this trend in gaming makes me very concerned.

  • Published: 25 Oct 2024
  • I hate kernel level anticheat. It should not be allowed
    🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
    🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
    Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
    Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
    Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
    The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
    🔥 SOCIALS 🔥
    Come hang out at lowlevel.tv

Comments • 1.2K

  • @LowLevel-TV 2 months ago +153

    wow that's crazy anyway go learn to code at lowlevel.academy it's based and cool

    • @Pauel3312 2 months ago +14

      Bro just "Wow that's crazy" 'd himself

    • @DudeSoWin 2 months ago +1

      Do Not Lie to groom Newbies for clicks! The Epstein/Y2K company of Microsoft had OS level WIFI RCE (Remote Code Exploit), proposed a keylogger feature named after a dystopian film "Total Recall" and thereafter auto turned on one-drive to further data theft. Crowdstrike even in failing to carry such impotent freeloaders of government grant money did well to halt the flagrantly arrogant sh*tstorm that is M$ nerds. Putting out freebies and xbox console to pander for mercy among consumers is not the place of honest systems development.

    • @inadad8878 2 months ago

      Is it true Microsoft was hacked yesterday or somethin

    • @RPG_Guy-fx8ns 2 months ago

      I think WebGPU is going to blue screen people's machines and steal their data.

    • @DarraghMcCarthy 2 months ago +1

      the signup submission state is broken. The server response is missing a "data" property, triggering an error

  • @tranthien3932 2 months ago +1847

    This is Ed. Ed is a cybersecurity specialist by day, a gamer by night. We still don't know when he makes videos, science is still trying to figure it out.

    • @tambow44 2 months ago +112

      He’s also a father!

    • @rawallon 2 months ago +84

      Read that as the Stanley Parable narrator voice

    • @tranthien3932 2 months ago +26

      @@rawallon now I can't unhear him, thanks 👍

    • @DudeSoWin 2 months ago +6

      Glowie running that weighted crysis management language.

    • @CoreDump451 2 months ago +16

      @@rawallon This is the story of a man named Ed

  • @NinetyUnderScore 2 months ago +1303

    Valorant's anticheat literally made my computer get stuck in a boot loop because it kept terminating an important driver thinking it was a cheat. Needless to say, I don't play Valorant anymore

    • @test-rj2vl 2 months ago +171

      Need to demand better consumer protection laws. Anticheats shouldn't be allowed to stick their nose outside of the game they are protecting.

    • @guitarcat01 2 months ago +35

      I hate the fact that I still play LoL, and Vanguard is now required. I keep a Windows installation *just* to play LoL, and mostly am using Linux because I don't wanna run the risk of a driver potentially killing my installation

    • @aoqia 2 months ago +11

      @@test-rj2vl Well to be fair on their part, they literally need to because not all cheats traditionally inject themselves into the game. Some (like ones that evade vgk) are drivers that send a usermode application some instructions like where the enemies are in the world and what their health is. Say you inject that usermode application into Discord and get it to render all the information that the driver is telling it, you now have a cheat with a working overlay; to anticheats this generally looks like two separate programs with different use cases: a random driver on your system and a random usermode application injected into discord. Although it is trivial to detect this certain method of cheat, it's generally how most cheats work that aim to bypass kernel stuff. This is assuming you don't use DMA.

    • @chinesepopsongs00 2 months ago +66

      @@aoqia the valorant anti cheat is incompatible with pretty popular software like Virtualbox from day one up to today. If a gaming company cannot fix that in years they should not write kernel code period. If they cannot fix stupid things in years they are just incompetent to play with such power.

    • @ggeilokowski 2 months ago +7

      @@chinesepopsongs00 they could fix it, they just don’t care enough or deem it a security risk.

  • @hairetsu 2 months ago +381

    I've been saying this for a long time: single points of failure on a grand scale should be examined with heavy scrutiny and skepticism.

    • @collectorguy3919 2 months ago +15

      Don't worry, adversaries are definitely examining the many single points of failure none of us have noticed.

    • @ajk251 2 months ago

      This point is so spot on.

    • @rebs4jezus 2 months ago +2

      @@ajk251 It's also very limited common sense.

  • @H3liosphan 2 months ago +240

    Well MS have come out and begun the discussion about preventing security vendors from going Kernel level. Quote from the Verge article - "Now, the software giant is calling for changes to Windows and has dropped some subtle hints that it’s prioritizing making Windows more resilient and is willing to prevent security vendors like CrowdStrike from accessing the Windows kernel." Perhaps make a new gap in the CPU protection rings and put the code above Kernel level but below app level. Either way I'd agree that the LAST thing anti-cheat vendors should be doing is fking around in Kernel space.

    • @MasterBroNetwork 2 months ago +8

      100%, My PC blue screened after closing a game that uses EasyAntiCheat EOS because of an IRQL fault.
      Literally, the only thing that I did was close the game and then my PC blue screened 5 seconds later, This would not be an issue if the driver functioned as intended.

    • @JuliaYamYam 2 months ago +7

      The layer is already there, it's called Virtualization Based Security and all gamers switch it off because it saves them a little bit of FPS. If there was a way to ensure trusted boot and environment, sure, but also we live in the world where UEFI SecureBoot keys got leaked, so who knows what future brings :) I think mainstream cheating through memory operations and internal code injection will slowly be on its way out with more and more platform security, especially when some will become mandatory to play online. People will still cheat, but it will be more expensive, rare and often primitive, although I'm sure some smart ones will bypass protections no matter the cost

    • @firecat6666 2 months ago

      Yeah, I'm really hoping MicroSoap does something about this. I bet hackers are salivating at the thought of using that Vanguant anticheat from Rito as a backdoor to turn literally a hundred million computers into zombies.

    • @xXCheapTofuXx 2 months ago

      @@JuliaYamYam The year is 2045, MegaSoft has solved the problem of cheats, their newest operating system, Walls, securing the world from exploits by simply not running any code. This has introduced a new cheating problem, robots physically playing instead of the person. Because of this rising level (0.001%) of players cheating. Reeking Games just released their newest full biology level anticheat. In order to play their popular game, League of LLMs, you must have a chip implanted inside your brain to verify that you are playing the game.

    • @MadsterV 2 months ago +3

      that's some good news. No game should have kernel access.

  • @LarsJohan 2 months ago +373

    "When they got the update they either BSOD'ed or couldn't play League. Not a great place to be."
    This is absolutely a great place to be.

    • @kiseitai2 2 months ago +30

      Denial of League attack.

    • @chri-k 2 months ago +3

      @@kiseitai2 DDOLOL

    • @Moon-D0G 2 months ago

      I deleted the League, just because Vanguard. I don't care you as Game Company had to protect your game so you can access my everyshit and do anything that regular user can't find. That is not normal and acceptable. 0 fck given about game company's trust score, data is data. They still didn't explain why they took screenshot of other apps on your computer, yet it blocks whole kind of shit and mess with non game cheat programs. No game worth this mess 😂

  • @phenom957 2 months ago +512

    Can we just go back to the days when people could host their own servers?
    Server hosts decide who plays on their server. Servers can be modded to tailor gameplay to that niche.
    If cheaters enter the server, community admins remove them.
    I miss these simpler times.

    • @RicardoBAyres 2 months ago +97

      totally agree, cheating is a people's problem, not a computer one. sometimes it can even be fun to allow mods that would count as cheats if that is what the players of a specific server enjoy, but these companies are control freaks, if they allow that, they can't extort money from players like they do today 😢

    • @tdsdave 2 months ago +44

      I totally agree, it also would stop this trend of games going offline, effectively making the game extinct, because games hosting eventually becomes an expense the games maker does not want to continue paying for.

    • @Tudas 2 months ago +7

      "simpler times" lol.

    • @smartperson1 2 months ago +41

      Yeah but then you can't sell cosmetics using microtransactions and gacha mechanics.

    • @MrBenMcLean 2 months ago +17

      @@phenom957 This is what I want as well. Play with people you know IRL. No need for anti-cheat. That's all.

  • @totlyepic 2 months ago +335

    The more fundamental problem is games as services. There will absolutely never be a silver bullet for cheaters in games; you should just aim to minimize the impact cheaters have. The only reason kernel-level anti-cheat appeals to these devs is because they start from the assumption that the matches you play should be you paired with 9 strangers that you'll never see again, and in that environment, some cumbersome, labor-intensive system where strangers are audited and judged days or weeks after they've already ruined games for people is the only approach available. This is no solution at all, and the only ACTUAL comprehensive solution is for multiplayer-first games to move back to a model more similar to what we used to have: servers you can run and manage yourself, so that when a cheater rears their head, an admin can just ban them immediately and everyone can go about their day.

    • @JaddarJexiszuir 2 months ago +68

      I was watching a video about how people bypass Vanguard, and the person who made it made a really good point: smurfing is probably more of a problem than cheating now, and that's an entirely different problem

    • @Tudas 2 months ago +1

      Ye that shouldn't happen and won't happen. Most games are online competitive games, so you won't have servers most of the time, because why?

    • @mettlemesh 2 months ago +4

      What if it's a game with more transient multiplayer though? Take something like Elden Ring for example, where as you play through the game other players can dip in and out of your session for coop and pvp; a setting where a traditional server like for an FPS game is impossible. You gotta have something in place.

    • @n00dl3 2 months ago +26

      Badmins were just as much of a problem back in the day of self-hosted servers

    • @plinyvicgames 2 months ago +16

      all online services have this problem lol. they really think they can just have hundreds of thousands of servers with no moderation at all and not have people break their rules unpunished. delusional.

  • @aarong9378 2 months ago +98

    I feel like we had this conversation back in Windows NT 3.5. Microsoft wouldn't allow for Ring 0 drivers, but then IOMEGA had a fit that their parallel port ZIP drive wouldn't work without it. Microsoft backed off and allowed Ring 0 drivers... and let the genie out of the bottle.

    • @nagi603 2 months ago +23

      Also MS wanted to close off basically the antivirus market to be them only, and that became a monopoly problem. They backed off, and most importantly just dropped the ball there and did not tidy up and provide a universal, good-enough-but-not-ring0 level access method that both their own and competitors could use.

    • @Mordecrox 2 months ago +10

      So you telling me some short-lived fad opened the gates of hell?
      (Yeah I know it was a big deal but in hindsight they ended being a blip in my radar, skipped from floppy straight to burnable cds and pendrives, hopefully Crowdstrike is the cork that seals the genie back and "no more layer 0 code!")

    • @TheDuckPox 2 months ago +10

      @@nagi603 I mean, OS security is one aspect that should be the sole responsibility of the operating system itself, not a third-party anti malware.

    • @RandyRanderson404 2 months ago +1

      @@aarong9378 Oh man, ZIP drives! Now that’s a memory.

  • @Rheeve 2 months ago +304

    I just refuse all games that use Kernel Level Anti-cheat. Pretty easy if you refuse to play multi-player games. Single-player games are pretty comfy.

    • @YourChenlambec 2 months ago +12

      @@Rheeve Or just play with friends

    • @oussama7132 2 months ago +3

      but what if you want to play multiplayer? I don't see another way devs can't prevent cheating. even kernel drivers can't prevent hardware cheats.

    • @korcommander 2 months ago +5

      To be comfy is to be weak. I seek struggle and improvement. Unfortunately, the best challenges are people. You also lock yourself out of tons of genres

    • @mushroomcrepes4780 2 months ago +14

      I don't get this comment, singleplayer and multiplayer are completely different.

    • @AndrewS925 2 months ago +15

      Kernel vs Admin anti-cheat is kind of a red herring, because the damage that can be done is pretty interchangeable.
      If VAC ever gets hacked there are a hundred million PCs that are now compromised with an Admin level RCE. Blank Clients like VAC are at least as big a risk as kernel mode because they are walking, talking admin RCEs. And everyone seems perfectly OK with it.
      No really, that is how VAC works. The server sends your client code and VAC executes it as admin on your machine. If that is ever compromised it'll make crowdstrike look tame.

  • @BitBanger41 2 months ago +255

    Anyone else remember when Sony shipped music CDs that installed rootkits on people's computers? A tale as old as time.

    • @edwardallenthree 2 months ago +50

      I remember the guy who programmed autorun started making videos for a while on YouTube. Nice guy, usually. He talked about the challenge that Sony created, but got extremely hostile to me in the comments when I told him how unacceptable autorun was at the time, attacking Linux, for some reason.
      I stand behind my statement. Autorun on CDs was the worst decision Microsoft ever made.

    • @k1ngjulien_ 2 months ago +25

      @@edwardallenthree but it's so convenient! having to click a button after I insert a cd is soooo tedious... /s

    • @Shocker99 2 months ago

      @@edwardallenthree I think the concept of autorun is a good idea, but it could have been implemented far better.
      Think about all of the tech illiterate. They insert a CD, and then now what? The tech illiterate won't know how to then run the disc if there is nothing that auto-magically loads the content.
      Watch the most tech illiterate person in your family on a computer and see how they struggle with the most basic of activities - even those that were once good with computers eventually lose it.

    • @pluto8404 2 months ago +14

      @k1ngjulien_ even then, having to manually insert a cd is tedious, just push it to my machine while I sleep at night so I can wake up to the code running with a blue screen.

    • @joachimfrank4134 2 months ago

      Didn't they get an anti-terror lawsuit, because they were suspected to have attacked the computer infrastructure of the USA.

  • @versacebroccoli7238 2 months ago +57

    These root kits have always been a sin but it took grounding all the planes for anyone to notice. Smh.

    • @anonimmouse17 2 months ago +4

      Is it affects our users?
      Too bad.
      Is it prevent us from making money?
      OH NO LETS BLOCK IT

  • @TurntableTV 2 months ago +49

    I made a similar parallel in a popular game subreddit and my post was taken down by their moderators with the reason being: "Not relevant to the subreddit", although that game uses a kernel level anti-cheat on a popular platform. Not trying to complain about it, just trying to say that there is a lot of ignorance on this matter, due to lack of technical literacy.

    • @Arekadiusz 2 months ago

      If one person can do it, imagine what governments can do. Btw, what tools are u using?

  • @staviq 2 months ago +33

    Kernel mode software is like buying a safe, and letting your neighbor's gardener replace parts of the lock.
    We know nothing about competency of people we give unrestricted access to our things, with high chances of them not even understanding what they are working with, because that was never a part of their job description.

    • @richardjung9562 1 month ago

      Yeah it's crazy. They're basically saying, "here is our game. For u to have fun we need power of looking through and potentially controlling everything in your pc" 70 bucks pls

  • @fellipec 2 months ago +66

    The joys of never playing competitive multiplayer: I don't have to deal with those kind of BS

    • @AlexMax2742 2 months ago +18

      Don't worry, you're only missing out on balding 30+ year old men with the mentality of teenagers blaming you for every lost game. There's a reason #FixTF2 took off, and it's because TF2 was one of the last PvP multiplayer games to prioritize actually having fun.

    • @hughjanes4883 2 months ago +7

      @@AlexMax2742 As a 1200 hour tf2 player (relative beginner) I have tried cs2, valorant (big mistake) and a few other competitive games. They're just not fun, I was bad at them but they were unenjoyable because they were just shit. You're right on the money on why fixtf2 took off, tf2 is just so GOOD

    • @willo90li 2 months ago

      tf2 is like the smash of shooters
      really fun casually, but given enough tweaks and removing some weapons that throw balance for shit xd, then you get a really fun competitive game (whether its 6v6, 9v9 highlander, etc.)

    • @akeem2983 2 months ago +1

      VRChat isn't a competitive game, yet has kernel level anticheat as well for some dubious reasons

  • @garrettrye6951 2 months ago +13

    This is exactly what I was thinking about as soon as the crowdstrike event hit my company, “aren’t gaming companies demanding kernel level access for cheat detection now, too? this all must be reversed”

  • @bwabbel 2 months ago +48

    We're talking about GAMES here. A form of ENTERTAINMENT. Kernel mode should NOT be a thing here!

    • @Hexanitrobenzene 2 months ago +8

      Yeah, game developers have no business writing kernel level code.

    • @landrec2 2 months ago +5

      It kind of tells you, but it's so shady the way they do it. Some TOS agreements pop up, but that's after you bought the game and installed it. 95% of people just agree because they're already mentally and financially invested in playing the game.

    • @DuckieMcduck 2 months ago +3

      unfortunately we live in a world where the vidyagames industry is a half trillion dollar industry

    • @Jutastre 2 months ago +4

      I think it would be fair to require it for professional level play tbh. But it's a bit extreme for just average gamers. That said, some might still prefer it to cheaters.

    • @aenguswright7336 2 months ago +1

      @@Jutastre No, professionals should play on audited machines in a secure network environment. Preferably on provided hardware. If you really want a level playing field, that is how it should be. You can't guarantee it otherwise. People will literally decompile the binary and program their stuff in if you give them enough of a chance otherwise. I don't think that Game studios have the actual time or expertise to actually write high level security.

  • @system64_MC 2 months ago +38

    the games industry already was.
    Starforce DRM crashing computers.

    • @modelenginerding6996 1 month ago

      Starforce is still installed on products under a different brand for games. There are a few dictatorships out there using DRM on popular gaming software they promote. 🤔

  • @gitstautusgitstutasgitstatus 2 months ago +98

    Gamers now: "we all gotta give Chinese owned Riot games full access to our PCs because of hackers in matchmaking"
    Gamers then: *disconnect and join another server*
    In hindsight I didn't realise how good we had it. Coming home from school and joining the same server day after day was great. We didn't need to go to Reddit to find little pockets of community, right there in the games, and the server regulars would recognise each other. For the most part it was all decentralised. Good times.

    • @Dominexis 2 months ago +21

      Minecraft Java still has this going for itself. Decentralized servers are epic.

    • @xiggawag 2 months ago +28

      @@gitstautusgitstutasgitstatus gamers now: "wow another cheater in my lobby not getting banned despite the kernel mode anticheat time to leave" *gets banned for leaving*

    • @Monstylicious 2 months ago

      Gah, those times were great. I think Team Fortress 2 was the last time I did that. We even had cross-team voice open cause everyone knew each other. The whole assembly line-ing of matchmaking took away all of the best parts of multiplayer(except lazy convenience).

  • @KyuubiWindscar4 2 months ago +14

    I'm subbing just off the fact that I also agree with forcing people to install software they don’t understand. Because these companies are also not educating end users

    • @XxZeldaxXXxLinkxX 2 months ago

      See but here's the thing, users likely _don't_ want to learn. Hell, developers don't even read the docs for the libraries they use, and you expect the average Joe to read an explanation of the software stack, let alone understand it?
      (I agree with Ed though)

    • @GamePlays_1230 2 months ago

      @@XxZeldaxXXxLinkxX no but at least make it clear that this driver can cause a blue screen if it fails (that's enough)

  • @0ceanswave 2 months ago +138

    careful - Clownstrike is copyright striking folks for using the bird logo.

    • @whambalamb 2 months ago +61

      If the logo is not owned or the content creator was not given explicit permission then there is something called fair use. Fair use: Using logos for criticism or commentary under fair use laws.

    • @danielgrezda3339 2 months ago +16

      @whambalamp yeah but you need to sue them to get the video back. They will probably settle though since they're likely bracing for upcoming lawsuits.

    • @piisfun 2 months ago +11

      @@whambalamb Even then, it can't be a copyright strike. It would need to be a trademark lawsuit, which they would lose, because it is being used, correctly, in reference to them.

    • @nagi603 2 months ago

      @@whambalamb Yes, but they also have the cheat-code called "more than enough money to throw at lawyers to bankrupt you in court"

    • @CanIHasThisName 2 months ago +10

      @@whambalamb Fair use is an argument you can make in court and you then need to defend that argument. It’s not some automatic benefit of doubt that you get.
      Additionally, YouTube is a private entity and can be held liable for the content on their site. As such, their policy is always going to be to avoid potential legal issues.

  • @gruntaxeman3740 2 months ago +8

    I would NEVER install kernel mode code to play game.
    It doesn't require bug from game developer, Microsoft makes big changes 1-2x year and behavior change can break those.
    There are no game that is worth to have that kind of messing.

  • @landlubbber 2 months ago +179

    I'm struggling to find reasons for game devs to not write solid server-side validation other than that it's tricky to do. If you're validating data coming from the clients properly then who cares what's going on in their kernel, just ignore it if it's impossible or violates the game's rules

    • @alexnoman1498 2 months ago +46

      You have never seen a pro playing a shooter. The speed at which they aim seems inhuman. You can't just ban all the best players. SC2 guys reach 600 actions per minute, that's 10 clicks per second. Filter that!

    • @АндрійКозак-у4ь 2 months ago +20

      @@landlubbber Had the same thought. Doesn't work against aimbots and other client-side stuff though.

    • @BeefIngot 2 months ago +9

      It costs slightly more money in server upkeep and design vs slapping in some pre-made privacy nightmare "solution"

    • @tablettablete186 2 months ago

      @@АндрійКозак-у4ь Yeah, take for example wallhacks:
      If the server is sending player location to every client, you can easily extract this information.
      And if you hide this info, how do you decide if the client should get this info? You need to see the enemy after all.

    • @landlubbber 2 months ago

      @@АндрійКозак-у4ь For aimbots it might be tricky and I'd imagine they'd do it statistically, for client side stuff like wall hacks the obvious solution is to not send player positions to clients who can't see the player in question. Regardless, I'm sure these things could be worked out if all the brainpower being put into the spyware that is kernel level anticheat were diverted to server side anticheat
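
The server-side approach discussed in the thread above (ignore client input that breaks the game's rules, and do not send enemy positions to clients that cannot see them), as an added example that is not part of any comment and not any game's actual code. The speed limit, tolerance, 2D map and all names are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 7.0    # assumed game rule: world units per second
TOLERANCE = 1.05   # assumed 5% slack for timing jitter

# Constructed map: a single wall segment ((x1, y1), (x2, y2)).
WALLS = [((5.0, -5.0), (5.0, 5.0))]


@dataclass
class Player:
    pid: int
    team: int
    x: float
    y: float


def _orient(p, q, r):
    """Sign of the cross product (q - p) x (r - p)."""
    v = (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])
    return (v > 0) - (v < 0)


def _crosses(a, b, c, d):
    """True if segment a-b crosses (or touches) segment c-d."""
    return (_orient(a, b, c) != _orient(a, b, d)
            and _orient(c, d, a) != _orient(c, d, b))


def apply_move(player, new_x, new_y, dt, walls=WALLS):
    """Accept a client-reported position only if the rules allow it.

    On rejection the server keeps its own authoritative position, so an
    impossible move is simply ignored rather than trusted.
    """
    dist = math.hypot(new_x - player.x, new_y - player.y)
    if dist > MAX_SPEED * dt * TOLERANCE:
        return "rejected: too fast"
    if any(_crosses((player.x, player.y), (new_x, new_y), *w) for w in walls):
        return "rejected: through wall"
    player.x, player.y = new_x, new_y
    return "ok"


def can_see(viewer, target, walls=WALLS):
    """Line-of-sight test: no wall between viewer and target."""
    return not any(
        _crosses((viewer.x, viewer.y), (target.x, target.y), *w) for w in walls
    )


def snapshot_for(viewer, players, walls=WALLS):
    """State sent to one client: self and teammates always, enemies only
    when the server's own line-of-sight test says they are visible."""
    return [
        {"pid": p.pid, "x": p.x, "y": p.y}
        for p in players
        if p.pid == viewer.pid or p.team == viewer.team
        or can_see(viewer, p, walls)
    ]


if __name__ == "__main__":
    # Constructed players: bob is behind the wall, carol is in the open.
    alice = Player(1, 0, 0.0, 0.0)
    bob = Player(2, 1, 10.0, 0.0)
    carol = Player(3, 1, 2.0, 3.0)
    print(apply_move(alice, 3.0, 0.0, 1 / 64))        # teleport attempt
    print(snapshot_for(alice, [alice, bob, carol]))   # bob is withheld
```

As the replies point out, this does nothing about aim assistance, which uses only information the client legitimately receives.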

  • @hightidesed 2 months ago +27

    the solution is what apple implemented a while ago, they don't allow kernel modules anymore, instead they expose the kernel api through driverKit, and if code that uses it messes up, the machine is still stable and won't panic.

    • @nullvoid3545 2 months ago +5

      Windows is offering that too, it's just that they also let devs make bootstart code that the system will not boot without.

    • @minirop 2 months ago

      @@hightidesed MS blamed the EU for preventing them from implementing that a decade ago.

    • @guitarcat01 2 months ago +2

      @@minirop There were a lot of anti-virus companies that were against that too, iirc McAfee

    • @AlexMax2742 2 months ago +9

      That's a tradeoff worth making on Apple hardware because macOS has been using Secure Boot for years and is actually quite good at validating the integrity of its operating environment. Windows does not have that luxury.

    • @scj643 2 months ago

      You can still disable SIP and do pretty much anything

  • @mosi333 2 months ago +44

    We need a Russian roulette game in kernel mode that bricks your PC when you lose.

    • @Bassalicious 2 months ago +14

      Let's call it "Crowdstake"

    • @tranthien3932 2 months ago +16

      Crowdstrike: Global Offensive

    • @Rudxain 2 months ago +4

      `[[ $((RANDOM % 6)) -eq 0 ]] && rm -rf --no-preserve-root /`

  • @sneakyg1250 2 months ago +24

    I don’t play multiplayer games because it’s become so bad that you give up your kernel, then you still get cheaters in game it’s not a good compromise

  • @ChooChang. 2 months ago +5

    This is exactly what I've been trying to tell my friends who "don't care"

  • @6lack5ushi 2 months ago +17

    the boot-start part just floors me...
    I don't understand and will never understand how anyone let a third party ship updates en masse to 8 million devices and have boot start privileges...

    • @nagi603 2 months ago +3

      Because all the difference between big company and small is that big has a lot more of its operation dedicated to penny pinching. Unless something breaks, there will be no testing. No QA. No checks. And if it did not break for a significant enough time, and/or may cause any issue for a manager ambitious enough, these mechanisms *will* absolutely be removed afterwards.

    • @6lack5ushi 2 months ago

      @@nagi603 Google blew that door open for me. no way one Red teamer touched AI overviews before shipping. but apparently thousands in testing loved it....

    • @GamePlays_1230 2 months ago +1

      @@nagi603 no he means why let a 3rd party even have a bootStartDriver I would implement a DriverOrder and sure you can be first in that order but really BootStart

    • @6lack5ushi 2 months ago

      @@GamePlays_1230 EXACTLY!!! so many other ways to be "first" without being more critical than the os itself!!! NUTS

    • @kenion2166 2 months ago +1

      Cause you can also write certain drivers like file system drivers, which need to load before anything else.

  • @garanceadrosehn9691 2 months ago +7

    I've given up on any "cloud-based" video games, which means anything where there's a competition and thus a strong temptation for *some* users of the game to cheat. If games start playing around at the kernel level, then there's no game which is "fun enough" to justify the headaches it will eventually cause on *my* computer. I bought it. The game company didn't buy it.

  • @50shadesofbeige88 2 months ago +16

    Could you imagine if we gave random Android games Root?

  • @eputty123 2 months ago +6

    4:13 "that thing" is/was called recall. it almost made my friends not use windows anymore, but they changed it a bit, and my friends no longer care.

  • @silentarcher7355
    @silentarcher7355 2 months ago +8

    You make excellent points! Keep it up!

  • @wlockuz4467
    @wlockuz4467 2 months ago +39

    If everyone has ring 0 access, no one has ring 0 access.

    • @Hexanitrobenzene
      @Hexanitrobenzene 2 months ago +21

      If everyone has ring 0 access, there is no ring 0 anymore...

    • @-1_void
      @-1_void 2 months ago +1

      That's why we need ring 0.5

    • @draconicepic4124
      @draconicepic4124 2 months ago

      @@-1_void We already have Ring -1 (Hypervisor) and Ring -2 (SMM).

  • @Quamsi
    @Quamsi 2 months ago +28

    I have a few concerns about this as well, primarily I don't want to run any kernel mode code written by tencent... But also I have some probably unjust paranoia about the possibility of a bad actor sneaking in a backdoor into an anti cheat kernel mode driver. Like if a developers system or repo access gets compromised.

    • @BeefIngot
      @BeefIngot 2 months ago +9

      I mean anti cheats have in the past been caught snooping on browser data to decide if a player was cheating based on their search history so I'd say it's fair to just not trust the code itself.
      This is why I feel unfortunately the whole dedicated gaming pc route is the only solution that doesn't leave you a left out hermit because consumer protections are so weak.

    • @Quamsi
      @Quamsi 2 месяца назад +1

      @BeefIngot yup, I have a separate drive I boot into to play games mainly for this reason (and it also helps me not get distracted while trying to focus)

    • @arashitempesta
      @arashitempesta 2 months ago +6

      you dont even need to have the game in question installed, so your paranoia is not unfounded.
      the anticheat for genshin impact, the signed driver had an exploit, you didnt even need to have the game, you just needed to get served that driver and because it was signed by microsoft, come on in, do whatever you want in my machine

    • @AlexMax2742
      @AlexMax2742 2 months ago

      I always found the conversations surrounding Tencent to be weird. Most of your device drivers are written by Chinese third parties, and CrowdStrike is an American company.

  • @txorimorea3869
    @txorimorea3869 2 months ago +21

    Any kind of anti cheat running at kernel level should come with a warning like 18+ stuff.

  • @jaybestemployee
    @jaybestemployee 2 months ago +4

    100% agree with you. A game is a game. Especially single player game has no valid reason to put up kernel level access. So any anti cheat like Denuvo is an automatic NO for purchase no matter how attractive a game it is.

  • @leapsseg4372
    @leapsseg4372 2 months ago +33

    Thank you for those pills for farts, works like a charm

  • @maydude2
    @maydude2 2 months ago +2

    *granny takes the bait, installs and boots up Mahjong Tiles*
    "we got her, boys(feds). take her offline."

  • @user-sb5vt8iy5q
    @user-sb5vt8iy5q 2 months ago +6

    5:30 the arms race exists even now when the code is proprietary

  • @Ganerrr
    @Ganerrr 2 months ago +5

    id love a detailed explanation on why a VM can't simulate whatever hardware checks these anticheats are using

    • @AlexMax2742
      @AlexMax2742 2 months ago

      There are a bunch of tricks that you can use to detect if you're running in a VM. However, the big "checkmate" move that Valorant uses is requiring the presence of a TPM chip and Secure Boot.
      You can emulate a TPM chip, but you can't pretend to be the TPM chip of a specific manufacturer without knowing the contents of a bundle of signing certificates that the end user would simply never have access to. An anti-cheat can simply whitelist TPM responses from known hardware manufacturers and blacklist keys used by virtual machines or ones they don't recognize. Of course, you could yoink the contents of your computers' TPM chip and use it in a VM, but if you get banned then you just burned your actual PC at the same time.
      It's a concept that makes a lot more sense if you've ever used SSH or used any form of public/private key authentication. If you have someone's public key you can verify a message was sent from a particular user, but you can't generate messages and pretend to be them without having their private key. It's the same concept with TPM chips. If you want some search terms to research, try "endorsement key", "storage root key", and "attestation identity key."

    • @Ganerrr
      @Ganerrr 2 months ago

      @@AlexMax2742 thanks for the write-up, that helps a lot. Really unfortunate that things are set up in that manner, best thing I can think to combat this is somehow externally harvesting TPMs and transforming into something hot-swappable, but I doubt that's even close to possible without a 5 billion dollar lab. Is there anything in place for a "remote" TPM farm? i.e. a bunch of cheapo laptops that just take in and push out TPM requests

    • @Ganerrr
      @Ganerrr 2 months ago

      @@AlexMax2742 thanks. I have multiple follow up questions and ideas but youtube helpfully threw the comment into the void without informing me 👍
      edit: my reply re-appeared randomly o_O

    • @AlexMax2742
      @AlexMax2742 2 months ago +3

      I have no idea if my original comment is showing up or not, but just in case, the short answer is that the TPM chip used by secure boot has certificates in it that are kind of like SSH public keys. If you have someone's public key, you can verify its authenticity, but you can't generate new public keys unless you have access to the private key.
      So you can emulate a TPM chip, but you still need a certificate to go with that TPM chip, and an anti-cheat will blacklist certificates from hardware companies it doesn't recognize or who make devices capable of cheating. If Vanguard detects cheating, it bans using TPM-verified hardware ID, and since you have no way to generate a new valid hardware certificate, it's a "checkmate" situation.
      The only trick is that you have to ensure that the OS is accurately reporting the contents of the TPM chip. Some OS's, like macOS, are actually pretty good at this as long as you have SIP enabled, but Windows is REALLY bad at this, which is why Vanguard has to run on boot.
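
The server-side check described in @AlexMax2742's two replies above, as an added example that is not part of the thread and not any anti-cheat vendor's code: a verifier accepts a device certificate only if it chains to an allowlisted manufacturer root, the device proves it holds the private key by signing a nonce, and the key is not on a ban list. The type and function names and all certificates are constructed for illustration; as a simplification, one ECDSA signing key stands in for the endorsement key plus attestation key pair that a real TPM uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key plus its certificate: a manufacturer root or a device (constructed type).
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue certifies a fresh key; a nil parent yields a self-signed root.
func issue(name string, serial int64, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signerCert, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Key: key, Cert: cert}, err
}

// Sign answers the verifier's nonce with the device's private key.
func (id *Identity) Sign(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, id.Key, h[:])
}

var (
	ErrUntrusted = fmt.Errorf("certificate does not chain to an allowlisted manufacturer")
	ErrBadProof  = fmt.Errorf("nonce signature does not match the certified key")
	ErrBanned    = fmt.Errorf("hardware key is on the ban list")
)

// Verifier is the server side: allowlisted manufacturer roots, banned key IDs.
type Verifier struct {
	Roots  *x509.CertPool
	Banned map[string]bool
}

func NewVerifier(roots ...*x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return &Verifier{Roots: pool, Banned: map[string]bool{}}
}

// Check returns a stable hardware ID (hash of the certified public key) after
// checking the chain, the proof of possession and the ban list, in that order.
func (v *Verifier) Check(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", ErrUntrusted
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", ErrBadProof
	}
	id := fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
	if v.Banned[id] {
		return id, ErrBanned
	}
	return id, nil
}

func main() {
	vendor, _ := issue("Constructed TPM Vendor Root", 1, nil)
	pc, _ := issue("constructed-pc", 100, vendor)
	nonce := []byte("constructed nonce; real verifiers send fresh random bytes")
	sig, _ := pc.Sign(nonce)
	id, err := NewVerifier(vendor.Cert).Check(pc.Cert, nonce, sig)
	fmt.Printf("hardware id %.16s err=%v\n", id, err)
}
```

The hardware ID is derived from the certified public key, so a ban follows the physical chip rather than the account.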

    • @kenion2166
      @kenion2166 2 months ago

      You can simulate it, I can run vanguard on my VM without issues. It's not straightforward and requires a lot of changes to kvm

  • @Olodus
    @Olodus 2 months ago +10

    Yey for gaming on Linux :D
    I have been on Linux for a bit over a year now and gaming on here has worked quite great. Linux for gaming is no longer hard. Linux in general is not that hard to get started I would say. I am on a quite weird distro (NixOS) and use Nvidia GPU and even with that it has been almost no issues. Sure, I have had to stop playing LoL and maybe some other games, but I haven't really missed them and anytime I have looked up any other game I wanted to play on ProtonDB the support has been really great. If I really wanted I could probably have gotten LoL to work (until they started their new kernel level anti-cheat I guess) but I was quite happy to have a reason to quit playing that game.

    • @aenguswright7336
      @aenguswright7336 2 months ago

      You're delusional if you think these kernel drivers don't exist in Linux too. CrowdStrike alone has already brought down two distros of Linux with the exact same kind of bug vector, and gaming companies are going to put less effort in on Linux given how much smaller a market it is compared to Windows

    • @Olodus
      @Olodus 2 months ago +1

      @@aenguswright7336 Why be so aggressive right off the bat? I am well aware that it is my own decisions of what I allow to run on my machine that protects me more than anything when it comes to this. I already remarked that I stopped playing LoL because I moved OS and because of their new anti-cheat. I would not allow any kernel level software updates that would not be represented in my NixOS config - meaning NixOS rollbacks would protect me from crash looping BSOD. I use tools that would not allow situations like this to happen on my machine - which to me is the opposite of delusion. And I am happy that this still means gaming is possible without having to make any large sacrifices in what I want to play. That was the message of my previous comment.

  • @lvcifer-cloverfield
    @lvcifer-cloverfield 2 months ago

    Cut brutally concise. Kudos!

  • @steveftoth
    @steveftoth 2 months ago +6

    Kernel mode drivers for games turn your computer into a console. It completely breaks the idea that you have control of your computer.

    • @not_kode_kun
      @not_kode_kun 2 months ago

      using windows already turns your pc into a pseudo console. installing kernel mode software on it makes it even worse

  • @TobiasSample
    @TobiasSample 2 months ago +2

    Agreed, especially with the game industry’s habit of rushing stuff!

  • @Denis-in6ur
    @Denis-in6ur 2 months ago +5

    There will always be people that are skilled enough to play these cat and mouse games. They can‘t stop them by putting everyone else in danger.

  • @nowave7
    @nowave7 2 months ago +6

    5:30 no security through obscurity!

    • @dude963
      @dude963 2 months ago +4

      We should totally make our anti cheats open source!!!!!! #FOSS

    • @boblol1465
      @boblol1465 2 months ago

      client side anticheat can only be achieved thru obscurity

    • @__christopher__
      @__christopher__ 2 months ago

      Anti-cheat is not about security. People cheating on games isn't a security problem. Anti-cheat software may be a security problem, though.

    • @nowave7
      @nowave7 2 months ago

      @@__christopher__ I don't think you got the reference. As much as there is no security through obscurity, similarly there is no anti-cheat through obscurity.

  • @gurupartapkhalsa6565
    @gurupartapkhalsa6565 2 months ago +3

    I feel the same way you do about proprietary EL1/kernel/driver code produced and distributed unaudited for a userland app. I don't actually care if someone cheats at cards or any game where money isn't on the line (which makes it not a game), but I absolutely care if someone has a backdoor in my computer. Since when have people been accepting this trade-off? I haven't gamed for a long time myself. Edit, context: I'm writing the bootloader (SPL/UBoot) for WiFi7 from (*censored t1 isp*)

  • @broadestsmiler
    @broadestsmiler 2 months ago +2

    I was thinking about this after the Crowdstrike incident occurred as I remembered that some video game anti-cheat systems have kernel-level access. Super cool to see we both had the same thought!

  • @gundam7463
    @gundam7463 2 months ago +27

    Anti-cheating must be on the server side.

    • @morphles
      @morphles 2 months ago +5

      @@ChristopherGray00 1 is incorrect, just do not send info to players about players who can not be seen, afaik old games used to do that at least in some cases. Still, it can only be done to a point, close to corners generally servers send position to "smoothly deal with network lags". The foliage thing however can't be done. As well as just texture changes. I.e. in q2 times, some people would just change all env textures to solid colors. Still generally I'm willing to accept such cheats, as only the most egregious - aim bot in my eyes are super duper detrimental (provided 1 one is implemented on server, which I'm not fuckin sure why multi million dollar companies can not do it). But indeed aim bot is also mostly client side, and you'd need some expensive real time analytics and maybe some trickery to try to detect just from server side.

    • @bulletghost3452
      @bulletghost3452 2 months ago

      There is debate and testing going around with AI Anti-cheat where it goes against other AI cheats as well as even DMA/Hardware level cheats. Hopefully AI anti-cheat is server side since it would just gather data from the server rather than the players themselves.

    • @futuza
      @futuza 2 months ago

      @@ChristopherGray00
      1) This is a fog of war issue, don't send clients (players) information that they shouldn't know about. You have to deal with the side effect of pop-ins, but that's worth the cost. Developers have got to stop storing information on the client. If the client shouldn't know something, then they should not be sent that information.
      2) Don't put features like this in the game, make obstructions hard obstructions or not at all. If you want a smoke grenade to do its job you need to design it to prevent information from being sent rather than just being drawn on top of known information to 'hide' what's underneath. Cheaters can scrub that off, so you can't rely on that. You simply cannot trust the client with information, that is the only way to avoid this.
      You also don't address aimbots which is a much worse problem than either of these issues. While you can somewhat mitigate it by forcing aimbots to have 'human-like' reaction times (eg: you can't zero on someone's head in 2ms), as well as by recording input data from clients and logging data that looks suspicious to be reviewed by other players/moderators (eg: a headshot that's within the realm of possibility, but highly unlikely gets recorded and can be replayed after the match for review). These can help reduce it, but you're never going to get rid of aimbot entirely, unless you design your game around reaction time/aiming never being relevant.
      If your game doesn't rely on reflexes/timing, it might instead be turn based, like chess or Go etc. However, note that while reflexes in this example don't give a cheater an advantage (because they can't take advantage of a computer's speed), it can still also be an issue because you can design an AI that trounces humans when it comes to strategy and have it suggest moves/play the game. eg: Have a supercomputer play against other chess players. If you design your game well enough that it can't be analyzed quickly enough and it has enough of a depth of strategy and options that AI get overwhelmed and can't keep up with human players, then this can be countered, but that requires an extremely good design, but will eventually be solved by AI/supercomputers (though hopefully after people have stopped playing the game and the devs have gotten their money's worth).
      The biggest barrier to proper multiplayer serverside authentication is that it's hard to design and code, and gamedevs are never given enough time by publishers to plan out and implement the game in a way that doesn't trust the client. It's usually lack of budget/time, and laziness that ends up putting information on the client and making client-side cheating possible. If we want this to change, we have got to stop buying games that 'fix' their multiplayer issues by slapping an anti-cheat band-aid on their bad design.

    • @RusticKey
      @RusticKey 2 months ago

      @@ChristopherGray00 Number 1: it is perfectly possible to cull entity information when they can't be seen through physical obstructions. You can raycast from each client towards other clients from their viewport frustum and see if they are completely obstructed. Number two is kind of difficult to deal with. Checksums can be spoofed and if the player is using external software overlays then that's also moot. Game streaming would be one solution but that's just bad.

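The server-side culling that @futuza and @RusticKey describe in the replies above, as an added example that is not part of the thread: the server raycasts between players on its own copy of the map and only puts a player into another client's update when the two have line of sight, so a modified client has nothing hidden to reveal. The grid, the player list and the function names are constructed for illustration, and a 2D Bresenham line stands in for a 3D raycast.

```go
package main

import "fmt"

// Constructed map: '#' blocks line of sight, '.' is open floor.
var level = []string{
	"..........",
	"....#.....",
	"....#.....",
	"....#.....",
	"..........",
}

// Player is a hypothetical server-side entity with a grid position.
type Player struct {
	Name string
	X, Y int
}

// Constructed positions: alice and bob stand on opposite sides of the wall.
var players = []Player{
	{"alice", 1, 2}, {"bob", 8, 2}, {"carol", 3, 4}, {"dave", 8, 0},
}

func abs(v int) int {
	if v < 0 {
		return -v
	}
	return v
}

// lineOfSight walks a Bresenham line from (x0,y0) to (x1,y1) and reports
// false as soon as a wall cell lies strictly between the two endpoints.
func lineOfSight(grid []string, x0, y0, x1, y1 int) bool {
	dx, dy := abs(x1-x0), -abs(y1-y0)
	sx, sy := 1, 1
	if x0 > x1 {
		sx = -1
	}
	if y0 > y1 {
		sy = -1
	}
	err, x, y := dx+dy, x0, y0
	for x != x1 || y != y1 {
		if (x != x0 || y != y0) && grid[y][x] == '#' {
			return false
		}
		e2 := 2 * err
		if e2 >= dy {
			err += dy
			x += sx
		}
		if e2 <= dx {
			err += dx
			y += sy
		}
	}
	return true
}

// snapshotFor builds the state update for one viewer: every other player the
// viewer can see, and nothing about the ones behind walls.
func snapshotFor(grid []string, viewer Player, all []Player) []Player {
	visible := []Player{}
	for _, p := range all {
		if p.Name != viewer.Name && lineOfSight(grid, viewer.X, viewer.Y, p.X, p.Y) {
			visible = append(visible, p)
		}
	}
	return visible
}

func main() {
	for _, viewer := range players {
		fmt.Printf("update sent to %s: %v\n", viewer.Name, snapshotFor(level, viewer, players))
	}
}
```

A production server would cull with some margin around corners so that latency does not cause pop-in, which is the trade-off @morphles raises earlier in this thread.
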
  • @petergerdes1094
    @petergerdes1094 2 months ago +1

    A rule against shipping code the consumer doesn't understand is unworkable.
    Most people don't really understand the internet (my mom doesn't understand the difference between search and navigation or what a domain is) or the cloud and certainly don't understand encryption.
    So no encrypting hard drives, end to end encrypted communication, no web browser marking sites as secure or untrusted -- maybe no web browser at all -- no secure backup to the cloud. And all these are places where not understanding can screw them over. If they have sensitive data not understanding cloud backups and secure communication could have huge ramifications (might get subpoenaed or accessed by a foreign government in some circumstances) not to mention phishing and scams.
    It's always a cost benefit calculation. And you can't avoid that by saying no code the consumer doesn't understand.

  • @GokEnsar
    @GokEnsar 2 months ago +4

    Thank again Valve

  • @klonvomhaus
    @klonvomhaus 2 months ago +1

    Yeah, I uninstalled League, too. So sad they won't even let us access TFT without installing Vanguard, had my hopes up that they had a separate launcher coming to Epic.

  • @JoeJoeTater
    @JoeJoeTater 2 months ago +49

    It's already an arms race between anticheat and cheat developers. At least, with open-source anticheat, people with a stake in it can support it.

    • @edwardallenthree
      @edwardallenthree 2 months ago +10

      I go so far as to say it doesn't even have to be open source, as long as a security team at Microsoft is reviewing it if it is going to go into the Microsoft kernel. Perhaps we need an open standard, so Microsoft can design one for their kernel, the community can design one for Linux, and Apple can copy the one for Linux and claim they developed their own.

    • @vilian9185
      @vilian9185 2 months ago +6

      open-source anticheat only help cheat developers

    • @edwardallenthree
      @edwardallenthree 2 months ago

      @@vilian9185 lol. Tell me about the successful history of security through obscurity. By the way, I've got a bridge in Brooklyn to sell you.

    • @ggeilokowski
      @ggeilokowski 2 months ago +4

      open source anti cheat is such an incredibly dumb idea

    • @snowwsquire
      @snowwsquire 2 months ago +12

      @@ggeilokowski how, you think there aren’t nefarious actors reading other open source code like OpenSSL trying to find exploits? It’s not like closing off the source makes exploits impossible to find

  • @TeslaPrince
    @TeslaPrince 2 months ago

    i'm 100% with you, I work for a company that had a major cybersecurity incident and i'm tired of the zillions of attack surfaces which make it feel impossible to secure, let alone a kernel mode driver for a game! CrowdStrike is one thing, a game just isn't worth the risk.

  • @氷語
    @氷語 2 months ago +5

    Anti cheat is one of the biggest useless pieces of sh*t. It doesn't even deter dummies because they just buy some cheats that are hidden behind a paywall and the devs can't keep up with it, it always was and will be a cat and mouse game. Leave my ring 0 in peace. Do server side analysis and shadow ban cheater's accounts by putting them into a lobby where only other cheaters and bots are. I once got banned because I had Visual Studio debugging my app in the background (because I forgot to close it) and tech support told me I was using a debugger in an app that does global key hook for CUSTOM SHELL SHORTCUTS (has nothing to do with the game). Bruh who tf allowed them to analyze my code? They ruined PC gaming for me and since then I barely ever play video games and if I do only on Xbox. Wild that I can't have privacy and even get accused by an algorithm where the human review will see everything and will tell me to close my devenv while playing. Who tf are these corpos? I pay, you receive money, let me game.

  • @Uerdue
    @Uerdue 2 months ago

    For now, bugs leading to boot loops may indeed be the biggest concern. But once the use of kernel-mode drivers for anti-cheat engines becomes more widely adopted, APTs will of course also try to infiltrate the companies that create them. Sounds like a good way to distribute your backdoors.

  • @gordonfreimann
    @gordonfreimann 2 months ago +8

    the idea of anticheat is stupid. You can write kernel mode cheat that can bypass kernel mode anticheat and thats exactly what is happening atm. You don’t need to buy a licence to run a kernel mode cheat in your own computer with self signed certificates etc. We need to invent something else entirely

    • @elimgarak3597
      @elimgarak3597 2 months ago +3

      That's the worst part. It is trash invasive malware and it doesn't even work well for the problems it's trying to solve.

    • @GC-jm9bt
      @GC-jm9bt 2 months ago

      Do it. Try to bypass Vanguard with a self signed kernel driver.

    • @gordonfreimann
      @gordonfreimann 2 months ago

      @@GC-jm9bt YT deletes my comments but, there is a certain channel that explained how they did it but yeah not with kernel driver at least for vanguard. This also proves my point. Anti cheat software is stupid. It does not stop the game getting hacked. They just prevent majority from cheating but only some capable people can do. Because of that you will never know who is cheating and it will always ruin the game.

    • @JuliaYamYam
      @JuliaYamYam 2 months ago

      It does work, lol. Its objective is to reduce mainstream cheating and monitor for cheat devs and their techniques of bypassing. Like you say, 100% cheating prevention isn't realistic, but stuff like vanguard raises bar way way way higher than games which are practically open to cheating like cs2, they work for what they want them realistically to do. Rest of work is up to Microsoft to make Windows more secure and legal teams to harass people who make cheats

    • @vasatruhl
      @vasatruhl 2 months ago

      @@gordonfreimann with that logic, why even have an anti cheat if people will still cheat. Might as well not have any ac. What a great idea!

  • @markisganitis3496
    @markisganitis3496 2 months ago

    Agreed. Manufacturers should be held responsible for bad code

  • @Dean-fh8me
    @Dean-fh8me 2 months ago +6

    Let him cook 🎉🎉🎉

  • @seansingh4421
    @seansingh4421 2 months ago +1

    Everyone gangsta till Null Pointers show up in Kernelspace 😂😂

  • @Jad3D3v
    @Jad3D3v 2 months ago +6

    I don't enjoy games that need to run a cheat-prevention software at kernal level, that's just installing a root-kit without it doing a good job.
    My example, Battleye for Planetside 2.

    • @tablettablete186
      @tablettablete186 2 months ago +2

      kernel*

    • @Tudas
      @Tudas 2 months ago

      Okay but most people don't care, why would they care about a minority?

  • @noahhastings6145
    @noahhastings6145 2 months ago +1

    It's this simple. There is ZERO reason for an ENTERTAINMENT PRODUCT to require kernel level access to anyone's computer.

  • @witchtheer3450
    @witchtheer3450 2 months ago +4

    the funny thing is that u can actually put a lot of detection on the server side, + the kernel anticheats are useless when u have simple board emulating the mouse or something more sophisticated (pci memory access for example, i dont support cheating, but if u can have the hardware and the knowledge, chance is that u will do it or be tempted to do it).
    But they rather will save on server costs, rather than respect users privacy, and act like they dont "borrow" some data.

  • @ilikedirt
    @ilikedirt 2 months ago

    The most dramatic similarity with CrowdStrike is that a game, which you normally would have control over by deciding when it starts or doesn't, is kinda transformed into a system service with a driver component, which I hate, your OS is officially running for that anti-cheat, as the anti-cheat is now a part of it, making your PC a dedicated machine for that game, and that doesn't make sense. The OS needs to be a standalone self-sufficient platform at startup and only then you decide what its purpose is, which may be more than one but with the ability to revert to that initial stable state.

  • @Ch40zz
    @Ch40zz 2 months ago +5

    1. Vanguard is one of the only ACs that require boot drivers, the rest all start only when the game starts and end when the game ends
    2. Comparing infrastructure critical servers with some gamers home machine is quite a far fetch
    3. Game companies have different departments, security departments hire completely different people than the people who write the games
    4. Companies pushing code people dont understand? Do people understand how my graphics driver works or how chrome is executing js in a sandbox? There are legal boundaries of what public registered companies are allowed to do, stealing personal user data is not one of them
    5. Stop with the anti-cheat trend? Do you even know how many companies are out there selling cheats and how many people buy that stuff? No anti-cheat will make the game unplayable just like csgo used to be for years.
    6. Open source anti cheat? The point of the AC is that it takes cheaters an extremely long time to know what exactly it is doing so they have a hard time bypassing it. Open sourcing it is like asking the thief if they also want to take the TV...
    7. There are drivers much worse than ACs and you use them daily. CPU-Z? Yep. Busted driver. Your RGB control software? Yup that one is busted too. Your Fan Speed control software? Thats another one busted.
    State of the art AC like EasyAntiCheat and Vanguard are pretty good at what they're doing and they are pretty secure too. Should they be a boot driver? Probably not but it improves security against cheaters by quite a bit. Tencent AC and AC from companies like Capcom or miHoYo (Genshin Impact) is a different story.
    Also remember: Malware doesn't need a driver to steal all your data.

  • @GusTheAnt
    @GusTheAnt 2 months ago

    Thor of Pirate Games fame said that when he worked at Blizzard they managed to create anti-cheat code that worked perfectly fine without being kernel level. Like you said it's all profit driven, so it's easier for management to go to Easy Anticheat and whoever else to cast a wide net at the kernel level and pay them a ton of money than it is to hire more devs to make better and safer code.

  • @ThibaultDelattre
    @ThibaultDelattre 2 months ago +8

    The fact the kernel is written by Microsoft is already worrisome enough. I use Arch BTW

    • @Zfentom
      @Zfentom 2 months ago +1

      I also use arch btw

    • @hinz1
      @hinz1 2 months ago

      Me too, Arch with Mate is awesome!

    • @__christopher__
      @__christopher__ 2 months ago

      Parts of the Linux kernel now are also written by Microsoft.

    • @ThibaultDelattre
      @ThibaultDelattre 2 months ago

      @@__christopher__ yeah, but I am sure our Lord and Savior Linus Torvalds personally reviews all of their commits with the greatest care. :D

  • @c1p0
    @c1p0 2 months ago

    This is an excellent point of view from a security expert. If you touch base with anyone in the CoD/Warzone community you would find out that they wouldn't care where the code for the anti-cheat runs if it would do its job properly. Most of them wouldn't care if their PC crashed because of it once a week if it would mean that the anti-cheat would work. What we have right now is anti-cheat that doesn't work running with the highest privileges. I guess my question is: do you think you (or any anti-cheat company) can develop an effective anti-cheat that wouldn't need to run at the driver level? We can even take a step back and just think about a non intrusive system to handle cheaters. Something that wouldn't just involve a piece of software running on your PC, but a whole ecosystem that would care to this (report system, ML for stats that seem off, etc.). Another thing that I would like to add is that the game company isn't developing their own proprietary anti-cheat as far as I know. The teams that are responsible for developing and delivering the game work independently from the anti-cheat developers. That does not mean they don't collaborate, it just means that their deliverables aren't synced. Again, I might be wrong about this.

  • @NinjaRunningWild
    @NinjaRunningWild 2 months ago +3

    Everything being online is a big part of the problem.
    - ex game programmer

  • @markdatton1348
    @markdatton1348 2 months ago

    I 100% agree. The eternal arms race of detecting malicious action by being in a higher place of authority is at its end (or at least should be). We need a new anticheat that uses machine learning to analyze gameplay and detect if the actions a player takes are inhuman.
    For example, if the reaction time of a player in certain situations is uncommonly consistent, that is cause for suspicion. Or if there are inputs to the mouse that are so small a human wouldn't be able to consistently make those movements. Etc. Using just game data to detect computer assistance in a game is almost certainly not near as hard as making clever kernel mode drivers to detect if people are using even a second computer to interface with the current device (which surprisingly is a real strategy for more wealthy cheaters).
    Kernel level code should be exclusively systems level requirements. Like a USB driver, or drivers for custom electronics devices. Things that directly physically interface with the hardware. Programs running inside the system (almost) never need to be able to access the level of power the kernel ring contains.

  • @cainzjussYT
    @cainzjussYT 2 months ago

    Gamedev here. This is one of the reasons i moved all the critical game logic onto a dedicated server/servers. Having anticheat not only is iffy on the client side but a colossal waste of clock cycles.
    It's time-consuming to code on the server side. But man is it fast and a lot more fair and balanced (compared to client side checks, if you think of all the tricks cheaters/hackers use in games).
    Another upside is i can make the client more performant by skipping the boat. And if a user wants to modify the client in any way or make a new one from scratch, it has no effect on others playing the game.

  • @brandondargo9875
    @brandondargo9875 2 months ago +2

    I am the developer of Advanced BAT to EXE Converter and have been watching your channel for many months. I was wondering if we can chat about some tech stuff somehow.

    • @inadad8878
      @inadad8878 2 months ago

      I used that before

  • @lI_Simo_Hayha_Il
    @lI_Simo_Hayha_Il 2 months ago

    100% agree with you. I am running Linux as my daily system, and I have a Windows VM to play my games. However, most anti-cheat don't like that, so they kick me out of the game with any proof what-so-ever that I cheat. Fortunately not all anti-cheats do that, so I am able to play most of my favorite games. That doesn't mean though that in a future update, I won't be kicked.
    I made a post lately in Reddit, about that and unfortunately, most members didn't agree with me, and were saying that Kernel Level Anti-cheat is important, and few (at least not the majority) were asking to let Linux Kernel allow that software!
    Activision started suing cheat companies and I think that is the best practice. They sell cheats for money. If you make them pay millions in fines, then their business model would have a negative outcome, therefore no profit, end of business.

  • @TehHayzen
    @TehHayzen 2 months ago

    Not every company tries to implement their own anticheat, even big studios just rely on Easy Anti Cheat, which isn't totally "cheat proof" and does use a kernel mode driver, but at least the company's focus is security, not publishing a game with absurdly expensive cosmetics. There are some exceptions like Riot (that you mentioned) or Activision with their Ricochet anticheat. On one side I want to agree with you on the fact that we should all use one anticheat engine that can be publicly audited, and make the whole world contribute to its reliability, but thinking a single anticheat could work for every game out there is just fiction. And then the anticheat becomes a single point of failure, the moment a malicious actor finds a vulnerability (which inevitably happens) all games fall with their anticheat.

  • @CoreDumpped
    @CoreDumpped 2 months ago

    I ended up getting another computer for the sole purpose of playing league on it.

  • @jsrodman
    @jsrodman 2 months ago

    The problems with games and security go far beyond anti cheat. As a rule, the games industry does not sanitize inputs. Attacks on game clients will come for games, if they aren't already being quietly compromised.
    That said, I agree with everything you said here. Also, you don't need to be in the kernel to monitor behavior. All kernel mode offers is that user mode cheats can be more easily observed. But nothing prevents kernel mode cheats.

  • @chromerims
    @chromerims 2 months ago

    Preach . . .
    Kindest regards, friends and neighbours.

  • @nakfan
    @nakfan 2 months ago

    You are absolutely right about not allowing ‘everyone’ to write to the kernel 👍 How to implement this I don’t know…

  • @Hexalyse
    @Hexalyse 2 months ago

    You said it: the problem with anti cheats is that it's a mouse and cat game, an arms race. Even Vanguard doesn't prevent people from cheating. Why are they still trying to combat cheating like that? I remember seeing a company saying they had things cracked down by instead analyzing mouse movement with AI models and could detect cheating (aimbotting at least) very quickly and with a high confidence. I don't know if their claim was real tho, because I don't understand why it wouldn't be used in every major game already.

  • @阮榮強
    @阮榮強 2 months ago

    Yeah. It's a dangerous trend for companies that produce non-critical software to keep wanting to put software at the kernel level and for it to be a start-boot driver is even worse. Unfortunately the only ones we can really count on to stop this practice are Microsoft or the government.

  • @TheDemocrab
    @TheDemocrab 2 months ago

    I think an open source anticheat is one of the few areas where the cathedral OSS model would work, or an alternative spin on it to help prevent big egos from taking over the project. Keep the in-progress code and discussions around it hidden from the public, but still release the source code for the stable versions the end-users actually get.

  • @ricardonacif5426
    @ricardonacif5426 2 months ago +1

    If cheats have access to the kernel, anti cheats should have access as well. There's no other way. See CS2, Valve doesn't want to make a driver anti cheat, and the game is literally unplayable right now if you don't use a third party server with AC. Out of the 6 matches I played in casual mode, 5 had a wall hacker or aim botter. You can say anything about Vanguard in valorant, but their shit is effective as fuck. Yeah there will always be cheaters but if you can reduce the rate people face them from 8 out of 10 matches to less than 1 out of 10 that's a huge gameplay quality boost.

  • @talon4107
    @talon4107 2 months ago +1

    Can't agree more. I uninstalled all games that involve Vanguard as soon as it was implemented.

  • @ochaun
    @ochaun 2 months ago

    Mahjong tiles is actually a good example here. Often you're not downloading a single game but a game platform (like a discount steam) that's bloatware that's pre bundled with the PC

  • @wheresecretslie
    @wheresecretslie 2 months ago

    I see what you’re saying entirely, and the idea of an open source anti virus was pretty interesting. After I thought about it some more, yes, what you said was true, in the fact that it’s going to be open source so the people that want to help stop cheaters are going to be able to contribute, but that means the cheaters will be able to see the code as well and find vulnerabilities, and I mean if it were to actually be implemented I'm pretty sure at first it’d be pretty bad because of the amount of bypasses there would be, but over time it would be amazing because then you’d essentially have this kind of library of all patches for exploits and there would be a point in time where most wouldn’t even be able to exploit anymore because they’ve all been patched.

  • @0xDEADBAAD
    @0xDEADBAAD 2 months ago

    As someone who has worked in a vast variety of game studios during the past 11 years, I totally agree with you.
    Most game studios shouldn't be trusted that much.

  • @brendanortiz1742
    @brendanortiz1742 2 months ago

    Hey man, as someone who does red teaming, I don’t think you can take away security vendors' ability to perform functions at the kernel level. If you put everything in user land the security vendor's code can be messed with. Take user land hooking as an example. It is basically ineffective unless you don’t know what you’re doing.

  • @AdamLeis
    @AdamLeis 2 months ago

    Yeah, I'm noticing this pattern where people are getting so rushed and pushing out less-than quality code/products and we run into problems as a result. Hard to push back sometimes. If the powers that be are sensible and listening, they can be swayed, but that's not always a thing. Tough stuff.

  • @nulliel
    @nulliel 2 months ago

    My favorite part about Riot introducing Vanguard to league was that they did have "testing" in the form of PBE. It was causing pretty significant issues with people's PCs yet they still went ahead with the patch and caused an even more widespread issue. Their model is worse than "not having good security practices". They will actively harm people's computers to get the results they want.

  • @Seweiwer
    @Seweiwer 2 months ago +1

    The problem is, you can't fight modern cheats without kernel level drivers, anyone who says you can is underestimating what hack developers can do. All modern hacks run kernel level, there are entire drivers that simply sandbox any non-kernel anticheat. We have hacks that are loaded into the firmware of a mouse that without the deep access, can't be verified. So what's your solution to all this? Just let everyone suffer cheaters? It isn't a good solution, yes, but one of the few we have.

  • @bmanpura
    @bmanpura 2 months ago

    Vanguard has been a concern for a very long time. I remember back before I got into college, Ragnarok Online used Vanguard (iirc) and people were worried.
    The easiest solution could be releasing games exclusively in special hardware (e.g. console, steam decks) so the data is separate from the more important data.. but this isn't perfect either.
    Best approach is to make those cash-strapped game companies care about safety.

  • @Twiddli
    @Twiddli 2 months ago

    For me League anti cheat made me quit the game altogether. It's so scary letting so many scripts (games, antiviruses etc) running at kernel mode..

  • @KingKrouch
    @KingKrouch 2 months ago

    Technically CrowdStrike in gaming has already happened, with Street Fighter 5 and Genshin Impact. Luckily, both have different anti-cheat now and actually run on Proton without third-party workarounds needed.
    I feel like SBMM, F2P monetization, and Peer 2 Peer netcode always invites cheaters to ruin the fun for everyone else. TF2 didn't have the hacker situation until the Meet Your Match update, GTA V's hacker problem is thanks to their terrible netcode and now Rockstar is lashing out on the PC playerbase.

  • @steamer2k319
    @steamer2k319 2 months ago

    Many eyes make all bugs shallow--including security deficiencies. If anything, the open source systems that get adopted by millions have a better track record at being uncircumventable than their closed-source counterparts.

  • @tigerkralle1997
    @tigerkralle1997 2 months ago

    As someone who games a lot and is starting to get into cybersecurity, I highly appreciate the topic you opened up here. Thx

  • @robinpage2730
    @robinpage2730 2 months ago

    Anticheat should track player stats on the company side and in-game. Cheaters quickly build abnormal stats, and the anticheat can easily spot stats that stray out of the normal ranges. Also they need to implement a block button along with the report button so the game won't match you in lobbies with players you suspect are cheating.

  • @RoboLeader
    @RoboLeader 2 months ago

    Should be pointed out that for some users, this day is already here. There is an issue with how Easy Anti-Cheat interacts with certain thunderbolt controllers that cause a BSOD about 5 minutes after launching a game using it. You have to mess with some power settings to get around it, but how many users are actually going to figure that out?

  • @klaudyw3
    @klaudyw3 2 months ago

    An adversarial open source kernel level anti-cheat (or as I like to call it aosklac) would be awesome! Generally speaking, the idea is that a process shouldn't be able to mess with data that another process is using. Give it a couple of years, and we'd end up with the best kernel level memory protection.

  • @barrykp
    @barrykp 2 months ago

    Cheating in multiplayer games has become something of a plague, especially in free to play games. In the various examples I'm familiar with, the blame is put 100% on the developer. I wonder if there is realistically a fix for this problem. League, for example, already hides game state from the client, but you can't hide everything. It's too easy to just look at the memory of the game and get information you're not supposed to have. What is the solution?

  • @patrickconrad396
    @patrickconrad396 2 months ago

    Thanks for this man. You have a deeper understanding than me, but I couldn't stop thinking how they were connected. Mostly because of your anti-cheat content made prior. But as soon as CrowdStrike happened, this has been nagging at me