Discussion
How Kernel Anti-Cheats Work: A Deep Dive into Modern Game Protection
Retr0id: This got me wondering how easy it'd be to automate discovery of BYOVD vulns with LLMs (both offensively and defensively)
metalcrow: > TPM-based measured boot, combined with UEFI Secure Boot, can generate a cryptographically signed attestation ... This is not a complete solution (a sufficiently sophisticated attacker can potentially manipulate attestation)

I was not aware that attackers could potentially manipulate attestation! How could that be done? That would seemingly defeat the point of remote attestation.
gruez: The comms between the motherboard and the TPM chip isn't secured, so an attacker can just do a MITM attack and substitute in the correct values.
metalcrow: That's fair, although aren't most TPMs nowadays fTPMs? No interceptable communication that way.
eddythompson80: While I’m not really a gamer, I do think the conundrum of online games cheating is an interesting technical problem because I honestly can’t think of a “good” solution. The general simplistic answer from those who never had to design such a game or a system of “do everything on the server” is laughably bad.
abofh: I think it's somewhere between halting and turing - given infinite resources it's likely solvable, but lacking that it's just narrowing bounds
Retr0id: Until they require fTPMs, an attacker can just choose to use a regular TPM. A more sophisticated attacker could plausibly extract key material from the TPM itself via sidechannels, and sign their own attestations.
edoceo: Can a TPM be faked in a QEMU VM?
karmakaze: Do what Netflix did and run servers at ISPs (or at their providers or Cloudflare points). It's kind of weird that we still don't have distributed computing infrastructure. Maybe that will be another thing where agents can run near the data they're crunching on generic compute nodes.
hakkoru: I think from a purely technical viewpoint, cheaters will always have the advantage since they control the machine the game and anti-cheat is running on. Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.
akersten: > Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.

And even that's the (relatively) straightforward part. The hard part is doing this without injuring the kernel enough that the only sensible solution for the security conscious is a separate PC for gaming.
eddythompson80: I agree, but that’s precisely the interesting ‘technical’ problem. Like Bitcoin's “proof of work” in 2011 (it took me a few years to comprehend) was an eye-opening moment for me. While I do believe that it firmly failed to achieve its lofty goals, the idea of “proof of work” was a really captivating and interesting technical idea. Can a video game client have a similar zero-trust proof of its authenticity? I personally can’t think of one. I can’t think of a way to have remote random agents (authenticated or not) prove they are not cheating in a “game”, and like you, I suspect it’s not really possible. But what does that mean?

I grew up with Star Trek and Star Wars wondering what “I’ll transfer 20 units to you” meant. Bitcoin was an eye opener in the idea of “maybe this is possible” to me. But it shortly became true to me that it’s not the case. There is no way still for random agents to prove they are not malicious. It’s easier in a network within the confines of the Bitcoin network. But maybe I’m not smart enough to come up with a more generalized concept. After all, I was one of the people who read the initial Bitcoin white paper on HN and didn’t understand it back then and dismissed it.
Retr0id: What does that have to do with solving the problem?
matheusmoreira: Never forget the risks of trusting game companies with this sort of access to your machine.

https://www.vice.com/en/article/fs-labs-flight-simulator-pas...

Company decides to "catch pirates" as though it was police. Ships a browser stealer to consumers and exfiltrates data via unencrypted channels.

https://old.reddit.com/r/Asmongold/comments/1cibw9r/valorant...
https://www.unknowncheats.me/forum/anti-cheat-bypass/634974-...

Covertly screenshots your screen and sends the image to their servers.

https://www.theregister.com/2016/09/23/capcom_street_fighter...
https://twitter.com/TheWack0lian/status/779397840762245124
https://fuzzysecurity.com/tutorials/28.html
https://github.com/FuzzySecurity/Capcom-Rootkit

Yes, a literal privilege escalation as a service "anticheat" driver.

Trusting these companies is insane.

Every video game you install is untrusted proprietary software that assumes you are a potential cheater and criminal. They are pretty much guaranteed to act adversarially to you. Video games should be sandboxed and virtualized to the fullest possible extent so that they can access nothing on the real system and ideally not even be able to touch each other. We really don't need kernel level anticheat complaining about virtualization.
halayli: That doesn't sound accurate. The T in TPM stands for trust, the whole standard is about verifying and establishing trust between entities. The standard is designed with the assumption that anyone can bring in their scope and probe the ports. This is one of several reasons why the standard defines endorsement keys(EK).
kay_o: We don't allow games to run in virtual machines and require TPM. Check TPM EK signing up to an approved manufacturer. It is not "fake", a software TPM is a real TPM but not accepted/approved by anticheat due to inability to prove its provenance. (Disclosure: I am not on the team that works on Vanguard, I do not make these decisions, I personally would like to play on my Framework laptop)
invokestatic: Technically yes, but it would produce an untrusted remote attestation signature (quote). This is roughly equivalent to using TLS with a self-signed certificate — it’s not trusted by anyone else. TPMs have a signing key that’s endorsed by the TPM vendor’s CA.
carefree-bob: Yes! https://github.com/stefanberger/swtpm
istillcantcode: I could have sworn online gambling people fixed this years ago with just wifi. I thought I remembered reading a comment on here about the online gambling for kids no cheating people not talking to the online gambling for adults no cheating people.
matheusmoreira: See this for example: https://tee.fail/

Defeating remote attestation will be a key capability in the future. We should be able to fully own our computers without others being able to discriminate against us for it.
eddythompson80: Sorry to say this, but I don’t think you understand how any of this works. Whenever someone’s proposed “edge computing” as a way to solve trust problems, I know they are just stringing together fancy sounding words they don’t understand. What “Netflix did” was having a dead-simple static file serving appliance for ISPs to host with their Netflix auth on top. In their early days, Netflix had one of the simplest “auth” stories because they didn’t care.
Charon77: I remember there's a PCI device that's meant to be snooping and manipulating RAM directly by using DMA. Pretty much one computer runs the game and one computer runs the cheat. I think kernel anti cheats are just raising the bar while pretty much being too intrusive
bee_rider: Preventing cheating is hopeless.

Anyway, this isn’t the Olympics, a professional sport, or Chess. It’s more like pickup league. Preserving competitive purity should be a non-goal. Rather, aim for fun matches. Matchmaking usually tries to find similar skill level opponents anyway, so let cheaters cheat their way out of the wider population and they’ll stop being a problem.

Or, let players watch their killcams and tag their deaths. Camper, aimbot, etc etc. Then (for players that have a good sample size of matches) cluster players who use the same tactics together.

Treating games like serious business has sucked all the fun out of it.
theLiminator: The only good long term solution is ML on replays + moderately up to date client side (non kernel) AC (just good enough to deter cheaters).
invokestatic: Actually, it is completely true. The TPM threat model has historically focused on software-based threats and physical attacks against the TPM chip itself - crucially NOT the communications between the chip and the CPU. In the over 20 year history of discrete TPMs, they are largely completely vulnerable to interposer (MITM) attacks and only within the last few years is it being addressed by vendors. Endorsement keys don’t matter because the TPM still has to trust the PCR commands sent to it by the CPU. An interposer can replace tampered PCR values with trusted values and the TPM would have no idea.
invokestatic: The privacy points in general are valid, but what irritates me is using this rationale against kernel mode anti cheats specifically.You do not need kernel access to make spyware that takes screenshots. You do not need a privileged service to read the user’s browser history.You can do all of this, completely unprivileged on Windows. People always seem to conflate kernel access with privacy which is completely false. It would in fact be much harder to do any of these things from kernel mode.
Grimblewald: Kernel access is related to privacy though, and it's the most well documented abuse of such things. Kernel level access can help obfuscate the fact that it's happening. However, it is also useful for significantly worse, and given track records, must be assumed to be true. The problem is kernel level AC hasn't even solved the problem, so the entire thing is risky, unnecessary and unfit for purpose, making an entirely unnecessary risk to force onto unsuspecting users. The average user does not understand the risks and is not made aware of them either.
karmakaze: There's different levels of cheating. We can avoid the worst cases by not putting the game state in the users computer which basically makes it like an X Server.It would add a bit of latency, but it could be opt-in for those that care enough for all players in a match to take the hit.
eddythompson80: Unfortunately that has been proven to not work.

Matching based on skill works only as long as you have an abundance of players you can do that based on. When you have to account for geography, time of day, momentary availability, and skill level, you realize that you have fractured certain players far too much that it’s not fun for them anymore. Keep in mind that “cheaters” are also looking for matches that would maximize their cheats. Maybe it’s 8PM Pacific Time with tons of players there, but it’s 3 AM somewhere else with a much more limited number of players. Spoof your ping and location to be there and have fun sniping every player on the map. Sign up for new accounts on every play, who cares. Your fun as a cheater is to watch others lose their shit. You’re not building a character with history and reputation. You are sniping others while they are not realizing it. It may sound limited in scope and not worth the effort for you, but it’s millions of people out there that ruin the game for everyone.

Almost every game I know of lets players “watch their kill cam”, and cheaters have adapted. The sniped people have a bias to vote the sniper was cheating, and the snipers have a bias to vote otherwise. Lean one way or the other, and it’s another post on /r/gaming of how your game sucks.
matheusmoreira: There is no need for irritation. I condemn all sorts of anticheating software. As far as I'm concerned, if the player wants to cheat he's just exercising his god given rights as the owner of the machine. The computer is ours, we can damn well edit any of its memory if we really want to. Attempts to stop it from happening are unacceptable affronts to our freedom as users.

I single out kernel level anticheats because they are trying to defeat the very mitigations we're putting in place to deal with the exact problems you mentioned. Can't isolate games inside a fancy VFIO setup if you have kernel anticheat taking issue with your hypervisor.
Thaxll: All the games that use kernel anti cheat have the simulation running on the server.You can't make a competitive fps game with a dumb terminal, it can't work because the latency is too high so that's why you have to run local predictive simulation.
raincole: To quote the parent comment:> The general simplistic answer from those who never had to design such a game or a system of “do everything on the server” is laughably bad.
nichch: The "just wifi" is about getting your true geolocation so regulated gaming platforms can operate legally. Ironically, I bet whatever API they use can be intercepted by a kernel level process.They also have VM checks. I "accidentally" logged into MGM from a virtual machine. They put my account on hold and requested I write a "liability statement" stating I would delete all "location altering software" and not use it again. (Really!)
raincole: The solution is purely cultural. We should collectively think people who cheat online are losers.(Not being sarcastic.)
Thaxll: Game companies have to have those kernel anti cheats because MS never implemented proper isolation in the first place; if Windows was secured like an Apple phone or a console there wouldn't be a need for it. Anti cheat doesn't run on modern consoles because there is no need to, game devs assume that the latest firmware on a console is secure enough that they know we can't tamper with the console.
Morromist: The only solution that seems to work well that I've seen is having very active and good server admins who watch the gameplay and permaban cheaters. Requires a lot of man hours and good UI and info for them to look at, as well as (ideally) the ability to see replays.That solution only works on servers hosted by players - I've never seen huge game companies that run their own servers (like GTA) have dedicated server admins. I guess they think they can just code cheaters out of their games, but they never can.
ryeguy: This take sucks. The anticheat software in this context is for competitive games. No one cares about people cheating in isolation in single player games. The anticheat is to stop 1 guy from ruining it for the 9 others he's playing with online.You can argue about the methods used for anticheat, but your comment here is trying to defend the right to cheat in online games with other people. Just no.
chrisfosterelli: Well it is a professional sport -- there's tournaments worth tens of millions of dollars. But honestly it is probably easier to catch cheaters in that environment. The real issue is that cheaters suck the fun out of the game, and matchmaking doesn't fix this because cheaters just cheat the matchmaking (smurf accounts, etc) until they're stomping regular players again. I don't think throwing our hands up and letting the cheaters go on is a real solution.
jrockway: I still don't understand why people don't cheat in FPSes by looking at the video stream and having a USB mouse that emits the right mouse movements. (The simplest thing is to just click when someone's head is under your crosshair, in games with hitscan weapons.)
Morromist: That would be interesting if they did. Looking at cards is a way easier problem than rendering a 3d world with other players bouncing around. I imagine you could just send the card player basically a screenshot of what you want them to see and give them no other data to work with and that would mostly solve cheating. But gambling can be way more complicated than just looking at cards so maybe there's a lot more to it.
throw10920: I would love to see a modern competitive game with optional anticheat that, when enabled, allows you to queue for a separate matchmaking pool that is exclusive to other anticheat users. For players in the no-anticheat pool, there could be "community moderation" that anti-anticheat players advocate for.

It'd be really interesting to see what would happen - for instance, what fraction of players would pick each pool during the first few weeks after launch, and then how many of them would switch after? What about players who joined a few months or a year after launch?

Unfortunately, pretty much the only company that could make this work is Valve, because they're the only one who actually cares for players and is big enough that they could gather meaningful data. And I don't think that even Valve will see enough value in this to dedicate the substantial resources it'd take to try to implement.
Cyph0n: > I would love to see a modern competitive game with optional anticheat that, when enabled, allows you to queue for a separate matchmaking pool that is exclusive to other anticheat users. For players in the no-anticheat pool, there could be "community moderation" that anti-anticheat players advocate for.

This is roughly what Valve does for CS2. But, as far as I understand, it's not very effective and unfortunately still results in higher cheating rates than e.g. Valorant.
throw10920: Huh. When you say that "it's not very effective" do you mean the segmentation between the pools, or the actual anticheat isn't very good? (I'm assuming the latter - I've heard that VAC is pretty bad as far as anticheat goes)
z0mghii: Community alternative (faceit) requires kernel level access. The actual anticheat matchmaking is essentially unplayable
Cyph0n: Oh sorry - I misread your suggestion! I thought you were talking about separate matchmaking logic for known cheaters, but you're asking about opt-in matchmaking for those willing to use invasive anticheat.The example still kind of applies. In the CS world, serious players use Faceit for matchmaking, which requires you to install a kernel-level anticheat. This is basically what you're suggesting, but operated by a 3rd party.
cortesoft: I have never worked on AAA games, but I have developed software for 35 years and play many competitive online games regularly. I have always wondered why more companies don't do trust based anti cheat management. Many cheats are obvious to anyone in the game: you see people jumping around like crazy, or a character will be able to shoot through walls, or something else that is impossible for a non-cheater to do. Each opponent in the game is getting the information from the cheating player's game that has it doing something impossible. I know it isn't as simple as having the game report another player automatically, because cheaters could report legitimate players... but what if each game reported cheaters, and then you wait for a pattern... if the same player is reported in every game, including against brand new players, then we would know they were a cheater. Unless cheaters got to be a large percentage of the player population, they shouldn't be able to rig it.
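The two ideas in this thread, the authoritative server simulation that Thaxll describes and the "impossible for an honest client, so wait for a pattern across matches" approach above, can be put together in a few functions. This is an added example written for this page, not code from any game or anticheat; the tick rate, speed cap, map geometry and per-match flag data are constructed, and the function names are hypothetical. The server never trusts the client's claim that a move or shot was legal; it recomputes plausibility from the positions it already has, then a separate step decides only on repeated flags.

```python
"""Server-side plausibility checks plus cross-match aggregation (toy model).

Added example; all numbers and names below are assumptions, not any real
game's values.
"""
import math
from collections import defaultdict

TICK_S = 1 / 64      # assumed 64 Hz server tick
MAX_SPEED = 320.0    # assumed movement cap, world units per second


def speed_violations(track, max_speed=MAX_SPEED, tick_s=TICK_S):
    """track: [(tick, x, y), ...] for one player in tick order.
    Returns (tick, speed) for every step faster than the game allows
    (teleport / speedhack): the client may predict locally, but the server
    decides what a legal move is."""
    out = []
    for (t0, x0, y0), (t1, x1, y1) in zip(track, track[1:]):
        dt = (t1 - t0) * tick_s
        if dt <= 0:
            continue
        speed = math.hypot(x1 - x0, y1 - y0) / dt
        if speed > max_speed:
            out.append((t1, round(speed, 1)))
    return out


def _segments_cross(p, q, a, b):
    """True if segment p-q properly intersects segment a-b (2D orientation test)."""
    def orient(o, s, t):
        return (s[0] - o[0]) * (t[1] - o[1]) - (s[1] - o[1]) * (t[0] - o[0])
    d1, d2 = orient(a, b, p), orient(a, b, q)
    d3, d4 = orient(p, q, a), orient(p, q, b)
    return d1 * d2 < 0 and d3 * d4 < 0


def wall_violations(shots, walls):
    """shots: (tick, shooter, target, shooter_xy, target_xy); walls: [(xy, xy)].
    A registered hit whose line of fire crosses a solid wall is impossible
    for an honest client, so it is flagged regardless of what the client said."""
    return [(t, s, v) for (t, s, v, sp, tp) in shots
            if any(_segments_cross(sp, tp, a, b) for a, b in walls)]


def aggregate(flags, matches_played, min_matches=5, min_rate=0.6):
    """flags: {match_id: set(player)} players flagged in that match.
    matches_played: {player: n}. One flagged match may be noise (lag spike,
    a bug in the check); a player flagged in most of their matches is not.
    Returns {player: flagged_rate} for players over the threshold."""
    hits = defaultdict(set)
    for mid, players in flags.items():
        for p in players:
            hits[p].add(mid)
    verdict = {}
    for p, n in matches_played.items():
        if n < min_matches:
            continue                      # not enough history to judge
        rate = len(hits[p]) / n
        if rate >= min_rate:
            verdict[p] = round(rate, 2)
    return verdict


def demo():
    # Constructed sample data: one teleport at tick 3, one shot through a wall,
    # and seven matches' worth of per-match flags.
    track = [(0, 0.0, 0.0), (1, 4.0, 0.0), (2, 8.0, 0.0), (3, 200.0, 0.0)]
    walls = [((10.0, -5.0), (10.0, 5.0))]
    shots = [
        (3, "alice", "bob", (0.0, 0.0), (20.0, 0.0)),   # line of fire crosses the wall
        (4, "bob", "alice", (0.0, 0.0), (5.0, 0.0)),    # clear line of fire
    ]
    flags = {1: {"alice"}, 2: {"alice", "bob"}, 3: {"alice"}, 4: {"alice"},
             5: {"alice"}, 6: set(), 7: {"carol"}}
    played = {"alice": 6, "bob": 6, "carol": 2}
    return {
        "speed": speed_violations(track),
        "walls": wall_violations(shots, walls),
        "verdict": aggregate(flags, played),
    }


if __name__ == "__main__":
    print(demo())
```

The per-match checks only need data the server already holds, so a cheater cannot suppress them from the client side; the aggregation step is what keeps a single false positive (or a single coordinated false report) from becoming a ban.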
raincole: They do. Cheats that read rendered pixels are nothing new.
nemothekid: > This way, if cheating gives god-like behaviour, you play with other godlike folks.

Anti-cheat is not used to "protect" bronze level games. FACEIT uses a kernel level anti cheat, and FACEIT is primarily used by the top 1% of CS2 players. A lot of the "just do something else" crowd neglects to realize that anticheat is designed to protect the integrity of the game at the highest levels of play. If the methods you described were adequate, the best players wouldn't willingly install FACEIT - they would just stick with VAC which is user-level.
nawgz: > kernel level AC hasn't even solved the problem

> There are far better ways to detect cheating, such as calculating statistics on performance

Ask any CS player how VAC’s statistical approach compares to Valorant’s Vanguard and you will stop asserting such foolishness. The problem with what you are saying is that cheaters are extremely determined and skilled, and so the cheating itself falls on a spectrum, as do the success of various anticheat approaches. There is absolutely no doubt that cheating still occurs with kernel level anticheats, so you’re right it didn’t “solve” the problem in the strictest sense. But as a skilled player in both games, only one of them is meaningfully playable while trusting your opponents aren’t cheating - it’s well over an order of magnitude in difference of frequency.
LiamPowell: > As far as I'm concerned, if the player wants to cheat he's just exercising his god given rights as the owner of the machine.By this same logic: As far as I'm concerned, if the game developer only wants to allow players running anticheat to use their servers then they're just exercising their god given rights as the owner of the server.
throw10920: Wait, so the "community alternative" is also kernel-level anticheat? I think that's different from what I'm proposing - I'm suggesting a comparison between an anticheat and no anticheat (with community policing of lobbies and handing out of penalties).
matheusmoreira: > The anticheat is to stop 1 guy from ruining it for the 9 others he's playing with online.Don't play with untrusted randoms. Play with people you know and trust. That's the true solution.
matheusmoreira: This is just yet another example of the remote attestation nonsense where your computer is only "trusted" if it's corporate owned. If you own your machine, you "tampered" with it and as a result you get banned from everything. You get ostracized from digital society.

My position is this is unfair discrimination that should be punished with the same rigor as literal racism. Video games are the least of our worries here. We have vital services like banks doing this. Should be illegal.
quotemstr: And if we embraced instead of feared remote attestation and secure enclaves, the days of game companies having this level of access would come to an end.
srjek: It is correct, the measurement command to the TPM is not encrypted. So with MITM you can record the boot measurements, then reset and replay to any step of the boot process. Secrets locked to particular stages of boot are then exposed. There is guidance on "Active" attacks [1], which is to set up your TPM secrets so they additionally require a signature from a secret stored securely on the CPU. But that only addresses secret storage, and does nothing about the compromised measurements. I also don't know what would be capable of providing the CPU secret for x86 processors besides... an embedded/firmware TPM.

[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_-CP...
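The interposer attack that gruez, invokestatic and srjek describe comes down to one property of the PCR_Extend command: the TPM hashes whatever it is sent, with no way to check that the value came from the code it claims to measure. The toy model below, an added example written for this page rather than anything from the thread or from a real TPM stack, simulates a single PCR with real SHA-256 extend semantics, seals a secret to the clean-boot PCR value, and then shows a bus interposer recording one clean boot and replaying those measurements during a tampered boot. The names `ToyTPM`, `BusInterposer` and the boot-stage strings are constructed; signing of the resulting PCR (the quote) is left out because the replayed value is already identical to the golden one, which is exactly why a correctly signed quote would still verify.

```python
"""Toy TPM PCR model and a bus interposer replaying a clean boot.

Added example. ToyTPM and BusInterposer are hypothetical names; the boot
chains are constructed. Real TPMs have 24 PCRs and use a hash of the
measurement on the CPU side, but the extend rule is the same.
"""
import hashlib
import hmac

# Constructed boot chains: what CPU-side code hands to the TPM at each stage.
GOOD_BOOT = [b"firmware v1", b"bootloader v1", b"kernel v1 secureboot=on"]
TAMPERED_BOOT = [b"firmware v1", b"bootloader v1", b"kernel v1 patched secureboot=off"]


class ToyTPM:
    """One PCR, extend-only, plus seal/unseal gated on that PCR."""

    def __init__(self):
        self.pcr = bytes(32)   # PCRs read as all-zero after reset
        self._sealed = {}      # handle -> (required_pcr, secret); never leaves the chip

    def reset(self):
        self.pcr = bytes(32)

    def extend(self, measurement: bytes) -> bytes:
        # TPM2_PCR_Extend: pcr = H(pcr || H(measurement)). One-way and order-sensitive,
        # but the TPM cannot know what code produced `measurement`.
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(measurement).digest()).digest()
        return self.pcr

    def seal(self, secret: bytes, required_pcr: bytes) -> int:
        handle = len(self._sealed)
        self._sealed[handle] = (required_pcr, secret)
        return handle

    def unseal(self, handle: int):
        required, secret = self._sealed[handle]
        # Policy: release the secret only if the current PCR equals the sealing-time value.
        return secret if hmac.compare_digest(self.pcr, required) else None


class BusInterposer:
    """Sits on the unauthenticated bus between CPU and discrete TPM.
    Phase 1 (replay=False): record the measurements of a clean boot.
    Phase 2 (replay=True): substitute the recorded values during any later boot."""

    def __init__(self):
        self.recorded = []
        self.replay = False

    def on_extend(self, index: int, measurement: bytes) -> bytes:
        if self.replay and index < len(self.recorded):
            return self.recorded[index]   # swap in the known-good measurement
        self.recorded.append(measurement)
        return measurement


def boot(tpm, stages, interposer=None) -> bytes:
    """Simulate a power-on: reset the PCR, then extend once per boot stage."""
    tpm.reset()
    for i, measurement in enumerate(stages):
        if interposer is not None:
            measurement = interposer.on_extend(i, measurement)
        tpm.extend(measurement)
    return tpm.pcr


def run_scenarios() -> dict:
    tpm = ToyTPM()
    golden = boot(tpm, GOOD_BOOT)
    handle = tpm.seal(b"disk-encryption-key", golden)

    # Tampered boot with no interposer: the PCR diverges and the secret stays sealed.
    honest = boot(tpm, TAMPERED_BOOT)
    unsealed_honest = tpm.unseal(handle)

    # Attacker records one clean boot, then replays it while booting tampered code.
    mitm = BusInterposer()
    boot(tpm, GOOD_BOOT, mitm)
    mitm.replay = True
    replayed = boot(tpm, TAMPERED_BOOT, mitm)
    unsealed_replayed = tpm.unseal(handle)

    return {
        "golden": golden.hex(),
        "honest": honest.hex(),
        "replayed": replayed.hex(),
        "unsealed_honest": unsealed_honest,
        "unsealed_replayed": unsealed_replayed,
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The replayed PCR is bit-for-bit the golden value, so anything keyed to it (a sealed secret here, a signed quote in the remote attestation case) behaves as if the machine had booted cleanly. Endorsement keys do not help, as invokestatic notes, because the EK only proves which TPM signed the quote, not what the CPU was actually running. A firmware TPM removes the external bus, and TPM 2.0 encrypted sessions can protect command parameters on a discrete part, but only for commands that are actually sent inside such a session from the first measurement onward.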
matheusmoreira: Consoles and phones are "secure" because you don't own them. They aren't yours. They belong to the corporations. They're just generously allowing you to use the devices. And only in the ways they prescribe.

This is the exact sort of nonsense situation I want to prevent. We should own the computers, and the corporations should be forced to simply suck it up and deal with it. Cheating? It doesn't matter. Literal non-issue compared to the loss of our power and freedom.

It's just sad watching people sacrifice it all for video games. We were the owners of the machine but we gave it all up to play games. This is just hilarious, in a sad way.
jack_pp: That is not the solution if you want to play competitively or whenever you feel like it. Kernel level AC is a compromise for sure and it's the gamer's job to assess if the game is worth the privacy risk, but I'd say it's much more their right to take that risk than the cheater's right to ruin 9 other people's time for their own selfish amusement.
piotrkaminski: By and large we do. Unfortunately, the losers don't care unless you identify them personally. For them, the thrill of cheating and griefing others easily overcomes some generalized cultural zeitgeist.
bee_rider: Smurf accounts are a real problem, but they are a real problem whether the person stomping beginners is using cheats or is just experienced. The target should be preventing smurfing in the first place.
YetAnotherNick: > Anyway, this isn’t the Olympics, a professional sport, or Chess.

Yes, its prize pool is an order of magnitude higher than either Olympic sports or chess.