would this be similar to the way having server-side logic only makes hacking significantly more difficult? Or is it sorta a "game over" from the hackers perspective, at least for awhile?
Fun fact: Early on into Vanguard, Valorant's Anticheat, some system monitoring software would not run at all - even with Valorant not running, because cheaters used a vulnerable kernel module included with that software to get their code into kernel mode.
> EA says kernel-level protection is “absolutely vital” for competitive games like FIFA 23, as existing cheats operate in the kernel space, so games running in regular user mode can’t detect that tampering or cheating is occurring.
There are soccer games from the 90s that didn't need to run in Ring 0.
As a "gamer", I have to say: We are running out of options for anti-cheat.
The cheaters are EVERYWHERE in games like Destiny 2, Fortnite, CS: GO, New World... any popular online game, the cheaters are in 1/10 matches ruining your fun.
Weather or not a kernel level anti-cheat will help? Probably not. It is unfortunate that a lot of lower information consumers are going to install this crap onto their PCs.
Valorant's anti-cheat has been very successful (Riot Vanguard) but it is also an early mode kernel driver, so it can load before any potential cheat driver.
I think Microsoft should just ship an anti-cheat API as part of Windows so games stop relying on kernel drivers.
This kind of anti-cheat would contradict the idea of having control over your own computer. It also wont end there in terms of invasiveness.
Instead, they should focus on non-invasive mitigations such as:
- Server-side anti-cheat.
- Pay-once or subscription models to deter cheating.
- Allow gaming coffee shops to authenticate themselves and give their customers privileged access to competitive worlds/instances. Because it’s much harder to cheat at these coffee shops already.
- Shadow-ban repeat offenders or apply punishments without them realising that they’ve been detected.
- Use bulk-banning to avoid giving cheaters a fast feedback loop which would otherwise make them understand what works and what doesn’t.
Honestly, I’ve never heard of Escape from Tarkov before, let alone know how they’ve implemented their mitigations.
However, I do believe that we’re able to create an entire subfield within CS just to serve the purpose of implementing server-side anti-cheat if we wanted to. Games companies can implement rather sophisticated solutions to fight this issue more effectively while putting less emphasis on controlling every consumer’s computer. It’s all about what our values are.
Valve has the biggest implementation of this with VACNet, but it requires training data (manual reports and a volunteer jury from the community) and a lot of compute. Client side anti-cheat is much cheaper, and Vanguard is generally more reliable than VACNet.
> This kind of anti-cheat would contradict the idea of having control over your own computer. It also wont end there in terms of invasiveness.
I don’t want another player in my game to have control over his own computer to aimbot. I can exit or uninstall Riot Vanguard if I want.
However, it does seem inevitable that any anti-cheat could be overridden with some kind of clever virtualization or an external device that views the screen and sends input either via USB or sleek RGB gamer aesthetic robot fingers.
Then, I suppose, we’ll have to go back to laser tag.
What you describe already exists, a CV driven cheat that uses mouse inputs / screen reading.
Would also work for League of Legends "auto-hit" or "aura" cheats that will automatically trigger an ability aimed perfectly if someone enters a radius around you.
However: This would possibly require a hardware peripheral and you could analyze the inputs a-la captchas.
Epic games has kernel level anticheat for fortnite and you hardly ever run into a cheater, I honestly cannot recall running into a single one in the last 2 years. Compare that to warzone that is rampant with cheaters. Comes with trade offs, but it is effective. Cheating ruins competitive games.
But that's built by the OS developers. I already trusted them. Now I need to trust Riot and EA and Blizzard and EAC to not fuck up basics of kernel module security.
from a long time already running in VM is automatically detected as cheating. a lot of people lost their accounts because of that (with permanent bans)
No. A cheat developer could still just sign a driver like every other developer and load a hypervisor. Then hook everything you want and youre gucci.
Another option: there are a lot of vulnerable drivers, such as intels LAN driver, or capcoms. Of course those are blacklisted and anti cheats usually don’t let you start the game when those are loaded, but you can use exploitable those to load your own driver, and then unload the vulnerable driver.
Other things you can do: DMA stuff, uefi payloads and more.
You will never be able to prevent cheating on user owned hardware which sits under their desk.
Except that all those things you listed are detectable or leave traces and can get you banned on most good anti cheats (EAC or the one that valorant uses)
> a properly implemented hypervisor
Very hard to do. There so many instructions that can be used to expose a HV. For VM hypervisors, MSRs aren't usually properly populated and all the junk that is exposed through WMI
44 comments
[ 3.5 ms ] story [ 87.5 ms ] threadThere are soccer games from the 90s that didn't need to run in Ring 0.
As a "gamer", I have to say: We are running out of options for anti-cheat.
The cheaters are EVERYWHERE in games like Destiny 2, Fortnite, CS: GO, New World... any popular online game, the cheaters are in 1/10 matches ruining your fun.
Weather or not a kernel level anti-cheat will help? Probably not. It is unfortunate that a lot of lower information consumers are going to install this crap onto their PCs.
I think Microsoft should just ship an anti-cheat API as part of Windows so games stop relying on kernel drivers.
Instead, they should focus on non-invasive mitigations such as:
- Server-side anti-cheat.
- Pay-once or subscription models to deter cheating.
- Allow gaming coffee shops to authenticate themselves and give their customers privileged access to competitive worlds/instances. Because it’s much harder to cheat at these coffee shops already.
- Shadow-ban repeat offenders or apply punishments without them realising that they’ve been detected.
- Use bulk-banning to avoid giving cheaters a fast feedback loop which would otherwise make them understand what works and what doesn’t.
However, I do believe that we’re able to create an entire subfield within CS just to serve the purpose of implementing server-side anti-cheat if we wanted to. Games companies can implement rather sophisticated solutions to fight this issue more effectively while putting less emphasis on controlling every consumer’s computer. It’s all about what our values are.
I don’t want another player in my game to have control over his own computer to aimbot. I can exit or uninstall Riot Vanguard if I want.
However, it does seem inevitable that any anti-cheat could be overridden with some kind of clever virtualization or an external device that views the screen and sends input either via USB or sleek RGB gamer aesthetic robot fingers.
Then, I suppose, we’ll have to go back to laser tag.
Would also work for League of Legends "auto-hit" or "aura" cheats that will automatically trigger an ability aimed perfectly if someone enters a radius around you.
However: This would possibly require a hardware peripheral and you could analyze the inputs a-la captchas.
They manage on mobile devices without kernel level anti-cheat systems.
Another option: there are a lot of vulnerable drivers, such as intels LAN driver, or capcoms. Of course those are blacklisted and anti cheats usually don’t let you start the game when those are loaded, but you can use exploitable those to load your own driver, and then unload the vulnerable driver.
Other things you can do: DMA stuff, uefi payloads and more.
You will never be able to prevent cheating on user owned hardware which sits under their desk.
EA at least said it won't be every game either so hopefully if they didn't it won't be a huge problem either way.