Hacker News

How kernel anti-cheats work

156 points, by davikr, today at 12:15 AM, 120 comments

Comments

rhim, today at 8:53 AM

Kernel-level anti-cheat is really the maximum effort at locking down a client from doing something suspicious. But today we still see cheaters in those games running these systems, which proves that a game server just cannot trust a random client out there. I know it's about costs: what to compute on the client and what to compute on the server side. But as long as a game trusts computation and 'inputs' of clients we will see those cheating issues.
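
An added example (not from this thread or any game's code) of the server-authority point rhim is making, in Python: the server integrates player movement from the client's *inputs* rather than accepting a client-*reported* position, and a constructed packet stream with one impossible jump shows what each design can and cannot catch. The tick length, speed limit, packet format and the `Pos`/`step_from_input`/`validate_reported` names are assumptions for the example.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 6.0   # assumed: world units per second a player may legally move
TICK = 1 / 64     # assumed: server tick length in seconds


@dataclass(frozen=True)
class Pos:
    x: float
    y: float


def step_from_input(pos: Pos, move_x: float, move_y: float, dt: float = TICK) -> Pos:
    """Server-authoritative design: the client sends only a movement direction.
    The server clamps it to unit length and integrates the position itself, so
    there is no position value the client could lie about."""
    mag = math.hypot(move_x, move_y)
    if mag > 1.0:
        move_x, move_y = move_x / mag, move_y / mag
    return Pos(pos.x + move_x * MAX_SPEED * dt, pos.y + move_y * MAX_SPEED * dt)


def validate_reported(pos: Pos, reported: Pos, dt: float = TICK, slack: float = 1.05):
    """Client-reported design: the client sends a position and the server can only
    check plausibility after the fact. Returns (position to keep, rejected?)."""
    limit = MAX_SPEED * dt * slack  # small tolerance for tick jitter
    if math.hypot(reported.x - pos.x, reported.y - pos.y) > limit:
        return pos, True            # impossible jump: keep the old position and flag it
    return reported, False


# Constructed packet stream from one client. For the input-driven design it is a
# direction per tick; for the reported design it is the position the same client
# claims. Packet 3 asks for 5x speed / claims a 5-unit jump in a single tick, far
# beyond MAX_SPEED * TICK = 0.09375 units.
INPUT_PACKETS = [(1.0, 0.0), (1.0, 0.0), (5.0, 0.0), (0.0, 1.0)]
CLAIMED_POSITIONS = [Pos(0.09375, 0.0), Pos(0.1875, 0.0),
                     Pos(5.1875, 0.0), Pos(5.1875, 0.09375)]


def run_input_driven(packets=INPUT_PACKETS) -> Pos:
    """The oversized request is silently clamped; the client never gains anything."""
    pos = Pos(0.0, 0.0)
    for mx, my in packets:
        pos = step_from_input(pos, mx, my)
    return pos


def run_reported(claims=CLAIMED_POSITIONS):
    """The jump is caught, but every later claim built on it is also inconsistent,
    so the client's session stays out of sync: the server can only detect, not prevent."""
    pos, rejected = Pos(0.0, 0.0), 0
    for claim in claims:
        pos, bad = validate_reported(pos, claim)
        rejected += bad
    return pos, rejected


if __name__ == "__main__":
    print("input-driven final position:", run_input_driven())
    print("reported final position, rejections:", run_reported())
```

The second function is the situation the comment describes: once the server trusts a client-computed value, the best it can do is plausibility checks and flags, whereas the first design leaves nothing for the client to falsify except its own inputs.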

throw10920, today at 4:09 AM

I would love to see a modern competitive game with optional anticheat that, when enabled, allows you to queue for a separate matchmaking pool that is exclusive to other anticheat users. For players in the no-anticheat pool, there could be "community moderation" that anti-anticheat players advocate for.

It'd be really interesting to see what would happen - for instance, what fraction of players would pick each pool during the first few weeks after launch, and then how many of them would switch after? What about players who joined a few months or a year after launch?

Unfortunately, pretty much the only company that could make this work is Valve, because they're the only one who actually cares for players and is big enough that they could gather meaningful data. And I don't think that even Valve will see enough value in this to dedicate the substantial resources it'd take to try to implement.

coppsilgold, today at 6:28 AM

There is a solution to cheating, but it's not clear how hard it would be to implement.

Cheaters are by definition anomalies: they operate with information regular players do not have. And when they use aimbots they have skills other players don't have.

If you log every single action a player takes server-side and apply machine learning methods it should be possible to identify these anomalies. Anomaly detection is a subfield of machine learning.

It will ultimately prove to be the solution, because only the most clever of cheaters will be able to blend in while still looking like great players. And only the most competently made aimbots will be able to appear like great player skills. In either of those cases the cheating isn't a problem because the victims themselves will never be sure.

There is also another method that the server can employ: players can be actively probed with game world entities designed for them to react to only if they have cheats. Every such event would add probability weight onto the cheaters. Ultimately, the game world isn't delivered to the client in full, so if done well the cheats will not be able to filter. For example: as a potential cheater enters entity broadcast range of a fake entity camping in an invisible corner that only appears to them, their reaction to it is evaluated (mouse movements, strategy shift, etc.). Then when it disappears another evaluation can take place (cheats would likely offer mitigations for this part). Over time, cheaters will stand out from the noise; most will likely out themselves very quickly.

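An added example (not from this thread or any shipping anti-cheat) that puts the two server-side ideas in coppsilgold's comment into Python: a robust anomaly score over each player's logged reaction times, and a Bayesian evidence weight accumulated from probe events where a fake entity was placed where no honest client could see it. The player records, the probe response probabilities, the prior and the thresholds are all constructed assumptions.

```python
import math
import statistics

# Constructed server-side log, one list of (reaction_ms, reacted_to_honeypot) per player.
# reaction_ms: time between an opponent entering the player's view and the player's aim
# landing on them. reacted_to_honeypot: whether the player turned toward a fake entity
# the server placed out of any legitimate line of sight (so only a client reading the
# raw entity list would have anything to react to).
PLAYERS = {
    "alice":   [(310, False), (280, False), (350, False), (295, False), (330, False)],
    "bob":     [(260, False), (300, False), (240, False), (290, False), (275, False)],
    "carol":   [(420, False), (390, False), (450, False), (410, False), (400, False)],
    "dave":    [(295, False), (305, False), (300, False), (315, False), (290, False)],
    "erin":    [(325, False), (315, False), (320, False), (340, False), (310, False)],
    "mallory": [(45, True), (50, False), (40, True), (55, True), (48, True)],
}

P_REACT_CHEATER = 0.60  # assumed: chance a cheating client reacts to a hidden probe
P_REACT_HONEST = 0.02   # assumed: chance an honest player appears to react by coincidence
PRIOR_CHEATER = 0.01    # assumed base rate of cheaters


def reaction_zscores(players):
    """Robust z-score of each player's median reaction time against the population,
    using median and MAD so a handful of outliers cannot drag the baseline."""
    medians = {name: statistics.median(r for r, _ in recs) for name, recs in players.items()}
    pop_median = statistics.median(medians.values())
    mad = statistics.median(abs(m - pop_median) for m in medians.values()) or 1.0
    scale = 1.4826 * mad  # MAD -> standard-deviation equivalent for normal data
    return {name: (m - pop_median) / scale for name, m in medians.items()}


def honeypot_posterior(records, prior=PRIOR_CHEATER):
    """Sequential Bayesian update: each probe event adds its log-likelihood ratio,
    so evidence accumulates over time instead of relying on any single event."""
    log_odds = math.log(prior / (1 - prior))
    for _, reacted in records:
        if reacted:
            log_odds += math.log(P_REACT_CHEATER / P_REACT_HONEST)
        else:
            log_odds += math.log((1 - P_REACT_CHEATER) / (1 - P_REACT_HONEST))
    return 1 / (1 + math.exp(-log_odds))


def rank_suspects(players, z_threshold=-3.0, posterior_threshold=0.5):
    """Combine both signals. Only unusually *fast* reactions count (z below threshold);
    slow players like carol are merely unskilled, not anomalous in the cheating direction."""
    z = reaction_zscores(players)
    report = {}
    for name, recs in players.items():
        post = honeypot_posterior(recs)
        report[name] = {
            "reaction_z": round(z[name], 2),
            "honeypot_posterior": round(post, 4),
            "flag": z[name] < z_threshold or post > posterior_threshold,
        }
    return report


if __name__ == "__main__":
    for name, row in rank_suspects(PLAYERS).items():
        print(f"{name:8s} {row}")
```

Both signals are computed entirely from what the server already observes, which is the comment's point: nothing here depends on code running on the client. The thresholds would need tuning against real populations, and a flag is evidence for review rather than a verdict.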
eddythompson80, today at 2:17 AM

While I’m not really a gamer, I do think the conundrum of online games cheating is an interesting technical problem because I honestly can’t think of a “good” solution. The general simplistic answer from those who never had to design such a game or a system of “do everything on the server” is laughably bad.

EPWN3D, today at 5:49 AM

> Modern kernel anti-cheat systems are, without exaggeration, among the most sophisticated pieces of software running on consumer Windows machines. They operate at the highest privilege level available to software, they intercept kernel callbacks that were designed for legitimate security products, they scan memory structures that most programmers never touch in their entire careers, and they do all of this transparently while a game is running.

Okay, chill. I'm willing to believe that anti-cheat software is "sophisticated", but intercepting system calls doesn't make it so. There is plenty of software that operates at elevated privilege and runs transparently while other software is running, while intentionally being unsophisticated. It's called a kernel subsystem.

metalcrow, today at 2:14 AM

> TPM-based measured boot, combined with UEFI Secure Boot, can generate a cryptographically signed attestation ... This is not a complete solution (a sufficiently sophisticated attacker can potentially manipulate attestation)

I was not aware that attackers could potentially manipulate attestation! How could that be done? That would seemingly defeat the point of remote attestation.

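An added example (not from the article or this thread) of what the quoted measured-boot attestation actually checks on the verifier side, in Python: each boot component is hashed into a PCR with the extend operation, the TPM signs the PCR value together with a fresh nonce, and the server compares the result against a golden value. The component names are constructed, and the TPM's attestation key is modelled as an HMAC key shared with the verifier purely so the example runs offline; a real TPM signs quotes with an asymmetric key certified by its manufacturer.

```python
import hashlib
import hmac

# Assumed stand-in for the TPM's attestation key (a real quote is an asymmetric
# signature; HMAC keeps the example dependency-free).
TPM_KEY = b"constructed-attestation-key"
PCR_SIZE = 32


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA256(PCR_old || SHA256(component)).
    Because the old value is folded in, order matters and nothing can be 'un-measured'."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Client side: PCR starts at zero and every stage measures the next one."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def tpm_quote(pcr: bytes, nonce: bytes):
    """Client side: the TPM signs (PCR value || verifier nonce)."""
    message = pcr + nonce
    return message, hmac.new(TPM_KEY, message, hashlib.sha256).digest()


def verify_quote(quote: bytes, signature: bytes, expected_pcr: bytes, expected_nonce: bytes) -> str:
    """Server side. Checks in order: signature (came from the key), nonce (fresh, not a
    replay of an earlier good quote), PCR (matches the known-good boot chain)."""
    expected_sig = hmac.new(TPM_KEY, quote, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return "bad-signature"
    pcr, nonce = quote[:PCR_SIZE], quote[PCR_SIZE:]
    if not hmac.compare_digest(nonce, expected_nonce):
        return "stale-nonce"
    if not hmac.compare_digest(pcr, expected_pcr):
        return "pcr-mismatch"
    return "ok"


# Constructed golden boot chain the server has pre-computed a PCR value for.
GOLDEN_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1", b"anticheat-driver-v1"]
GOLDEN_PCR = measure_boot_chain(GOLDEN_CHAIN)


def attest(boot_chain, nonce: bytes, expected_nonce: bytes = None) -> str:
    """Full round trip: the client measures and quotes, the server verifies.
    expected_nonce lets a test simulate a quote answering an older challenge."""
    quote, signature = tpm_quote(measure_boot_chain(boot_chain), nonce)
    return verify_quote(quote, signature, GOLDEN_PCR,
                        nonce if expected_nonce is None else expected_nonce)


if __name__ == "__main__":
    nonce = b"\x01" * 16
    print("golden chain:      ", attest(GOLDEN_CHAIN, nonce))
    print("extra driver loaded:", attest(GOLDEN_CHAIN + [b"unsigned-driver"], nonce))
```

What the verifier learns is only that *some* holder of the key signed this PCR value for this nonce; which software is actually running is inferred from the golden list, so the guarantee is only as strong as that list, the code doing the measuring, and the provenance of the key.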
quailfarmer, today at 7:39 AM

The real “competitive” game is not players playing against other players, but hackers playing against anti-cheat. “Billiards is not as good a game as Physics”

(https://mag.uchicago.edu/billiards)

compsciphd, today at 8:46 AM

I've said it before, but are anti-cheat mechanisms needed on consoles? If not (presumably due to their locked-down nature), what's the problem with having a locked-down mode (a trusted secure boot path that doesn't allow other programs to run, à la the "xbox mode" that Microsoft has started to implement) that is similar to a console?

This seems much more doable today than in the past, as machines boot in moments. Switching from secure "xbox mode" to free-form PC mode would be barely a bump.

Now, I see one major difference: heterogeneous vs. homogeneous hardware (and the associated drivers that come with that). In the Xbox world, one is dealing with a very specific hardware platform and a single set of drivers. In the PC world (even in a trusted secure boot path), one is dealing with lots of different hardware and drivers that can all have their exploits. If users are more easily able to modify their PCs and set of drivers, I'd imagine serious cheaters would gravitate to combinations they know they can exploit to break the secure/trusted boot boundary.

I wonder if there are other problems.

152334H, today at 7:30 AM

It's AI-assisted content, but has good reference links.

matheusmoreira, today at 3:15 AM

Never forget the risks of trusting game companies with this sort of access to your machine.

https://www.vice.com/en/article/fs-labs-flight-simulator-pas...

Company decides to "catch pirates" as though it were the police. Ships a browser stealer to consumers and exfiltrates data via unencrypted channels.

https://old.reddit.com/r/Asmongold/comments/1cibw9r/valorant...

https://www.unknowncheats.me/forum/anti-cheat-bypass/634974-...

Covertly screenshots your screen and sends the image to their servers.

https://www.theregister.com/2016/09/23/capcom_street_fighter...

https://twitter.com/TheWack0lian/status/779397840762245124

https://fuzzysecurity.com/tutorials/28.html

https://github.com/FuzzySecurity/Capcom-Rootkit

Yes, a literal privilege escalation as a service "anticheat" driver.

Trusting these companies is insane.

Every video game you install is untrusted proprietary software that assumes you are a potential cheater and criminal. They are pretty much guaranteed to act adversarially to you. Video games should be sandboxed and virtualized to the fullest possible extent so that they can access nothing on the real system and ideally not even be able to touch each other. We really don't need kernel level anticheat complaining about virtualization.

Retr0id, today at 1:36 AM

This got me wondering how easy it'd be to automate discovery of BYOVD vulns with LLMs (both offensively and defensively).

dxuh, today at 7:23 AM

I feel like this whole problem is just made up. Back in the day, when I played lots of Counter Strike, we had community servers. If a cheater joined, some admin was already online and kicked them right away. I'm sure we hit some people that were not actually cheaters, but they would just go to another server. And since there was no rank, no league, no rewards (like skins, drops, etc.), there was no external reward for cheating. It annoys me that cheating in competitive video games seems like a bigger problem than it has been in the past for no good reason.

jrockway, today at 4:05 AM

I still don't understand why people don't cheat in FPSes by looking at the video stream and having a USB mouse that emits the right mouse movements. (The simplest thing is to just click when someone's head is under your crosshair, in games with hitscan weapons.)


istillcantcode, today at 3:09 AM

I could have sworn online gambling people fixed this years ago with just wifi. I thought I remembered reading a comment on here about the online gambling for kids no cheating people not talking to the online gambling for adults no cheating people.
