All of this is beyond horrific.
Mucking about in the kernel basically bypasses the entire security and stability model of the OS. And this is not theoretical, people have been rooted through buggy anticheats software, where the game sent malicious calls to the kernel, and hijacked to anti cheat to gain root access.
Even in a more benign case, people often get 'gremlins', weird failures and BSOD due to some kernel apis being intercepted and overridden incorrectly.
The solution here is to establish root of trust from boot, and use the OSes sandboxing features (like Job Objects on NT and other stuff). Providing a secure execution environment is the OS developers' job.
Every sane approach to security relies on keeping the bad guys out, not mitigating the damage they can do once they're in.
Unfortunately (or fortunately depending on what side of the fence you live), boot chain security is not taken as seriously in the PC ecosystem as it is on phones. As as a result, even if you relying on os features, you cannot trust them. This is doubly the case in situations where the user owns the kernel (eg Linux) or hypervisor. Attestation would work, but the number of users that you could probably successfully attest are on on a trustworthy setup is fairly small, so it's not really a realistic option. And that is why they must reach for other options. Keep in mind that even if it's not foolproof, if it reduces the number of cheaters by a statistically significant amount, it's worthwhile.
I really thought this might change over time given strong desire for useful attestation by major actors like banks and media companies, but apparently they cannot exert the same level of influence on the PC industry as they have on the mobile industry.
I think it's fortunate that I own at least one of the computing devices I paid for.
Yea, but it'd be real nice if we could trust the software we run on our own devices, no?
Secure boot with software attestation could also be used for good.
Only if I get to set the keys or no keys - under all circumstances.
There should be a physical button inside the case labeled "set up secure boot"
Every sane approach to security relies on checking you are doing permitted actions on the server, not locking down the client.
Which isn't practical for multiplayer action games, so we end up here.
To do real time analysis and interception probably not. But for after the fact analysis, if a player is moving on knowledge he couldn’t have had because it shouldn’t have been rendered yet or something, then you can assume cheating.
I’m not a particularly skilled overwatch player, but I know the cooldowns of probably half the characters to muscle memory. I can hit an ability pretty much perfectly on cooldown 90+% of the time.
The vast, vast majority of skilled FPS players will predict their shots and shoot where they think the enemy player will be relative to the known hit detection of the game. In high level play for something like r6 siege, I’d say it’s 99% shooting before you can possibly know where they are by “feeling”
Doesn’t matter. There’s no world where a multiplayer action game is worth it, and anyway this is a classic example of trying to solve a social problem with technology.
The reason cheating is a problem at all is that instead of playing with friends, you use online matchmaking to play with equally alienated online strangers. This causes issues well in excess of cheating, including paranoia over cheating.
> There’s no world where a multiplayer action game is worth it
To you. I’m perfectly happy to run a kernel level anticheay - I’m already running their code on my machine, and it can delete my files, upload them as encrypted game traffic, steal my crypto keys, screenshot my bank details and private photos all without running at a kernel level.
> trying to solve a social problem with technology
I disagree. I’m normally on the side of not doing that but increasing the player pool and giving players access to more people at the their own skill level is a good thing
This. Also the client knows more than its allowed to show the user, like the positions of enemy players. You can make aimbots and wallhacks without needing to tamper with the game state.
And you can see the player is tracking players through walls way more than by chance.
Are you saying that the solution here is to sell computers so locked down that no user can install anything other than verified software?
I'm still not seeing how that would solve it. These are all multiplayer games. You could intercept the network traffic before it reaches the machine and then use a separate device to give you audio or visual cues. In StarCraft, reading the network traffic with a pi and hearing "spawning 5 mutalisk" is gonna completely change the game.
You can't do anything with a locked-down computer. It can encrypt all its traffic and you can't see anything.
That’s what I want as a gamer. I want a PC that works as a console. Whether I want that for other use cases or this machine doesn’t matter. I’m happy to sandbox _everything else_, boot into a specific OS to game etc.
The thing about gaming is that it’s not acceptable to leave 5% performance on the table whereas for other uses it usually is.
Question for you - why don’t you buy a console? (I agree with you by the way, it’s why I have a ps5)
I never played using a controller and I never will. And I do want a high end PC for other use cases.,
_most_ games now do KBM on console and matchmake separately for it. It's still not perfect, but it's gotten much better.
> And I do want a high end PC for other use cases.,
Right, you don't want two devices (that's fair). How can you _possibly_ trust the locked down device won't interfere with the other open software it's installed side by side with?
Those use cases don't work with completely locked down OS.
Also you can plug a mouse in a console… that's a weird excuse.
I don’t need to game in the same OS that I do other things. But having two sets of hardware seems like a waste.
Having a useless locked down machine isn't a waste?
Not if I can just leave that sandbox when I want to (boot another OS/mode/leave a sandbox etc) no?
Just know that it will still get cracked and cheats will exist. I suspect this is Microsoft's next "console" as they have been developing "anti-cheat" for quite some time.
> it’s not acceptable to leave 5% performance on the table whereas for other uses it usually is.
I think that’s an incredibly rare stance not held by the vast majority of gamers, including competitive ones.
I don’t think a sandbox like a VM would work even if it could be done with only 5% perf hit? Wouldnt any game run in a VM be possible to introspect from the hypervisor in a way that is hard to see from inside the VM? And that’s why these anticheats disallow virtualization?
That would mean those who are concerned about the integrity would want to sandbox everything else instead. And even if people are ok with giving up a small bit of perf when gaming, I’m sure they’re even more happy to give up perf when doing online banking.
Get a console then.
Or we just boot into some console-esque gaming OS or mode to game. I’m not sure why this would be so controversial. The alternative is the one we see here.
But that requires you not owning your computer, which I hope is controversial.
Mid range hardware can run majority of games at high fps. You can easily leave performance on the table.
No. No it can not. Unless you mean a 5070/80 is mid range.
That’s not really incompatible with this? That’s just how secure boot works. You can re-enlist keys for a different root of trust, or disable it and accept the trade-off there.
The idea is that it would require a verified hypervisor, and verified operating system for the game, but you could still at the same time be running an unverified operating system with unverified software. The trusted and untrusted software has to be properly sandboxed from one another. The computer does not need to be locked down so you can't run other hypervisors, it just would require that the anticheat can't prove that it's running on a trusted one when it isn't.
The security of PCs is still poor. Even if you had every available security feature right now it's not enough for the game to be safe. We still need to wait for PCs to catch up with the state of the art, then we have to wait 5+ years for devices to make it into the wild to have a big enough market share to make targeting them to be commercially viable.
But if you can get in before the OS, you can change what it does. You'd need attestation in the hardware itself so the server can know that what's running isn't signed by Microsoft's key, for example.
Attestation is how the user mode anticheat would prove that it is running on a secure system / unmodified game.
No. I'm saying we should all drink the blood of babies to stay eternally youthful. You didn't read between the lines deeply enough.
> Every sane approach to security relies on keeping the bad guys out, not mitigating the damage they can do once they're in.
That’s not true at all in the field of cybersecurity in general, and I have doubts that it’s true in the subset of the field that has to do with anticheat.
You want to eliminate the freedom of running the software you desire for everyone to hopefully mitigate cheating?
>Mucking about in the kernel basically bypasses the entire security and stability model of the OS. And this is not theoretical, people have been rooted through buggy anticheats software, where the game sent malicious calls to the kernel, and hijacked to anti cheat to gain root access.
If you got RCE in the game itself, it's effectively game over for any data you have on the computer.
https://xkcd.com/1200/
>All of this is beyond horrific.
Hot take: It's also totally unnecessary. The entire arms race is stupid.
Proper anti-cheat needs to be 0% invasive to be effective; server-side analysis plus client-side with no special privileges.
The problem is laziness, lack of creativity and greed. Most publishers want to push games out the door as fast as possible, so they treat anti-cheat as a low-budget afterthought. That usually means reaching for generic solutions that are relatively easy to implement because they try to be as turn-key as possible.
This reductionist "Oh no! We have to lock down their access to video output and raw input! Therefore, no VMs or Linux for anyone!" is idiotic. Especially when it flies in the face of Valve's prevailing trend towards Linux as a proper gaming platform.
There's so many local-only, privacy-preserving anti-cheat approaches that can be done with both software and dirt cheap hardware peripherals. Of course, if anyone ever figures that out, publishers will probably twist it towards invasive harvesting of data.
I'd love to be playing Marathon right now, but Bungie just wholesale doesn't support Linux nor VMs. Cool. That's $40 they won't get from me, multiply by about 5-10x for my friends. Add in the negative reviews that are preventing the game's Steam rating from reaching Overwhelmingly Positive and the damage to sales is significant.
I don't understand why do you think that having the option to have secure boot and a good, trustworthy sandbox for processes implies you cant run Linux on a VM or Linux beside Windows etc.
People always freak out when I mention secure boot, and the funniest response usually are the ones who threaten to abandon Windows for macOS (which has had secure boot for more than a decade by default)
I'm not super technically knowledgeable about secure boot, but as far as I understand, you need to have a kernel signed by a trusted CA, which sucks if you want to compile your own, but is a hurdle generally managed by your distro, if you're willing to use their kernel.
But if all else fails you can always disable secure boot.
Secure Boot cuts both ways. The techniques anti-cheat software are allowed to use on Windows machines aren't even remotely allowed on macOS machines.
yes. this is why there's one box for work, & another for play.