This is a great writeup.
It looks like this driver is being actively used in malware, too: https://www.fortinet.com/blog/threat-research/interlock-rans...
Thanks! I had no idea it was already being used in the wild. It's a good case study for why shipping signed drivers with exposed IOCTLs and weak authentication is such a liability, even if (especially if) the developer never bothers to even load them.
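Since the point above is that a signed third-party driver is an exposed attack surface whether or not anything still loads it, here is an added example (my own, not from the post or from anyone in the thread) of the inventory a defender would run first: list the kernel drivers currently running on a Windows host and flag the ones that did not ship with Windows, together with their signer and signature status. Assumptions: an elevated session, and that the `CompanyName` resource in the PE header is a usable hint for first-party drivers (it is vendor-set, so treat it as a hint, not proof).

```powershell
# Added example (not from the original post or thread): inventory the kernel
# drivers currently running on this host and flag the ones that do not ship
# with Windows, so a defender can review which third-party drivers expose an
# IOCTL attack surface regardless of whether any installed application still
# uses them. Run in an elevated PowerShell session.

function Get-ThirdPartyKernelDrivers {
    [CmdletBinding()]
    param(
        # Drivers whose PE "CompanyName" resource matches this pattern are
        # treated as first-party and skipped. Assumption: inbox drivers carry
        # a Microsoft company name; a few OEM inbox drivers will still show up.
        [string]$FirstPartyPattern = 'Microsoft'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $info = (Get-Item -LiteralPath $path).VersionInfo
            if ($info.CompanyName -match $FirstPartyPattern) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Service     = $_.Name
                Path        = $path
                Company     = $info.CompanyName
                FileVersion = $info.FileVersion
                # Caveat: attestation-signed third-party drivers show a Microsoft
                # signer here ("Microsoft Windows Hardware Compatibility
                # Publisher"), so the signer alone does not prove first-party.
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
            }
        }
}

# Example use: list every running non-Microsoft driver grouped by vendor, then
# check the ones you do not recognise against your software inventory and the
# vendor's advisories before deciding whether the service should stay enabled.
Get-ThirdPartyKernelDrivers | Sort-Object Company, Service | Format-Table -AutoSize
```

Anything in that list whose vendor no longer has a product installed on the machine is exactly the case the comment describes: a signed, loadable driver with nobody maintaining it. Disabling the service (`Set-Service -StartupType Disabled`) is the conservative first step if the vendor's uninstaller is gone.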
Some games are releasing versions without copy protection and/or anti-cheat when they are reaching the end of their useful life for the developers.
I don’t know about that particular game, but it could be the case that the devs intentionally ripped off the driver from it.
Love this type of post, thanks for the writeup.
So could you delete the account from inside the game in the end, or does it require contacting customer support?
Not related to the main contents of the post, but
> For the life of me, I couldn’t find a way to do it without having the game installed. There was no web portal and no obvious support route.
They have an email in their privacy policy, which is generally where you should look if you want to delete your account.
Anti-cheat drivers have indeed turned out to be major security risks on Windows. But I think the blame should not be on game developers because kernel-mode anti-cheat is still one of the only methods that’s reasonably effective — and realistically, you can’t expect every game studio to have the expertise to write secure, reliable kernel drivers.
If Microsoft wants Windows to be more stable and secure, they should provide built-in anti-cheat support in the OS. That would reduce the need for third-party kernel drivers in the first place.
> you can’t expect every game studio to have the expertise to write secure, reliable kernel drivers.
If someone wants to sell something that comes with a driver, the driver needs a modicum of care applied to it. This is of course also on Microsoft for signing these things, although that ship sailed ages ago.
Yes, I wouldn't expect every studio to need their own team - game studios can buy anti-cheat middleware, and the middleware can compete on not being total junk (which is how the industry already works, with a side helping of these more obscure awful drivers and a few big studios with their own).
> If Microsoft wants Windows to be more stable and secure, they should provide built-in anti-cheat support in the OS.
I guess they could have users approve a set of signed applications that would get some "authenticated" way to read address space and have an attestation stapled to it? It's actually kind of an interesting idea. The hardest part here would be that each anti-cheat tries to differentiate with some Weird Trick or another, so homogenizing the process probably isn't appealing to game developers really.
Anti-cheat could go the opposite direction, with basically a "fast reboot" into an attested single process VM sandbox, but this has issues with streaming/overlays and task switching which are a bit thorny. I've always thought that this might be the way to go, though - instead of trying to use all kinds of goofy heuristics and scanning to determine whether the game's address space has been tampered with or there's a certain PCIe driver indicating a malicious DMA device or whatever, just run the game in a separate hypervisor partition with a stripped down kernel+OS, IOMMU-protected memory, and no ability to load any other user code, like a game console lite.
What does built-in anticheat support look like to you? A whitelist of apps you can run? Debuggers not being allowed?
They do, on Xbox OS, which, while based on Windows, isn't exactly the same.
As for plain Windows, let's see how the CrowdStrike changes will reflect on anti-cheats.
https://www.theverge.com/news/692637/microsoft-windows-kerne...
People could also behave, and then no anti-cheats would be needed anywhere, but that is utopia.
> they should provide built-in anti-cheat support in the OS.
As much as I dislike anti-cheat in general (why incorporate it instead of just having proper moderation and/or private servers? Do you need a sketchy third-party kernel level driver to police you to make sure you're "browsing the internet properly in a way that is compliant with company XYZ's policies", or even when running other software like a photo editor, word processor, or anything else? It's _your_ software that you bought.) something similar is already happening with, e.g, Widevine bundled in browsers for DRM-ed video streaming.
I agree that having some first-party or reputable anti-cheat driver or system, is probably preferable than having different studios roll out their own anticheat drivers. (I am aware there are studio-level or common third party common anti-cheat solutions already, such as Denuvo or Vanguard. But I would prefer something better)
> why incorporate it instead of just having proper moderation and/or private servers?
No one wants to become a moderator; they do it out of necessity. So it's pretty much the other way around: a lot of anticheats were, and are, originally developed by community members for private servers (because you're not deploying a 3rd-party anti-cheat onto first-party servers). BattlEye was originally for Battlefield games. PunkBuster for Team Fortress. EasyAntiCheat for Counter-Strike. I even remember the StarCraft: Brood War 3rd-party server ICCUP with a custom 'anti-hack' client requirement.
You still see this today with Counter-Strike 2 private servers like FACEIT: they have additional anti-cheat, not less. Same with GTA V modded private servers: FiveM has an anti-cheat they call adhesive.
And then game developers saw that players were doing that, so they integrated the anti-cheat so that players did not have to download/install it separately. Quake 3 Arena added PunkBuster in an update, for example.
Would that not create the issue that you would only need to find one bypass for said official anti-cheat that then works for all games out there?
I heard that with Denuvo, reverse engineering work needs to be done for each individual target to unprotect it, but I'm not sure whether this would be the case with a first-party anti-cheat driver.
> I agree that having some first-party or reputable anti-cheat driver or system, is probably preferable than having different studios roll out their own anticheat drivers. (I am aware there are studio-level or common third party common anti-cheat solutions already, such as Denuvo or Vanguard. But I would prefer something better)
Only Apple really has enough platform lockdown to achieve that. Whatever Microsoft ships would have more holes than Swiss cheese (not that I'm opposed to that or anything).
> Whatever Microsoft ships would have more holes than swiss cheese
The current execution environment with IOMMU and TPM requirements is changing this rapidly.
Try disabling Windows Defender - good luck.
This is done for the benefit of Hollywood.
>why incorporate it instead of just having proper moderation and/or private servers?
Because game studios these days are all about global matchmaking. Private servers aren't really a thing any more except in more niche games. Instead you (optionally with a party) queue for matchmaking. Every game has to have a ranked ladder these days, it seems.
I miss the days of Tribes 2 or CS 1.6 when games had server browsers.
> Because game studios these days are all about global matchmaking
Why not have moderation then? When participating in an online forum, you are essentially "matchmaking" to a topic or corner of the internet with similar interests. Have some moderators (be it members of the community, or staff) ban players on obvious hacking/cheating or rule-breaking behaviour, and allow members to report any instances of this (I believe this is already a thing in modern video games, I have seen videos of "influencers" getting enraged when losing and reporting players for "stream sniping").
Sure, this might cause the usual issues of creating an echo chamber where mods and admins might unfairly ban members of the community. But you could always just join a different server in that case.
I believe Minecraft has a system similar to what I described: you enter the URL of a server to join, each hosted on its own independent instance (not necessarily hosted by Mojang, the studio behind Minecraft), each with its own unique set of rules and culture, and being banned on one server does not ban you from every other server. Incidentally, Minecraft also does not have kernel-level anticheat, and still very successfully manages to be one of the most popular games around (by some accounts, the top-selling game of all time).
> I miss the days of Tribes 2 or CS1.6 when games had server browsers
I do too.
>I believe Minecraft has a system similar to what I described
Except every big server has to run an anticheat. Some servers even required clients with client-side anticheats. Some servers required you to screen share with a moderator, and they would go through the files on your computer to look for cheats. Exploiting people for free labor to moderate servers was never enough to stop the issues cheating had. Even with these volunteers, anticheat was essential for seeing which players were flagging checks, to know whom to watch.
> Except every big server has to run an anticheat. Some servers required clients with client side anticheats even.
I am fine with anticheat on the server-side to help volunteers/moderators find issues, since it does not force the user to install any sketchy kernel-level software. As for the servers that require client-side anticheats, I was unaware there are Minecraft servers that do this (though I do not doubt you, and believe you when you say they exist), and can't speak to it.
> Some servers required you to screen share with a moderator and they would go through the files on your computer to look for cheats.
I was not aware this is a practice that some servers do. It is beyond ridiculous to ask to screen share just to verify no cheats were involved imo, and is a major invasion of privacy. The only scenario I can see this being okay, is in a physically hosted event, where players are playing on devices provided by the event organisers, so there would be no expectation of privacy in any case, in the same way you do not have an expectation of privacy on a work device.
In both cases, you could always find a different server that does not run anticheat, or even start your own server (if you were willing to do that). This isn't something that can even be done in other modern games that employ anticheat drivers and only allow connecting to their single official server.
Re: exploiting people for free labor to moderate servers
Nobody is forcing them to do it, I imagine they do it because they enjoy it and want to give back to the community, the same way someone would contribute to open source or moderate a forum in their spare time. In any case, is it always "free labor"? I have heard of paid-transactions and/or donations, sponsors, or servers being hosted by streamers who have other sources of income to pay for moderators. Though admittedly, I am not familiar with Minecraft in particular and if this is actually the case in most servers.
>the same way someone would contribute to open source or moderate a forum in their spare time
It would be like open source business where the owner makes millions of dollars a month off the software and then tries to get people to work for him for free to make him even more money. The volunteers do all the work and the owner makes all of the money.
This is a lost battle: you have cheaters on consoles, which are more locked down than PCs ever will be. You can't remove cheating with software.
Sorry, game companies, the answer is paid moderation. I know it costs money and I know you don't like to pay, but there's no way around it.
Or small-group servers. You cheat on the internet because you're a nobody. You don't cheat with your friends because your friends will disown you.
If a surgeon does not have the expertise to perform a surgery, they probably shouldn’t cut into you.
If the company lacks the competency to write secure drivers, they should outsource the work or have it validated externally.
These things could be solved by spending money. Stop excusing dangerous actions performed in the name of greed.
Exactly, which is why Microsoft should be the one writing the kernel code needed for ensuring the integrity of games. Microsoft needs to develop ways to allow games to run in an isolated VM that is hardware-protected from the main operating system and ensures strong hardware security, so cheaters cannot simply attach malicious devices to the PCI bus to DMA sensitive data.
As an indie game developer, how do I get my game into this system and how do I debug it?
For this theoretical feature, Windows would do it automatically for apps that opt in.
For debugging you would either not have this feature enabled, or you would build a custom build that included a debugger in the secure environment. If you needed to connect to production servers, you could whitelist your account to be ignored by the anticheat, since your server would know you are not playing with an official build.
> attach malicious devices to the PCI bus to DMA sensitive data
How do you do this on a modern system with TPMs and IOMMU enabled?
You pretend to be a device with a driver not compatible with IOMMU.
Sadly not all Windows machines are able to use kernel DMA protection, so for those machines nothing will stop you.
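As an added example (mine, not from anyone in the thread), this is how a defender would check whether a given Windows host actually has the protections this sub-thread argues about, so the "nothing will stop you" machines can be found and triaged: VBS/HVCI running, IOMMU-based DMA protection available, and a TPM present. Assumptions: the `Win32_DeviceGuard` WMI class and the `Get-Tpm` cmdlet are available, and the documented code points (2 = HVCI in `SecurityServicesRunning`, 3 = DMA protection in `AvailableSecurityProperties`, 2 = running in `VirtualizationBasedSecurityStatus`) apply to the Windows build in question.

```powershell
# Added example, not from the thread. Reports the hardware-backed protections
# discussed above for the local host. Run in an elevated PowerShell session.
# Assumed (documented) code points for Win32_DeviceGuard:
#   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
#   SecurityServicesRunning:           2 = HVCI (memory integrity)
#   AvailableSecurityProperties:       3 = DMA protection (IOMMU in use)

function Get-KernelProtectionPosture {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-Tpm -ErrorAction SilentlyContinue   # $null if no TPM or no TPM module

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
        DmaProtectionAvail = ($dg.AvailableSecurityProperties -contains 3)
        TpmPresent         = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady           = [bool]($tpm -and $tpm.TpmReady)
    }
}

# A host without IOMMU-based DMA protection cannot fence a hot-plugged
# bus-master device, which is the exposure the reply above describes. Turn the
# posture into a one-line verdict so it can be collected fleet-wide.
function Test-DmaExposure {
    param([Parameter(Mandatory)]$Posture)
    if (-not $Posture.DmaProtectionAvail) {
        return 'EXPOSED: no IOMMU-based DMA protection; rely on physical controls and disable unused external ports'
    }
    if (-not $Posture.VbsRunning) {
        return 'PARTIAL: DMA protection available but VBS not running; enable memory integrity'
    }
    return 'OK: DMA protection available and VBS running'
}

$posture = Get-KernelProtectionPosture
$posture | Format-List
Test-DmaExposure -Posture $posture
```

`msinfo32` shows the same information under "Kernel DMA Protection" and "Virtualization-based security" if you want to cross-check a single machine by hand; the script form is what you would push through your endpoint management tool to find the hosts the comment above is talking about.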
It is not realistic to expect every game developer to invest a lot of money into security. It's like asking every apartment building to run its own fire department.
The responsibility of securing a platform should not fall on application developers anyway.
Microsoft could easily secure Windows by blocking all rootkits/"kernel anti-cheat". At this point that's probably the best option.
Games should never have kernel level access.
Yes it is, and liability across the industry is already late.
By the way, in some countries apartment buildings need several licenses, including one from the fire department, before being allowed to have people living in them.
The problem is that general purpose computing platforms are not supposed to be secured against the user. That's a WONTFIX.
User ownership of their devices has been fixed on every platform except PCs.
It's not the nurse's job to perform surgery either; that's why they don't.