Unpopular opinion, but we would be better off with a single open, trusted implementation of anti-cheat (aka DRM) which can attest that whatever requirements are desired by the game are met. The only real problem is that it would likely be limited to approved kernel images and someone would need to own that validation and signing infrastructure, but you could imagine having multiple trusted entities in this role.
Kernel anti-cheat is not really effective because it can be circumvented at the hardware level, for example using direct memory access with a second computer and screen to show the hidden game state.
Cheating is a meatspace problem and there is no technical solution to it. That's why in tournaments there are referees standing behind the players. Ultimately it comes down to checking if metrics like reaction speed are humanly possible, but a rootkit is not really needed for that.
> Cheating is a meat space problem and there is no technical solution to it
Cheating is an arms race - the number of people who are willing to run a second computer with DMA connected to a single machine is vastly smaller than the number of people who are willing to download a dodgy file from the internet and run it.
> Ultimately it comes down to checking if metrics like reaction speed are humanly possible, but a rootkit is not really needed for that.
If it was that easy, cheating would be a solved problem. An awful lot of play is "I know the reload time is 0.75s, so they're going to appear when they've reloaded" - that's way beyond human reaction time. And that's at "mid level" play - at gold/silver levels in League of Legends knowing cooldowns is considered base knowledge. At higher levels of play, _all_ of your players are statistical outliers.
This hasn't been true for a very long time. The kind of cheats that can survive even very basic anti-cheat for a long time cost a decent amount of money on a subscription basis. Most cheaters by volume pay quite a chunk of change to cheat.
> Kernel anticheat is not really effective because it can be circumvented on the hardware level, for example using direct memory access with a second computer and screen to show the hidden game state.
Incorrect. DMA (direct memory access) is and can be prevented [1] and detected [2].
You can still do DMA cheating with IOMMU enabled. There are quite a few relatively widespread bugs with IOMMU that allow you to bypass it, for example https://cloud.google.com/blog/products/gcp/fuzzing-pci-expre.... So to be able to actually do IOMMU DMA protection you need to be willing to ban many popular devices. That may be viable for FACEIT and ESEA but it won't be for 99.9% of anticheat deployments.
The detection for DMA cheating is based on the DMA engines being unable to emulate 1:1 the actual behavior the hardware ID would be expected to have. This can be fixed by simply doing that properly.
But even besides that, DMA through PCIe is just one hardware cheat that fits a separate threat model and therefore has some countermeasures.
There are much more robust methods you can use, for example a PCIe interposer between the OS and GPU, or simply direct memory interposers if you want to do DMA without the protections afforded by the PCIe implementation. There are interposers along with machinery to get around memory encryption and other obfuscations that can be made for around $100.
Once again back to another arms race. Assuming that your operating system doesn't allow any bad drivers (Windows does NOT do this), physical access to the hardware is just a function of time and money to get direct access to the memory.
Something like TEE.fail can be used to read encryption keys for network traffic, then a MITM proxy can display player information easily on a second PC; you will never be able to reliably detect this.
> Assuming that your operating system doesn't allow any bad drivers (Windows does NOT do this)
Windows eventually tends to revoke the certificate of vulnerable drivers. And prior to that, anti-cheats will flag the signature and prevent booting or outright ban for egregious ones.
> Something like TEE.fail can be used to read encryption keys for network traffic
So, encrypt the memory well then? Also, that attack slows down RAM to 3200 MT/s and is infeasible for game cheating. Maybe if you could make a custom RAM stick with an ASIC on it, which would cost millions upon millions of dollars to keep up with DDR5, you could capture encrypted bits and crash your system pretty often.
I don't consider it an arms race if you can prevent cheating to 10s of people in a million-player game. That's noise at best.
> Windows eventually tends to revoke the certificate of vulnerable drivers. And prior to that, anti-cheats will flag the signature and prevent booting or outright ban for egregious ones.
I have been loading and using the WinIO driver on Windows all the way up to the latest version to read and write any memory I want. I also have a few drivers that are lesser known that are not even flagged by most anti-cheats.
> So, encrypt the memory well then? Also, that attack slows down RAM to 3200 MT/S and is infeasible for game cheating. Maybe if you could make a custom ram stick with an ASIC on it, which would cost millions on millions of dollars to keep up with DDR5, you could capture encrypted bits and crash your system pretty often.
You are going to have to decrypt the memory eventually. Even TEE.fail can get around AMD SEV and Intel's TEE. Reading memory speed doesn't really matter as long as you can find an encryption key for network traffic. Once you can intercept network traffic and decrypt, it's game over!
You do not need an ASIC to interpose DDR5 and steal all the traffic; there are FPGAs that are powerful enough. Once PCIe DMA cards go the way of the dino with IOMMU, people will just switch to memory interposers with FPGAs.
A few years ago, DMA cards cost upwards of $500. Now you can buy cards from China preloaded with PCILeech firmware for around $100, and there are thousands of customers. If you can afford the latest gen gaming gear and afford to spend money on cheats, you can certainly fork over a couple hundred dollars for the latest undetected solution.
> I have been loading and using the WinIO driver on windows all the way up to the latest version to read and write any memory I want. I also have a few drivers that are lesser known that are not even flagged by most anti-cheats
I can assure you that you will get banned from a game with a modern anti-cheat using that or you won't even be able to launch the game. Also 'flagged by most anti-cheats' means very little. Most good anti-cheats will delay bans or correlate multiple factors prior to a ban.
> You are going to have to decrypt the memory eventually. Even TEE.fail can get around AMD SEV and Intel's TEE.
You don't have to decrypt it on the RAM wire bus. And the reason TEE.fail is successful is because they screwed up the crypto as far as I can tell.
> Once you can intercept network traffic and decrypt its game over!
Not sure why you are so hung up on this. You still need to access the memory first. That's what they will detect and prevent. They obviously can't prevent or detect network sniffing if the key is known.
> You do not need an ASIC to interpose DDR5 and steal all the traffic, there are FPGAs that are powerful enough. Once PCIE DMA cards go the way of the dino with IOMMU people will just switch to memory interposers with FPGAs
I've made FPGA designs previously, including custom PCIe DMA cards back in ~2018. It would surprise me if you could find an FPGA capable of reliably sniffing DDR5 6000+ MT/s without crashing the host system. FPGAs are not nearly as fast as CPUs. Maybe you could somehow hack an FPGA DDR memory interface. But finding one fast enough for DDR5 is probably impossible (or terribly expensive). Maybe https://www.amd.com/en/products/adaptive-socs-and-fpgas/vers... is theoretically possible. But you are looking at a $10k+ chip, if not $20k+. Such a chip is not going to be easily embeddable and likely requires 10s if not 100s of amps of power delivery.
Why do you need to handle DDR5? You can use DDR3 to play the vast majority of competitive video games. It's not hard to find an FPGA that can handle DDR3 or DDR4.
You also don't need to sniff the entirety of the traffic. You just need to introduce aliasing. That is much harder to do for DDR5, but you don't need it to be reliable or stable for a long time, because you won't be sniffing for very long. And you don't need to do 6000+ MT/s either.
As far as I know there are very few systems that support Windows 11 with DDR3.
I think his point was more that if you drop the link rate on DDR5 to sniff then the performance penalty will be very bad. DDR5 starts at 3000.
> I can assure you that you will get banned from a game with a modern anti-cheat using that or you won't even be able to launch the game. Also 'flagged by most anti-cheats' means very little. Most good anti-cheats will delay bans or correlate multiple factors prior to a ban.
Most of what I said is a large oversimplification on the matter. Anti-cheats absolutely do make use of heuristic patterns to flag drivers that are correlated with known cheaters. Drivers are pretty well flagged nowadays by anti-cheats, but Windows does virtually nothing to prevent people from abusing these RWEverything drivers.
> Not sure why you are so hung up on this. You still need to access the memory first. That's what they will detect and prevent. They obviously can't prevent or detect network sniffing if the key is known.
The point is that you don't need a very complicated or long-lived exploit to yoink those keys if you know where to look.
The overarching idea here is that as long as you have physical access to hardware it is going to be very difficult to prevent these kinds of attacks without serious vertical integration, and from whom? Microsoft really don't seem to care much, CPU/motherboard/RAM vendors are benefiting from an open market with shared standards, and anti-cheat/games do not have enough purchasing power to push over consumers.
I can't comment much on FPGAs because I don't know a huge amount about them, so I'll take your point. There are also countless side-channel attacks and ways to leak data from your memory in completely unintended ways, e.g. cache timing or faulty speculative execution.
There are DDR4 interposers you can buy for $50. The basic thing is that you don't need all of the RAM all of the time; you just need to find an address which you can then rewrite to make two valid references to the same physical memory (see: BadRAM/Battering RAM). Then you can use an IOMMU-compliant DMA to access that memory.
Or you can use an FPGA to interpose the RAM and intercept the network traffic for a couple hundred bucks.
Indeed, you can buy a piece of fiberglass shaped correctly for $50. That's not the hard part. Just the probe you are supposed to connect to such a PCB is > 1k USD per pin you need to sample. The oscilloscope / logic analyzer to sample it is likely 6-7 figures.
> Or you can use an FPGA to interpose the RAM and intercept the network traffic for a couple hundred bucks.
What FPGA solution do you have for a couple hundred bucks that could interpose DDR4 RAM at any frequency? This number seems completely made up to me.
I do think a large portion of the huge price for this equipment is that it is very niche and only a few manufacturers, e.g. Keysight/Agilent, make this kind of stuff.
I'm sure if the DMA market goes the way of RAM bus sniffing it will be a year or two before mass-produced products are on the market that can sniff the traffic without much reduction in signal quality and maximum data rate.
This is theoretically possible, but I don't think most cheaters would have the equipment or skill to do this. Cheating is only rampant in games where people can just buy and download cheats... if it requires a lot of skill and hardware, it won't be a big issue.
I'm not sure this is an unpopular opinion. I've seen it suggested multiple times, and IF done correctly (open/transparent) it would solve most of the complaints with the ring-zero anti-cheats. It still won't solve every cheat, especially hardware, social and perhaps good VMs. I would require the app/game to disclose what it requires to be true.