44 comments

[ 3.5 ms ] story [ 87.5 ms ] thread
Any bets on how long it will take hackers to find a security exploit in this crap? Anything running at kernel level is going to be a prime target.
If they use remote attestation, it will be basically irrelevant if they do from EA’s perspective.
would this be similar to the way having server-side logic only makes hacking significantly more difficult? Or is it sorta a "game over" from the hackers perspective, at least for awhile?
Given the track record with other games' kernel-level anti-cheat, probably not very long.
Fun fact: Early on into Vanguard, Valorant's Anticheat, some system monitoring software would not run at all - even with Valorant not running, because cheaters used a vulnerable kernel module included with that software to get their code into kernel mode.
> EA says kernel-level protection is “absolutely vital” for competitive games like FIFA 23, as existing cheats operate in the kernel space, so games running in regular user mode can’t detect that tampering or cheating is occurring.

There are soccer games from the 90s that didn't need to run in Ring 0.

Yeah but to be fair, those games were nowhere nearly as popular as FIFA is today both casually and competitively.
Gross. Also a recipe for disaster. However:

As a "gamer", I have to say: We are running out of options for anti-cheat.

The cheaters are EVERYWHERE in games like Destiny 2, Fortnite, CS: GO, New World... any popular online game, the cheaters are in 1/10 matches ruining your fun.

Weather or not a kernel level anti-cheat will help? Probably not. It is unfortunate that a lot of lower information consumers are going to install this crap onto their PCs.

A lot of games already have kernel-level anti-cheat. Was it successful in fixing the cheating problem for any of them?
Valorant's anti-cheat has been very successful (Riot Vanguard) but it is also an early mode kernel driver, so it can load before any potential cheat driver.

I think Microsoft should just ship an anti-cheat API as part of Windows so games stop relying on kernel drivers.

This kind of anti-cheat would contradict the idea of having control over your own computer. It also wont end there in terms of invasiveness.

Instead, they should focus on non-invasive mitigations such as:

- Server-side anti-cheat.

- Pay-once or subscription models to deter cheating.

- Allow gaming coffee shops to authenticate themselves and give their customers privileged access to competitive worlds/instances. Because it’s much harder to cheat at these coffee shops already.

- Shadow-ban repeat offenders or apply punishments without them realising that they’ve been detected.

- Use bulk-banning to avoid giving cheaters a fast feedback loop which would otherwise make them understand what works and what doesn’t.

Escape from Tarkov does all those things apart from coffee shops and shadow banning and still has a massive cheating problem.
Honestly, I’ve never heard of Escape from Tarkov before, let alone know how they’ve implemented their mitigations.

However, I do believe that we’re able to create an entire subfield within CS just to serve the purpose of implementing server-side anti-cheat if we wanted to. Games companies can implement rather sophisticated solutions to fight this issue more effectively while putting less emphasis on controlling every consumer’s computer. It’s all about what our values are.

Valve has the biggest implementation of this with VACNet, but it requires training data (manual reports and a volunteer jury from the community) and a lot of compute. Client side anti-cheat is much cheaper, and Vanguard is generally more reliable than VACNet.
> This kind of anti-cheat would contradict the idea of having control over your own computer. It also wont end there in terms of invasiveness.

I don’t want another player in my game to have control over his own computer to aimbot. I can exit or uninstall Riot Vanguard if I want.

However, it does seem inevitable that any anti-cheat could be overridden with some kind of clever virtualization or an external device that views the screen and sends input either via USB or sleek RGB gamer aesthetic robot fingers.

Then, I suppose, we’ll have to go back to laser tag.

What you describe already exists, a CV driven cheat that uses mouse inputs / screen reading.

Would also work for League of Legends "auto-hit" or "aura" cheats that will automatically trigger an ability aimed perfectly if someone enters a radius around you.

However: This would possibly require a hardware peripheral and you could analyze the inputs a-la captchas.

I mean, a Windows 11 setup with all of the modern security features enabled could very much allow this as a possibility.
They love their DRM. This won't stop programs running outside EA's view of "kernel space". Total waste of time, and opening a new side channel.
Epic games has kernel level anticheat for fortnite and you hardly ever run into a cheater, I honestly cannot recall running into a single one in the last 2 years. Compare that to warzone that is rampant with cheaters. Comes with trade offs, but it is effective. Cheating ruins competitive games.
I'd sooner have real IDs tied to internet personas than this shit
We need total DRM to sell you NFTs^^^uh, I mean player cards!
Elden Ring has kernel-level anticheat and people STILL cheat
This is the kind of thing UWP sandbox, or killing kexts in macOS forbids, but hey lets enjoy the freedom of installing anything.

They manage on mobile devices without kernel level anti-cheat systems.

You have SafetyNet in Android which does the same thing, prevent device or app tampering.
But that's built by the OS developers. I already trusted them. Now I need to trust Riot and EA and Blizzard and EAC to not fuck up basics of kernel module security.
You don't need that on mobile devices because Android and iOS already provide with attestation systems, which Windows lacks (by now)
So run it in a VM and cheat from there?
from a long time already running in VM is automatically detected as cheating. a lot of people lost their accounts because of that (with permanent bans)
Does that include ESXi?
AFAIK it includes most of virtualizations, as if OS is able to detect it's running in vm, so can do ani cheat
Couldn't secureboot disable the kernel anticheat then? Microsoft has verified your kernel and drivers for you.
No. A cheat developer could still just sign a driver like every other developer and load a hypervisor. Then hook everything you want and youre gucci.

Another option: there are a lot of vulnerable drivers, such as intels LAN driver, or capcoms. Of course those are blacklisted and anti cheats usually don’t let you start the game when those are loaded, but you can use exploitable those to load your own driver, and then unload the vulnerable driver.

Other things you can do: DMA stuff, uefi payloads and more.

You will never be able to prevent cheating on user owned hardware which sits under their desk.

Except that all those things you listed are detectable or leave traces and can get you banned on most good anti cheats (EAC or the one that valorant uses)
a properly implemented hypervisor cannot be detected outside of vague timing attacks which can be mitigated
> a properly implemented hypervisor Very hard to do. There so many instructions that can be used to expose a HV. For VM hypervisors, MSRs aren't usually properly populated and all the junk that is exposed through WMI
Bad news for proton / the steamdeck I believe?
Depends on whether EA cares enough about it. Epic did make EasyAntiCheat compatible with Proton so it's not un-doable.

EA at least said it won't be every game either so hopefully if they didn't it won't be a huge problem either way.

If anyone from EA is reading this, please consider this to be a formal invitation to kiss my skinny white ass.
Getting a machine dedicated to games where I don't do much else has been a decision that, although costly and annoying, keeps being correct.