84 votes

Steam games will now need to fully disclose kernel-level anti-cheat on store pages

23 comments

  1. sleepydave

    About time :) It should also come with disclosure about the risks of granting ring 0 access. The fact that Windows fails to adequately distinguish between a standard installation and a ring 0 installation to the user at the UAC prompt is appalling and I'm glad we're seeing industry trends heading in the right direction, even if it took an unprecedented international incident to spur it on.

    34 votes
    1. Lexinonymous

      To be honest, I'm a little mystified over why there seems to be so much anger directed at kernel-level anti-cheat specifically.

      First off, most of the things that an attacker would be interested in are accessible from userland. That "Free Discord Nitro" scam you see doesn't ask for admin access; it can log your keystrokes and upload your passwords and credit cards without having to show a UAC prompt.

      Secondly, every device someone plugs in has an associated driver, and I doubt most users are regarding the computer accessories they purchase with the requisite amount of suspicion. There are the obvious problems with counterfeits off of Amazon, but these days buying peripherals from fly-by-night dropshippers on their fourth company name in five years is more common than you think.

      The real downside to kernel-level access is stability. It is a legitimate concern, and in the case of CrowdStrike can have serious consequences. Having said that, in the past decade of my computer use, nearly all of my BSODs have either been caused by faulty hardware or GPU drivers. I can't recall a single instance of a BSOD pointing at EAC or a Vanguard DLL as the culprit.

      Personally, I can't help but feel like the anger directed at anti-cheat is being stoked by:

      • Well-meaning security professionals whose threat model includes state-level actors.
      • Cheaters.
      • The cheatmakers themselves.
      • Well-meaning individuals whose opinion is shaped by the prior three.

      EDIT: To be clear, I wouldn't mind Microsoft tightening the screws on kernel-level access, but until they introduce something that allows anti-cheat developers to have reliable insight into the machine's Secure Boot state and hardware IDs, as well as insight into what else is running on the machine, kernel anti-cheat is not going anywhere.

      14 votes
      1. ogre

        the anger directed at anti-cheat is being stoked by:

        • Linux users unable to play these games :)
        43 votes
        1. Lexinonymous

          This very much seems like a "Linux needs to be a platform where implementing an anti-cheat is feasible" problem.

          I wish I knew if the problem was more on the side of "It's possible, but most Linux distros aren't set up like that" or "It's not possible because Linux just exposes too many knobs that a clever hacker can twiddle." But it's not an impossible task on a general purpose computing device. From what I understand, macOS is pretty good at detecting an untrustworthy environment through Secure Boot, and disables software like FaceTime and Messages if you turn off SIP.

          3 votes
      2. sleepydave

        Kernel-level access should only be requested on a basis of absolute necessity; it's the point where there is no barrier preventing the ring-0 process from assuming full control over a system, and it can bypass any kind of client-side antimalware protections. It shouldn't have to be explained that it introduces potentially devastating effects if (for example):

        • A security breach allows a bad actor to push a malicious update
        • Poor QA allows a bad update through internal checks and onto client systems (we all should be intimately familiar with this problem by now :P), especially as memory-related bugs can be far more devastating in kernel space than user space
        • Considering Tencent's acquisition of Riot Games and China's adversarial behavior on the world stage, as well as their policy-based ability to railroad a backdoor into any digital system controlled by a Chinese entity, having a vector to assume control of/botnet-ize a significant portion of western client devices would be a highly compelling idea to the CCP if they thought they could get away with it

        Anti-cheat should be conducted via behavioural monitoring systems to detect in-game actions that breach the bounds of human interaction/interfacing, not by assuming kernel-level control and implementing invasive monitoring measures like screening all running processes and memory on the system and taking periodic screenshots.

        18 votes
        1. Lexinonymous

          Anti-cheat should be conducted via behavioral monitoring systems to detect in-game actions that breach the bounds of human interaction/interfacing

          I apologize, but I think that this sort of view comes from a very naive point of view.

          • Optimizing your game for behaviors that are difficult to cheat considerably limits the design space of what you can put into your game.
          • Most games have at least a few behaviors that would either not be caught by this kind of monitoring at all, or would result in false positives for people spinning their mouse rapidly or looking at the wrong patch of concrete wall for too long.
          • Hiding information from the client can be error prone, performance-intensive, and is incompatible with modern netcode techniques that rely on determinism - which implies predictability and as much information as pertinent - to reduce visible sources of lag.
          8 votes
          1. sleepydave

            There are emerging and even semi-established AI/ML solutions that address the "uncaught exceptions" particularly well when properly trained, as ML tech is extremely effective at pattern recognition to the point of vastly exceeding human capabilities. It's not as impossible as you might expect.

            However I think we're at odds over priorities here - I'm approaching this from a technological perspective since I don't play multiplayer games, but I understand the true risks involved in allowing this to become pervasive behaviour from software vendors. I understand why non-technical users would have an opposing opinion if they have to deal with cheaters on a regular basis, and rightly so in some ways, but they would only understand what's at risk at the point where it becomes a problem that personally affects them. It's not just an issue of "something could happen", it's that it is an eventuality. Whether it's one of my aforementioned examples, or a memory management vulnerability allowing an unrelated process to take advantage of that kernel access in malicious ways, it really is just a matter of time. Anyone worth their salt in the security space will tell you without hesitation that reduction of vulnerability vectors is critical.

            2 votes
            1. infinitesimal

              "Something happening" is an eventuality, but dealing with cheaters is an actuality. Just compare Counter-Strike and Valorant for effectiveness of kernel-level anticheats like Vanguard. People that don't want to deal with more effective anti-cheat in competitive multiplayer games can just not play. (But I do think the new disclosure policy is good and none of this is necessary for single-player games.)

              5 votes
            2. Lexinonymous

              It's not as impossible as you might expect.

              The creators of the Vanguard anti-cheat used by Valorant and League of Legends already use AI to determine cheating likelihood. However, comparing notes with their kernel scanner, they discovered that informational hacks that did not modify player inputs (such as radars) were undetectable, and that even aimbots had a detection rate of only around 40%. There was also the stated worry that cheats would soon begin using AI to make their assisted aim appear more human.

              Meanwhile, Valve seemed to hitch their wagon to AI cheat detection for Counter-Strike 2. Last I checked, cheating is considered pervasive in that game, with a very embarrassing VAC wave a few months ago when people were banned for spinning their mouse too quickly. There are actually multiple, quite popular third-party services available for CS2 that allow competitive play with a kernel anti-cheat.

              However I think we're at odds of priorities here - I'm approaching this from a technological perspective since I don't play multiplayer games

              That's fair, but without relevant domain knowledge or experience in game networking and anti-cheat, I would caution you about making sweeping generalizations about how anti-cheat should or shouldn't work.

              4 votes
              1. sleepydave

                ...without relevant domain knowledge or experience in game networking and anti-cheat, I would caution you about making sweeping generalizations...

                My primary certs are in networking IT and I'm aware of how most anticheat technology works :)

                4 votes
                1. Lexinonymous

                  To be clear, I don't necessarily disagree with your underlying position regarding kernel access. However, I don't think it's wise to say something prescriptive, like "Anti-cheat should be conducted via behavioural monitoring systems to detect in-game actions that breach the bounds of human interaction/interfacing" without an understanding of the problem space that anti-cheat is trying to solve.

                  2 votes
        2. ShroudedScribe

          Anti-cheat should be conducted via behavioural monitoring systems to detect in-game actions that breach the bounds of human interaction/interfacing

          Agreed. But then the companies would be required to pay employees to review these reports/alerts. And it's becoming pretty obvious with the implementation of AI absolutely everywhere that companies are fine with cutting their workforce in half to bet on AI.

          I mean, I guess an AI could be reviewing these reports too. But that's still another layer instead of just implementing invasive anti-cheat.

          5 votes
          1. Eji1700

            Agreed. But then the companies would be required to pay employees to review these reports/alerts.

            Orrrr they could just let us go back to the LAN days and allow people to host their own servers and moderate them their own way, which you know, worked.

            11 votes
            1. streblo

              Cheating is also a lot more sophisticated and widespread but this is probably the best option.

              That said, it basically involves just living with cheaters being in every game. Server admins can kick rage hackers pretty easily but anyone who does not want to be caught won't be. If cheat developers can develop cheats that avoid AI detection by mimicking the limits of human cognitive/motor function, some unpaid server admin doesn't really have a chance at making a dent in the cheating population.

              4 votes
          2. sleepydave

            That's more so a symptom of broader stakeholder/economic pressure than any kind of technological issue

            7 votes
      3. CptBluebear

        That's all assuming there isn't a bad actor in between the user and the administrator (or even a compromised administrator).

        I do not cheat, I have no stake in this. Yet I can't help but feel sort of violated by the sheer audacity of these gaming companies: that their game is so important they need full control over my device to stop a very small minority cheating in something so incredibly low-stakes. They're holding a loaded gun to a lot of innocent people that have nothing tangible to gain from it.

        14 votes
        1. gary

          How small of a minority depends on game. I don't play Counter-Strike anymore, but friends do, and I hear about cheaters a lot. One higher elo player estimated that at least 21% of players were cheaters, in a sample of 60 games. With the game being a 5v5, that means many games would include a cheater. CS is a game that is so rife with cheaters that two companies built a business model off of "we can offer you an environment to play CS in that is much stricter at catching cheaters".

          As someone opposed to giving kernel access to anti-cheat, I have been contemplating building a strictly-gaming PC or switching to console gaming if I ever want to play multiplayer competitive games again.

          3 votes
          1. CptBluebear

            Perhaps a very small minority was poorly worded on my part, yet 21% is still a minority. And perhaps another poor analogy to boot, but we agreed to stop hanging people because in part we hanged so many innocents. You don't punish the innocent people. Find another way.

            From performance to spying to potential catastrophe, I do not see an upside to force everyone into this deal or no deal. ESEA was opt-in and that's great. Want to deal with fewer cheaters with stricter control? Sure! Want to not deal with stricter control, also fine but you'll get more cheaters!

            6 votes
            1. stu2b50

              The percentage we care about is how many players are negatively affected by cheaters, and if 21% are cheaters, then that percentage is extremely high. You’d have a 1 - (0.79)^9 chance of having a cheater in your game.

              In the end, it’s a game. You can just not play it. There’s plenty of games out there.

              8 votes
              1. CptBluebear

                That's not the direction it's going in. More and more games are making it mandatory. I'm worried it's becoming the new normal.

                2 votes
      4. ShroudedScribe

        The real downside to kernel-level access is stability. It is a legitimate concern, and in the case of CrowdStrike can have serious consequences.

        And as in the case of CrowdStrike, things only have to go wrong once.

        I'd compare this to the system that allows Amazon to open your garage door to put packages inside. Except it isn't just your garage, it's the whole house. Sure, it's going to be used for legitimate purposes 99% of the time or (likely) more. But what happens when an Amazon employee is struggling to make rent, is pissed off at Amazon and the world, and decides to swipe your $500 worth of power tools from your garage? That's a serious consequence worth evaluating before opting in to this service.

        Anti-cheat in this comparison would be more like Amazon refusing to deliver packages to you without this service that makes you feel uneasy.

        And when we're talking about most people's computers, it isn't just a small source of value. It's financial data, PII (your social security number is likely in plaintext on any tax returns), other private information (emails), maybe even work-related documents that could cause a meltdown at your company.

        That being said, most things in life are a risk-reward decision, even if you don't think about it. Eating at a restaurant comes with some risk of food poisoning. Walking into your bank comes with some risk of a robbery taking place and putting you in danger. Driving your car comes with a chance of being in a fatal accident. The odds are minuscule, but these things do happen.

        But the risk of your computer being destroyed or exposing your personal information for the reward of playing an online game? That's not worth it to me personally.

        12 votes
      5. Carrow

        As I recall, the notoriety began when Valorant came out and with it, the release of Vanguard. Early Vanguard caused a lot of issues, with reports ranging from deleting random files and programs to completely bricking computers and frying power supplies. That's around when kernel level anti-cheat entered common parlance, though such anti-cheat existed before without these issues or notoriety.

        Nowadays, I game on Linux and Deck. A kernel level anti-cheat means I can't play a game. Worse, I could be banned just for trying to boot up or log in if I don't look it up myself. I'd like to know that for sure before buying it as the Steam Deck Verified status isn't always reliable or accurate.

        10 votes
      6. parsley

        To be honest, I'm a little mystified over why there seems to be so much anger directed at kernel-level anti-cheat specifically.

        Here is an example of what happens when you give root access to big companies: https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

        6 votes