Comment by bflesch 2 days ago

As most of you know, these anti-cheat systems are functionally equivalent to rootkits. There is zero visibility into how these privileges are used for targeted attacks. Due to geographic location of the large game companies this has a geopolitical angle. Fingerprinting of devices and the networks they are in provides a lot of metadata that is most definitely fed into their intelligence apparatus.

pmarreck 2 days ago

I remember trying to install Valorant for the first time, and its ridiculously invasive anticheat kernel mod (or whatever it's called) gave me my first blue (or was it red??) screen I'd seen on Windows in years.

Immediately uninstalled it and haven't ever played Valorant to this day. Fuck that crap, if your community is so toxic that you need a rootkit to keep cheaters at bay, then maybe it's more of a community problem than a technological one. And yes, if this means that you have to block all of China in order to do so, then that is still a community problem. Put your rootkits on your Chinese servers, separate them out, and let the cheaters fight amongst themselves.

  • xeonmc 2 days ago

    Is it any coincidence that such a state is from the same company behind League of Legends?

  • philipallstar 2 days ago

    > if your community is so toxic that

    It's nothing to do with a toxic community.

    • ohdearnopls 2 days ago

      It might not be the sole reason (and most likely isn’t), but toxic communities breed these sorts of behaviours, especially in games that are extremely hostile to casual players.

stephen_cagle 2 days ago

I'm curious, do they have to be? Would it be possible to boot the program + the anti-cheat into its own VM or something? So they know I am running on trusted hardware, but I know that they aren't reading my emails? Genuinely curious and don't know the answer to this.

  • bflesch a day ago

    The anticheat will try to detect the VM and it will give a warning, so that's not a solution. Ideally keep leisure time devices and work devices separate. Consoles are a good solution because you are never tempted to use your emails on those.

    But also you need to think about who your adversary is. Other countries have access to all your iCloud mail and photos all the time. Something like Dropbox and OneDrive is scanned and catalogued in the background.

    Hardware supply chain is a difficult topic and each layer of abstraction has its own mini operating system in the firmware, and the past has shown many of them have backdoors.

az09mugen 2 days ago

Yes, and more than that, the kernel-level anticheats are unable to spot someone using a Cronus (hardware aim assist among other stuff [0]).

I'm never going to play again online on any FPS because that whole incoherent bubble of crap disgusts me.

The multiplayer games community is toxic, and players are focused on success whatever the cost is. And I don't even want to touch the question of matchmaking with a 10-foot pole. Local, self-hosted or in small community is the best.

[0] https://cronus.shop/

  • officeplant 2 days ago

    >Local, self-hosted or in small community is the best.

    It always makes me happy to fire up Quake via Darkplaces or even ioQuake3 and still see servers up and people playing.

surajrmal 2 days ago

Unpopular opinion, but we would be better off with a single open trusted implementation of anti-cheat (aka DRM) which can attest that whatever requirements are desired by the game are met. The only real problem is that it would likely be limited to approved kernel images and someone would need to own that validation and signing infrastructure, but you could imagine having multiple trusted entities having this role.

  • bflesch 2 days ago

    Kernel anticheat is not really effective because it can be circumvented on the hardware level, for example using direct memory access with a second computer and screen to show the hidden game state.

    Cheating is a meatspace problem and there is no technical solution to it. That's why in tournaments there are referees standing behind the players. Ultimately it comes down to checking if metrics like reaction speed are humanly possible, but a rootkit is not really needed for that.

    • maccard 2 days ago

      > Cheating is a meatspace problem and there is no technical solution to it

      Cheating is an arms race - the number of people who are willing to run a second computer with DMA connected to a single machine is vastly smaller than the number of people who are willing to download a dodgy file from the internet and run it.

      > Ultimately it comes down to checking if metrics like reaction speed are humanly possible, but a rootkit is not really needed for that.

      If it was that easy, cheating would be a solved problem. An awful lot of play is "I know the reload time is 0.75s, so they're going to appear when they've reloaded" - that's way beyond human reaction time. And that's at "mid level" play - at gold/silver levels in League of Legends knowing cooldowns is considered base knowledge. At higher levels of play, _all_ of your players are statistical outliers.

      • sudosysgen 10 hours ago

        This hasn't been true for a very long time. The kind of cheats that can survive even very basic anticheat for a long time cost a decent amount of money on a subscription basis. Most cheaters by volume pay quite a chunk of change to cheat.

    • bangaladore 2 days ago

      > Kernel anticheat is not really effective because it can be circumvented on the hardware level, for example using direct memory access with a second computer and screen to show the hidden game state.

      Incorrect. DMA (direct memory access) is and can be prevented [1] and detected [2].

      [1] https://www.faceit.com/en/news/faceit-rollout-of-tpm-secure-...

      [2] https://community.osr.com/t/detecting-pcie-dma-based-cheatin...

      • vablings a day ago

        Once again back to another arms race. Assuming that your operating system doesn't allow any bad drivers (Windows does NOT do this), physical access to the hardware is just a function of time and money to get direct access to the memory.

        https://x.com/danielgenkin/status/1989003973429268974?s=12

        Something like TEE.fail can be used to read encryption keys for network traffic, then a MITM proxy can display player information easily on a second PC; you will never be able to reliably detect this.

      • sudosysgen a day ago

        You can still do DMA cheating with IOMMU enabled. There are quite a few relatively widespread bugs with IOMMU that allow you to bypass it, for example https://cloud.google.com/blog/products/gcp/fuzzing-pci-expre.... So to be able to actually do IOMMU DMA protection you need to be willing to ban many popular devices. That may be viable for FACEIT and ESEA but it won't be for 99.9% of anticheat deployments.

        The detection for DMA cheating is based on the DMA engines being unable to emulate 1:1 the actual behavior the hardware ID would be expected to have. This can be fixed by simply doing that properly.

        But even besides that, DMA through PCIe is just one hardware cheat that fits a separate threat model and therefore has some countermeasures.

        There are much more robust methods you can use, for example a PCIe interposer between the OS and GPU, or simply direct memory interposers if you want to do DMA without the protections afforded by the PCIe implementation. There are interposers along with machinery to get around memory encryption and other obfuscations that can be made for around $100.

    • cortesoft 2 days ago

      This is theoretically possible, but I don't think most cheaters would have the equipment or skill to do this. Cheating is only rampant in games where people can just buy and download cheats... if it requires a lot of skill and hardware, it won't be a big issue.

      • sudosysgen a day ago

        It's not just theoretically possible, you can buy kits that do this already.

  • archagon a day ago

    This way lies the death of general purpose computing.

  • chainingsolid 20 hours ago

    I'm not sure this is an unpopular opinion. I've seen it suggested multiple times, and IF done correctly (open/transparent) it would solve most of the complaints with the ring-zero anti-cheats. Still won't solve every cheat, especially hardware, social and perhaps good VMs. I would require the app/game to disclose what it requires to be true.