/7?


I'm not really that interested in chasing this, but a point I do want to make: it isn't just risk.

If you want to participate in a lot of these multiplayer games that place cheating far too highly, you can't use a hypervisor. You must have a gaming device and a computing device. They cannot be the same.

That's fine for most, but I consider it shit. VFIO makes it possible for a big computer to make a smaller gaming one. Ask me how I know.

My greater point is I don't care if I get cheated out of a finals match. I can actually speak from experience. I prefer autonomy over my devices. I kind of want to eat poop with them. A little.


State sponsored actors only target a few people and they only send the backdoored version to their target list.


Ah yes, that’s why stuxnet wasn’t a big deal


What do you mean? They burned several high value 0days on a high value target. Why wouldn't China burn a high value backdoor on a target they deem valuable enough.


I mean, they're not rootkits. Rootkits are either to gain root access (thus the name) or to hide something from a user. Anticheats don't do either of these.

They expose a kernel API to allow games to verify the state of the system, and they're knowingly installed by the user.


> They expose a kernel API to allow games to verify the state of the system

And that API has root access... thus it's a rootkit.


The API doesn't provide root access, it's typically a simple "is this game running in a secure environment" read API.

I really hate "it's a rootkit!" posts like this because it diminishes the severity of actual rootkits.


Can you please clarify how an API which runs in the kernel does not have root access? Because I don't believe that's possible, but perhaps I'm wrong.


The API itself has root access, but does not give user space root access, is what I think the commenter is trying to say.


That's the promise of eBPF.


I'm already counting down the days for eBPF to blow up in our face. But admittedly, it's the cheapest way of gaining more capabilities and privileges than you need, thus it's here to stay.


How do you think it is able to tell if the game is "running in a secure environment" without having root access itself?


The thing is the Kernel does not have that API.

The real solution, and not the hack Riot uses, is for the kernel to provide an API for anticheats, like it does for everything in userland.


That's not really possible as long as the kernel allows the loading of arbitrary user-provided modules. Because the cheater will certainly run the cheat that requires kernel mode. If it's run in kernel mode, the API call can be intercepted.

How does the anticheat then work? Corewars. It's a cat and mouse game between the cheat provider and the game developer.

One would need a secure base layer, where also the MS anti-cheat lives, and all drivers can only run in a layer between this base layer and userland. I think that's already done for most of the graphics stack.

On the other hand, I am not convinced I want a system where I cannot load arbitrary kernel mode code if I choose to do so.
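Windows already ships a layer of the shape described in the comment above: with virtualization-based security (VBS) the hypervisor sits beneath the kernel, and when hypervisor-protected code integrity (HVCI) is on it is that layer, not the kernel, that decides which kernel-mode pages may execute, so drivers run above it rather than as its peers. The following PowerShell check is an added example written for this page, not code from the thread or from Microsoft; it reports whether that layer is configured and running on a host. It assumes Windows 10 or 11, and the meaning of the integer codes it decodes is taken from the Win32_DeviceGuard class as I know it, so treat those mappings as an assumption to confirm against the current documentation.

```powershell
# Added example (not from the thread): report whether the hypervisor-backed layer below
# the Windows kernel (VBS, and HVCI on top of it) is configured and running on this host.
# Assumes Windows 10/11; the code meanings below are taken from Win32_DeviceGuard.

function Get-VbsState {
    # Win32_DeviceGuard lives in its own WMI namespace and exposes the VBS state as integer codes.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }

    # SecurityServicesRunning lists what the hypervisor layer is actually enforcing right now:
    # 1 = Credential Guard, 2 = hypervisor-protected code integrity (HVCI, "memory integrity").
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)

    [PSCustomObject]@{
        VbsStatus              = $vbs
        HvciRunning            = ($running -contains 2)
        CredentialGuardRunning = ($running -contains 1)
        # A service that is configured but not running usually means a reboot is pending
        # or a firmware/virtualization prerequisite (UEFI, SLAT, IOMMU) is missing.
        ServicesConfigured     = ($configured -join ',')
        ServicesRunning        = ($running -join ',')
    }
}

Get-VbsState | Format-List
```

If `HvciRunning` is `False`, every signed driver on the box, anti-cheat included, runs as a peer of the kernel with nothing beneath it to constrain what it maps as executable; with it `True`, the hypervisor layer is at least enforcing code-integrity rules on kernel pages, which is the closest thing current Windows has to the "secure base layer" the comment asks for.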


Windows only loads arbitrary modules if you enable some debug mode no? If not they need to be signed. But not a big hoop for cheat developers, they can get an EV cert to sign their own cheat kernel module or abuse a vulnerable kernel module.
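The comments on driver signing (Microsoft signing whatever is submitted with a registered EV certificate, and cheats or vulnerable modules that are themselves validly signed) raise a practical question worth answering on your own machine: which kernel drivers are loaded right now, and who actually signed each one? The PowerShell below is an added example written for this page, not code from the thread or from any vendor. It assumes a Windows host with PowerShell 5.1 or later and read access to the driver files, and its three signer classes (Microsoft's own Windows certificate, the "Windows Hardware Compatibility Publisher" certificate Microsoft uses to sign third-party submissions, and everything else) are a heuristic on the certificate subject name that I am assuming here, not an official category.

```powershell
# Added example (not from the thread): list running kernel drivers and classify each by signer.
# Assumes Windows, PowerShell 5.1+, and read access to the driver files.

function Get-LoadedDriverSigners {
    # Win32_SystemDriver covers kernel-mode driver services; 'Running' means the image is loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Service paths are often NT-style (\??\C:\..., \SystemRoot\..., System32\...); map to Win32 paths.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Checks the embedded Authenticode signature or, for inbox drivers, the catalog signature.
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Heuristic classification by signer subject (an assumption of this example, not an official label):
        #   Inbox      - Microsoft's own Windows code-signing certificate
        #   Attested   - third-party driver signed by Microsoft's hardware-compatibility publisher cert
        #   ThirdParty - the vendor's own certificate, or no valid signature at all
        $class = switch -Regex ($subject) {
            '^CN=Microsoft Windows,'                             { 'Inbox';    break }
            'Microsoft Windows Hardware Compatibility Publisher' { 'Attested'; break }
            default                                              { 'ThirdParty' }
        }

        [PSCustomObject]@{
            Name   = $d.Name
            Class  = $class
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $subject
            Path   = $path
        }
    }
}

# Anything not carrying Microsoft's own Windows certificate is ring-0 code from someone else:
# attested vendor drivers (GPU, anti-cheat, RGB tools) plus anything unsigned or self-signed.
Get-LoadedDriverSigners |
    Where-Object { $_.Class -ne 'Inbox' -or $_.Status -ne 'Valid' } |
    Sort-Object Class, Signer |
    Format-Table Name, Class, Status, Signer -AutoSize
```

The `Attested` class is the interesting one for this thread: a driver in it is "signed by Microsoft" in the Authenticode sense, but that signature only says the file came through Microsoft's submission portal from a registered publisher, which is exactly the distinction the comments above draw between signing and auditing. Run this before and after installing a game with kernel anti-cheat and diff the two lists to see what actually landed in ring 0.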


> They expose a kernel API to allow games to verify the state of the system, and they're knowingly installed by the user.

Can you give examples of games where you do that?


Riot Games uses theirs (Vanguard) to improve detection of cheating software. Basically the idea is that by being on from the moment the computer is booted up it can validate the environment better.

Here's a recent blog post by Riot detailing their recent deployment of the system for League of Legends, the biggest online multiplayer game in the world:

https://www.leagueoflegends.com/en-gb/news/dev/dev-vanguard-...

Towards the end it talks about how and why it works.


> The genshin impact anticheat was used in a malware campaign. Rockstar was very misleading trying to imply their kernel driver not being compatible with the steam deck was valves fault.

I mean, nothing of this is new. ESEA, one of the most influential esports leagues, was caught using its anticheat to mine Bitcoin in 2013. [1] This is long out of control, probably since the days BattlEye switched to ring0 in 2012 due to chronic cheating in the DayZ mod, or maybe earlier. Modern anticheats are full-fledged rootkits with extremely complex and targeted payloads siphoning customer data and hijacking all sorts of stuff, and that's not a theory, they actively abuse players' trust and indifference.

If you care about your data and the control of your devices, you should probably avoid them entirely, or at least use them on dedicated gaming PCs on a clean identity, and keep them separate from your LAN and your non-gaming digital life.

[1] https://play.esea.net/forums/492102


People really need to find a better word than 'rootkit' to describe software that users willingly and intentionally give root access.


I think it's fair to say that a lot of users have no idea they're doing so, hence why changes like the one in TFA are necessary to encourage transparency around these practices


I've run the installer for Valorant. I don't remember it telling me it was going to go run code in ring 0. And I would likely have ended the install there if they listed any of the downsides.

For most gamers you'd have to invoke CrowdStrike to explain what's happening. They play games, not study CS.


I agree, we need something that emphasizes that it executes undesired functions. "Trojan horse" would fit better but it's associated with computer virii now. I think I would call it something like "Traitor software".. it generally does the functions you installed it for and pretends to be normal software but then when you aren't looking it betrays you later.


It's quite literally kit running as root...


It's quite literally not. Root is technically a user with extra rights (including modifying the kernel, but there is still an API the root user has to go through). This is running as part of the kernel. It's not running in userland "as root".

A rootkit is something that gives other users the power of root.


That's taking it too far. By that logic, rootkits can't exist for Windows because the super user is called "Administrator", not "root".


CrowdStrike isn't even the worst case. The SolarWinds disaster is the worst case scenario.

You have a closed source rootkit designed for finding data in raw memory (like passwords from an unlocked password manager), loaded into many gamers' machines, which many software engineers are. Some anti cheat explicitly supports arbitrary remote code execution by design. Many people mix their personal password vaults with their company's, which means that if you successfully hack an anticheat company and you can read the raw memory of an opened password manager with a program that is already designed to scan all processes' memory, you now potentially have extremely valuable credentials. A small portion will even do things like add their 2FA keys into their vaults.

Here is Gabe Newell's thoughts on AntiCheat that are very relevant to this thread: https://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_an...

Of course the other problem is the 23andMe problem and enshitification. Even if the data uploaded by anti-cheat isn't used right now, the storage of data alone creates incentive for abuse.


Something slightly related happened recently. A bit of malware that was distributed as a mod for BeamNG was installed by a high up Disney employee, who was also logged in to some internal work stuff. The hackers were able to leak huge amounts of company data.


I just want to spam skill shots with ranged heroes on ARAM 1-2 times a week. No way I am running Vanguard for that!!!!


Cheats and bots are ruining online games though.


Back when communities hosted servers instead of companies, it seemed less common, even though it was easier to do.


Back then you could just quit the server/match if somebody was obviously cheating (or they got banned).

With competitive matchmaking cheaters can hold players hostage until the end of the match, as leaving incurs penalties and cooldowns that temporarily ban you from playing.


There are also cheaters on old games (Modern Warfare II (2009)) that will inject code into your client to disable the quit menu, so you have to dashboard. I can't imagine what psyche someone must have to not only cheat, but force people to play against them.


Because those were community servers often built around community. There weren't a lot of them either.

If admins allow cheating - people that want to play would leave the server

If you live in a non-metro area, you probably have a handful of servers your latency allows you to play on; getting banned would be a big suck.

Now you just click "play game" and you get matched with some strangers you might never play ever again with. Financially, those privately hosted servers no longer make economical sense for game publishers.


Because games were less common. If you look at community hosted servers now they commonly have more anti cheat, not less. Counterstrike with FaceIT and ESEA. Even FiveM for GTA V rolled out a custom anti cheat before it was added to the official game.


That was not my personal experience. CS and Warcraft 3 community lobbies featured rampant cheating. Way more than CS:GO and Dota 2.


Life was a bit simpler then. At that point in time the leaders also did not get millions for their wins.


And Kernel level anti-cheat isn't stopping them.


Perhaps, but it's far better to have cheaters and bots than to have games require a rootkit to play them.


I think that's a matter of opinion.

Personally I find both unacceptable: I won't play a game that requires me to install a rootkit, and I won't play a game where cheaters and bots run rampant, ruining the fun for everyone.

So hopefully there's a solution to this that doesn't require a rootkit.


You definitely don't play games, this is one of the reasons why people stop playing games.


I do play games, a lot. I even play multiplayer games. So, you're wrong.


Which ones?


Well no, because they ruin the online experience making people not play the game.

(in theory, GTA online has had / still has huge problems with bots and cheats but still earns the publisher hundreds of millions a year)


They have problems because they're cheap and don't want to pay to host servers. They don't want to let people host their own authoritative server either because of the $billions in fake money.


I understand that cheaters suck. I'm saying that in this case, the cure (kernel access) is worse than the disease.


This is why I preferred console gaming. You never encountered cheaters until very late in the console's generation. Crossplay ruined that.


Yeah life sucks when everything and everyone has to be untrusted (applies not just video games).

The solution is to build trusted spaces again IMO.

For video games assume that each user is trusted by default. As soon as they violate that trust by cheating, they are banned permanently for that copy of the game. If they want to be trusted again they have to buy another copy of the game to get another license. Make it hard to become a member of a trusted community and easy to be kicked out of a trusted community for violating trust. This would eliminate the vast majority of cheating and bots because most gamers are kids and having to buy a fresh copy will hit hard. If they abuse it enough, make them jump through more hoops like ip bans and computer fingerprint bans.


This is a naive take. Of course these developers already permaban cheaters. Firstly many of these games are free to play so "getting another license" is a non issue. They're doing hardware bans nowadays which are harder to avoid but not impossible.

Half the battle is detection though. If you don't detect cheaters quick enough they ruin enough games that genuine players start getting frustrated and leave. Anti cheats help with this detection.

Probably every anti cheat idea you can think of, in terms of detection, prevention and punishment, has probably already been tried by a large online multiplayer game. It is an extremely difficult problem to solve, a constant arms race.


It's not possible to completely solve this problem with technology.

High level chess players (GMs) can win with just a few bits of information transmitted to them by a cheating accomplice (a cough if it's a critical position to spend extra time on, etc). Similarly, high level gamers only need the slightest of edges to win, and therefore only need the slightest of cheating.

That's why I think trusted user bases are the way to go. My initial ideas were naive, but I think the core idea is solid. If you had to pay $1000 to enter a "trusted club" which uses your hardware fingerprint, and all of your online interactions in a game were guaranteed to be with other people who paid $1000 to be in the club, would that not be a large deterrent to cheating?


That's just elitist though isn't it? These games are enjoyed by players from all over the world, including massive numbers of players in countries with far less average disposable income. It's common in many countries to go to an internet cafe to play these games as they don't even own their own hardware.

It would also massively reduce the number of players. Competitive multiplayer games rely on large active playerbases for fast and fair matchmaking. That's why free to play has become the dominant model for these games. If you have to pay $1000 to play one of these games, they have no chance vs. the competition.

Obviously you can't completely solve this problem, but you can minimize it as much as possible.

Also these sorts of "trusted clubs" do exist for certain games (e.g. FaceIt for CounterStrike) but ultimately it still just relies on anti-cheat to establish that trust.


Money is just one way of establishing "trust clubs". Time is another. For free-to-play games, you could make it so that users are peered with other users who have put in the same amount of time into the system. So if you've gone a whole year without being flagged for cheating in the system, you'll be paired up with other users who have also gone years without being flagged.

If you create a new account, you'll be peered with other new accounts (low trust). Still possible to cheat, but the cost is very high (years of effort to get accepted in the best trust clubs)


CSGO used to have that, more or less. You could play for free but then you were not in the "prime" matchmaking pool. Only by paying, something like 13€, and registering your phone number, which could only be registered once, would you get prime matchmaking. I thought it made quite a bit of sense but I think they scrapped the system in CS2.


It's going on a tangent, but one naive take which continues to amuse me when it comes up is community/third party servers and policing of cheating. As though delegating that responsibility is the goal or that it would scale to handle the size of modern playerbases including the ratio of admins to players to be able to monitor and respond to (alleged) cheaters


With community servers an admin only has to police their server, which is a fixed number. More players, more servers, more admins.


But as gaming has grown and become more mainstream, the ratio of enthusiasts who are willing to admin to casual players who don't has changed. Server sizes have changed over time with smaller games like 5v5 becoming way more common.


Just put a password on the server then.


False positives would very much hurt in that model. But returning to a small multiplayer experience with chosen friends would work: the in/out decision is local and personal.

It’s only a problem when you game with strangers.


Talking just about games, this really doesn't work with free games. Even if there is a lengthy 'lockout' period from the real game, many games have rampant and cheap accounts for sale and doing so will make the game experience worse.


What decides critical or non-critical?

One could argue that a game isn't critical but one could say it's critical to stop hackers.

If you were to take the stance that gaming isn't critical, then with that logic you're claiming multiplayer hacking is a feature of the game.

Doesn't do well for the community or the company. But nor do the rootkits do good for the consumer.


If they worked to any acceptable level of efficacy then they could be tolerated. They're only tolerated by people who think they work as well as they claim to work (security theater), but anyone who knows about the performance impacts and/or is tech-savvy enough to understand it is a rootkit and potential exploit (that would fully pwn your device) hates them.

Some cheats are getting rather sophisticated now. There's an ever-increasing number of Pi-devices where the cheating is done externally.

https://www.youtube.com/watch?v=QpvwjC1_Luo

https://www.youtube.com/watch?v=revk5r5vqxA


That's child's play. The vogue is PCIe devices that sniff draw calls, memory transfers and network activity on the bus.


They're also chosen by users when the game is filled with cheaters. Counter-Strike 2 is an example of this, with players moving to FaceIT and ESEA (with kernel anti-cheat) as the higher ranks of official competitive matchmaking are filled with cheaters.


FaceIT works better than normal matchmaking, but I am not sure it is because it is a kernel-level anticheat.

FaceIT only sells one thing, matchmaking, so they have people manually reviewing games. A thing that Valve will never do.


Performance impact is overblown; it was proven that the loss of perf is marginal when implemented properly.


Proven by who and what proof? Because Denuvo is the only one outspoken about how it doesn't impact performance despite all evidence to the contrary, and they provide no evidence of their own beyond claiming it doesn't. Then saying they'll prove it doesn't and then backing out of proving it.

https://www.resetera.com/threads/irdeto-backtracks-on-plans-...


DRM and anti-cheat aren't the same though. That link is talking about denuvo DRM, not denuvo anti-cheat. Also, just because one implementation impacts performance doesn't mean they all have to.


I'll believe it when Irdeto manages to provide any evidence amounting to more than "Just believe us".

Both the anti-tamper and anti-cheat affect performance and it's incredibly noticeable to anyone who isn't building a new bleeding-edge hardware PC every year or two.


What is the name of the tool that he is using on the 2nd link you shared? You know for science.


It hasn't stopped hackers though.


To be fair it stopped hackers for a while. Many people said Valorant did not have cheaters.

But nowadays the Valorant community complains about hackers almost as much as the CS community.


It's because nowadays cheats run on a secondary machine, often a Pi, so rootkits have less impact.


At least they need to search more than the first cheat option on Google.


Critical as in "my gpu is a paperweight without a driver".


GPU driver can technically be userland too.

Look at what Apple has done in recent years. kexts (kernel-level drivers) are basically all but unsupported today, and both DriverKit and IOKit are fully userland.


Performance critical drivers are always going to be kernel mode.


> one could say it's critical to stop hackers.

It's never critical to stop hackers in a videogame IMO. We need to stop being so damn serious about gaming.


I think you're framing this the wrong way.

Is it fun to be a non-cheater, and join a multi-player game where there are other players using software cheats that let them easily beat you every single time?

I'm pretty sure I would quickly stop playing that game, and demand the publisher refund my money. That's just not fun.

And that's just as a casual gamer. For people who compete and win prizes, endorsements, etc., the stakes are a bit higher.

I'm not saying kernel-level rootkits installed on everyone's machine is the answer, but letting people cheat isn't going to work either.


Community-run and moderated servers easily fixed this issue decades ago. Maybe video games should be fun centers of community again instead of maximally isolating and atomizing skinner boxes designed to make children addicted to endlessly practicing and competing at worthless skills so the sunk cost keeps them buying loot boxes


Rampant cheating will wreck competitive multiplayer games fast, so there are perspectives from which this is critical.

(I’d still lean towards expecting game houses to find another way, kernel drivers are still client side trust mechanisms).


Well, the problem is eventual consistency, and these games have a hell of a time consolidating properly.

One user is on a connection with 10ms latency, the other user is on 50 ms latency. Now, if first user does something, and second user can either do something to evade or can do something that actually prevents the first user from acting, how do you consolidate that?

The actual timestamp of when exactly what happened helps immensely, but you have to trust the timestamp. And how can you know that is not manipulated?

But... that's just the surface. Consider: one client uses a rendering that takes 25ms longer to show up and another client does not render textures/shadows etc. That client is faster and the sender can even send "official" response times, but would still give an advantage.

So, I am not sure this can be solved serverside. But... I don't play these games anymore and would never opt for a rootkit to be installed just so I can play. I can imagine plenty of people, though, who would.


Remember that you don't need perfection: you need people to believe that they're likely enough to get caught that they don't want to use a pre-canned cheat, and you need just enough cheat detection mechanisms to make it hard for people to make new cheats. Not all of that has to be technological: you can spread rumours that your cheater ban waves are bigger than they actually are, for example, and that'll keep more people from even trying in the first place.

You don't have to trust the timestamp - and you shouldn't. You can use a bunch of methods to go from untrusted to grudgingly accepted: requiring monotonicity means cheating clients have to be permanently slower rather than selectively slower. Having tolerances for out of order packet rates or accepted deltas before discarding player actions will have some false positives for players on terrible networks, but will also reduce the impact of any possible timestamp-related cheats.

It can't be fully solved server side, not without sacrificing acceptable performance. I reckon it can probably be dealt with enough on server side to keep cheating to a tolerably low level. It's probably cheaper to just license a windows rootkit though.
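The timestamp handling the two comments above argue about (monotonic client clocks, a tolerance window before discarding actions, and accepting some false positives on bad networks), as an added example that is not code from the thread. The offset, tolerance and reject-rate thresholds are constructed values for illustration.

```python
"""Server-side checks on client-reported action timestamps (added example).

Implements the ideas from the comment above: require monotonic client
timestamps, accept only actions whose claimed time fits a tolerance window
around the server's own receipt clock, and track a per-client reject rate so
a noisy network is not flagged on a single late packet. All thresholds are
constructed for illustration, not taken from any real anti-cheat.
"""
from dataclasses import dataclass


@dataclass
class ClientClock:
    offset_ms: int          # server_recv - client_ts measured at handshake (includes one-way latency)
    last_client_ts: int = -1
    accepted: int = 0
    rejected: int = 0


def validate_action(clock: ClientClock, client_ts: int, server_recv_ms: int,
                    tolerance_ms: int = 80) -> tuple[bool, str]:
    """Decide whether to apply an action. Reason is 'ok', 'non-monotonic', 'back-dated' or 'future'."""
    # Rule 1: a client clock must never go backwards. A client that claims an
    # earlier time for one action is then stuck being early for every later one.
    if client_ts <= clock.last_client_ts:
        clock.rejected += 1
        return False, "non-monotonic"
    clock.last_client_ts = client_ts
    # Rule 2: the claimed time must land inside a window around when the server
    # actually received the packet, corrected by the handshake offset.
    delta = server_recv_ms - (client_ts + clock.offset_ms)
    if delta > tolerance_ms:          # claims to have happened earlier than plausible
        clock.rejected += 1
        return False, "back-dated"
    if delta < -tolerance_ms:         # claims a time the client cannot have reached yet
        clock.rejected += 1
        return False, "future"
    clock.accepted += 1
    return True, "ok"


def reject_rate(clock: ClientClock) -> float:
    total = clock.accepted + clock.rejected
    return clock.rejected / total if total else 0.0


def process_stream(actions, offset_ms=50, tolerance_ms=80, min_actions=5, max_rate=0.3):
    """actions: iterable of (client_ts, server_recv_ms). Returns (verdicts, flagged)."""
    clock = ClientClock(offset_ms=offset_ms)
    verdicts = [validate_action(clock, ts, rx, tolerance_ms) for ts, rx in actions]
    total = clock.accepted + clock.rejected
    flagged = total >= min_actions and reject_rate(clock) > max_rate   # rate, not a single miss
    return verdicts, flagged


# Constructed sample streams (client_ts, server_recv_ms): one honest, one manipulated.
HONEST = [(1000, 1050), (1100, 1155), (1200, 1245), (1300, 1360), (1400, 1445)]
SUSPECT = [(1000, 1050), (1100, 1160), (1050, 1200), (1200, 1400), (1500, 1400), (1600, 1650)]
```

A single rejected action only discards that action; the client is flagged only once its reject rate over several actions exceeds the threshold.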


You might be able to match-make between clients with similar latency and then "enforce" that latency server side by delaying things that "happen faster" than the previously measured latency.


No, this implies that actions are in response to something. This is not true. I can shoot my gun at any time, and even randomly. It does not depend on an opponent starting to move.


> (I’d still lean towards expecting game houses to find another way, kernel drivers are still client side trust mechanisms).

Well, this problem simply can't be solved server-side only. Client-side can't be validated without rootkit (and even then it's not enough, but enough to deter majority of cheaters).


If not having hackers were critical for a competitive videogame, CS and Dota 2 would be dead.


Keeping cheating to a low enough level that players don't quit in frustration (or never start playing due to bad press) is critical. Eliminating it entirely is not.

Valve added vote kicks to CS to help keep cheating (and other antisocial behaviours) under control - it seems pretty important to them.


I think the point is that competitive multiplayer games are not critical. Scripting in e.g. League of Legends probably doesn't register on 99% of humanity's "top 100 most critical things in my life" radar.


The LoL game development studio probably rates their game being a commercial success as a significantly critical thing.


For some people it's no. 1 priority in life. What's your point?


That was my point. We forgot we were gaming, probably due to all the money being thrown around.


No-one likes playing with a cheat in Uno, either, and the table stakes for Uno are pretty low.
