
Anti-cheat kernel driver - pozibrothers
https://na.leagueoflegends.com/en-us/news/dev/dev-null-anti-cheat-kernel-driver/
======
dmitrygr
> This isn’t giving us any surveillance capability we didn’t already have. If
> we cared about grandma’s secret recipe for the perfect Christmas casserole,
> we’d find no issue in obtaining it strictly from user-mode and then selling
> it to The Food Network. The purpose of this upgrade is to monitor system
> state for integrity (so we can trust our data) and to make it harder for
> cheaters to tamper with our games (so you can’t blame aimbots for personal
> failure).

these guys are pretty cavalier about shoving themselves into the kernel...

~~~
matheusmoreira
Yes. It betrays a fundamental lack of respect for the user of the computer.

They don't think of themselves as guests who have the _privilege_ of being
installed on people's computers. They actually think they _own_ our machines.
In their opinion, the mere existence of cheats is an affront to their divine
authority over _our_ domains. To them, we are merely an adversary who must be
attacked and defeated preemptively before we do something we aren't supposed
to do. Our power, freedom and autonomy must be taken away for the sake of
their security and the integrity of their video game.

This is unacceptable. Game companies don't get to decide what we can or can't
do with _our_ computers. Users are free and they own the machine. If they want
to run client-side cheats, so be it. It's not like they're cracking and taking
over the game company's servers. If they disrespect users by messing with
their computers, they should not be surprised when users show them who's
really in charge.

We have quality and trust issues with drivers written by _hardware
manufacturers_ and we're finally getting them to contribute free or open
source versions. The situation is finally improving. Proprietary cheating
prevention software is the last thing we need running in kernel mode right
now.

Besides, the video games industry doesn't deserve our trust. For example,
capcom.sys had privilege escalation _as a feature_ :

[https://twitter.com/TheWack0lian/status/779397840762245124/](https://twitter.com/TheWack0lian/status/779397840762245124/)

[https://www.theregister.co.uk/2016/09/23/capcom_street_fight...](https://www.theregister.co.uk/2016/09/23/capcom_street_fighter_v/)

The privacy policies and terms of service associated with existing cheating
prevention software don't exactly inspire confidence either. They collect and
transmit _a lot_ of personal information and will even take screen shots. It's
unwise to run this software in anything but a completely isolated environment,
to say nothing of kernel mode. Unfortunately, the ability to run the game in a
completely isolated and controlled environment is exactly what enables us to
hack it and cheat. They're going to have to live with that.

~~~
nitrogen
Have you ever played a multiplayer game when someone else is cheating?

~~~
matheusmoreira
Yes. I don't see how that is relevant though.

It doesn't matter how bad the cheating gets. Sacrificing our computing freedom
and privacy is simply not okay. These principles are far more important than
having an online gaming experience that's free of cheaters. It is better to
crack and remove the game's invasive modules than to let it run freely on our
machines.

The truth is online multiplayer gaming is fundamentally broken. We're playing
with strangers we don't know much less trust. We must play only with people we
know personally and trust.

~~~
stavrus
You don't have to sacrifice your computing freedom and privacy. These
anti-cheating modules tend to be explained to you upon game installation, so if
you're not comfortable with what they do then just cancel the installation.
You're not forced to play the game, but the modules are part of the game's
rules and you have to adhere to them if you want to play it.

All the participants of a game agree to a common set of rules required to make
the game fun, fair, and enjoyable. And this is true of any game, from online
games such as LoL to offline games like poker and soccer. Unfortunately the
prevalence of cheating has made the anti-cheating modules another bullet point
on that set of rules for online games. There's still plenty of games out there
that you can play with people you know personally and can trust, but I
certainly cannot find and organize 59 other people to play Battle Royale
shooters with me within minutes of wanting to play a match on my schedule, so
I'm ok with the trade-offs involved in making that possible. Just please don't
force your principled stance on others.

~~~
matheusmoreira
> Just please don't force your principled stance on others.

I'm not forcing it on anyone. Users are free to install and use the invasive
software if they don't care about the implications. They're also free to
circumvent the software and play the game without it. It's an individual
decision. People shouldn't have to abstain from playing a game they bought
because the game company doesn't have total access to their machine.

The point I'm making is game companies shouldn't be shipping invasive software
at all regardless of what it's used for. They need to come up with better ways
to detect cheaters. Methods that work on the server side. For example, traffic
analysis can be used to detect bots:

[https://www.iis.sinica.edu.tw/~swc/pub/bot_identification.ht...](https://www.iis.sinica.edu.tw/~swc/pub/bot_identification.html)

~~~
stavrus
> They're also free to circumvent the software and play the game without it
> [...] People shouldn't have to abstain from playing a game they bought
> because the game company doesn't have total access to their machine.

Imagine we're playing soccer. We both know the rules. However I don't really
like how those rules restrict me from using my hands when I'm not a goalie.
You could say that I feel like the rules shouldn't have total access to
dictate what I can and can't do with my body. But you want to play soccer and
the rules that go with it. Who should abstain from playing the game?*

* For the sake of this example, please don't suggest saying that the rules
should be changed by the players to accommodate both. This isn't a possibility
in video games for the players. They can either choose to play with the
existing ruleset or not play at all.

** If your suggestion is to just avoid players that don't want to follow the
rules, with the game providing this as an in-game mechanism, please be aware
this doesn't really work and is very ripe for abuse. There was a case early on
in Overwatch where they had a top player complaining that they were no longer
getting into games successfully. An investigation revealed that they were so
good at the character they were playing -- a sniper -- that their opponents
didn't want to play against him/her and thus used the in-game avoidance
feature to do so. This had the net result of the match-making system not
finding enough players for him/her to play against anymore.

> They need to come up with better ways to detect cheaters. Methods that work
> on the server side.

But they are coming up with better ways to detect cheaters, and it's through
these kernel drivers. Ultimately, differentiating between a regular player and
a cheater is a matter of how many signals you can analyze. The quality of the
model you can build for identifying cheaters increases as you add more
signals. And with a good enough model you can reach a certainty level that
allows you to comfortably start issuing bans. You can see it with the link you
provided, where the researchers found a way to add more signals to the model
by analyzing the network traffic patterns.

Unfortunately, server-side detection can only get you so far. If a player
turns on a wallhack, what signal can the server use to figure out what's going
on? If my LoL champion has a defensive ability that I can use to dodge
attacks, and my cheat program can detect incoming attacks that'll hurt me and
activate it for me, with it programmed to have a minimum time to activation in
order to pretend the reaction time is human, what can the server do to detect
this?

Ultimately, to answer these questions you have to start asking the client to
assist you by providing more signals, but when the client is under user
control it's trivial to lie to it. Hence the need to move some of the
anti-cheat code to driver-space.

By the way, server-side detection doesn't really account for the reality of
how cheaters actually cheat. Fancy detection methods like dynamic Bayesian
networks for statistically analyzing shooting accuracy in FPSes sound great in
theory, but aimbots don't really snap to players' heads anymore. Instead they
guide the player's aim when toggled on and only do this gently, so that even
human reviewers have a tough time seeing what's going on. The intent there is
to increase the uncertainty level of the model declaring the player a cheater,
as companies fear banning players accidentally and will only issue bans once
they are positively sure the player is a cheater.

I'm sure Riot and many other game companies are using as many server-side
detection methods as they can, so what exactly do you expect the game
companies to do when they run out of available server-side detection methods
and still have a cheater problem to deal with that affects their bottom line?

~~~
matheusmoreira
> You could say that I feel like the rules shouldn't have total access to
> dictate what I can and can't do with my body.

Depends on what they have total access to. There is no problem with having
total access to the playing field and monitoring it. I would object if they
came up with a brain implant that could figure out whether players were diving
and made it mandatory for every player to wear it in order to play.

> For the sake of this example, please don't suggest saying that the rules
> should be changed by the players to accommodate both.

I'm not saying that. My problem is purely with the invasive detection
software.

> please be aware this doesn't really work and is very ripe for abuse

> This had the net result of the match-making system not finding enough
> players for him/her to play against anymore.

This _is_ a problem but it's a match making problem. People prefer to play
with others of similar skill since being beaten over and over again is too
frustrating. The better the player gets, the harder it is to find others of
similar ability. I don't know the answer to this problem.

In this case people are still playing with strangers they don't know or trust,
players who could be cheating. I think people should play with real life
friends who they know and trust in real life. Much smaller groups that can
police themselves. I've met competitive players who are part of local groups
and who play only with each other so there are people doing this.

> Ultimately, to answer these questions you have to start asking the client to
> assist you by providing more signals, but when the client is under user
> control it's trivial to lie to it. Hence the need to move some of the
> anti-cheat code to driver-space.

Kernel mode is _still_ under the control of the user. Their detection software
got way more invasive but it _still_ can't make any guarantees.

They are trying to secure their game client against an adversary who has full
physical and logical access to the entire system. Nothing they do can take
control away from the user. They can only make it hard enough to prevent most
people from trying.

> so what exactly do you expect the game companies to do when they run out of
> available server-side detection methods and still have a cheater problem to
> deal with that affects their bottom line?

I don't have an answer. I just hope they can come up with something that
doesn't require me to place so much trust in them.

~~~
AnIdiotOnTheNet
> The better the player gets, the harder it is to find others of similar
> ability. I don't know the answer to this problem.

Make it fun to lose too.

In the before times, in the long long ago, there was a Half-Life mod called
Natural Selection that I played entirely too much of. It was an asymmetrical
FPS/RTS hybrid. In the earlier versions (pre 3.0, I think), Aliens were
considered to have a slight advantage over Marines, however this was ok
because losing as Marines was a lot more fun than losing as Aliens because
they got to roleplay the Alamo by locking down their last base with ludicrous
defensive measures and holding out against wave after wave of Alien attacks.
This strategy would actually rarely result in a sudden turn around in the game
as it was possible for a skilled Marine to escape through the Alien horde and
find a quiet spot to begin construction of a stealth hail-mary base, or get
in position to just barely kill a hive before they could be taken out. For
mechanical reasons, this strategy was not possible on the Alien side and
consequently losing as Aliens was an exercise in waiting to be curb stomped
and no fun at all.

------
JohnFen
I understand why anticheat software exists, and why it's getting increasingly
intrusive (and therefore risky). I'm not arguing that there's anything wrong
with it.

That said, the existence of cheaters is one of the big reasons why I don't
play such games -- and that games include anticheating software is another one
of the big reasons, equal to the existence of cheating in terms of how
objectionable I find it.

From my point of view, this situation is nothing but a massive train wreck.

~~~
matheusmoreira
The fact is online multiplayer games are fundamentally broken. It depends on
trust and that's rare because almost no one knows each other. Everyone's a
stranger. It's just random people playing together. People find ways to cheat
even on trusted platforms like game consoles.

People should be playing online with others they personally know and trust.

~~~
comex
Fundamentally broken in theory. In practice:

- The percentage of people who want to cheat is not that high.

- Any cheat that spreads widely enough can be obtained by the developers and
detected. Cheat developers can and do sell exclusive cheats to smaller groups
of people, but fewer people using the cheat also means less disruption.

- With tactics like delayed ban waves, game developers can make cheating
risky enough to create an effective deterrence, even if they don't actually
catch all cheats.

- If all else fails, game developers can have players manually review other
players' replays for cheating, like with Overwatch for CS:GO (not to be
confused with Overwatch the game). So obvious cheating will be caught, and if
people make their cheating non-obvious, well, that also makes it less likely
to annoy other players.

These measures can't stop all cheating, but they don't have to; they just have
to deter it enough that it doesn't unduly hamper most players' experiences. In
practice, it seems like most games are able to accomplish this.

~~~
JohnFen
But these games commonly employ intrusive anticheating software, do they not?
Regardless of its effectiveness, that counts as a large part of the genre
being fundamentally broken.

~~~
navjack27
CS:GO isn't intrusive at all

------
e2le
It's getting more and more risky to do gaming and everything else on the same
computer. With how intrusive anti-cheat software is becoming, I feel less and
less safe running these games.

------
mkj
I guess next step is for cheat software to run in a hypervisor. Now what're
you gonna do!

~~~
akersten
Yep. The article even smugly tries to boast about how they're _adults_ and
_understand these things_ :

> We haven’t needed both arms yet, primarily because we have the advantage of
> steady paychecks and the lack of strict bedtimes at our immediate disposal.
> But as much as we might like the idea of an ever-escalating appsec war with
> teenagers,

And yet they fail to realize that they're playing in to the very cat-and-mouse
game they deride. I _can't wait_ until this escalates into "ok, well, now you
need Intel TSX with Secure Enclave to verify that you're using the League
video driver, and our proprietary USB dongle to play our game."

Spoilers: the teenagers will always win; you can never trust a client no
matter how many technical barriers you erect. Look to the entire legacy of DRM
for how this strategy has been tried and has failed. Server-side statistics
are the only hope against serial cheaters - they're barking up the wrong tree
here.

~~~
nebulous1
> Spoilers: the teenagers will always win; you can never trust a client no
> matter how many technical barriers you erect.

I think if we accept SGX-type technology onto our systems then they can at
some stage win this battle, at least theoretically. This is assuming that the
SGX-like tech can't be practicably attacked, which isn't currently a valid
assumption but could, at least theoretically, be in the future.

This differs from non-hardware drm which is basically just obfuscation, and
which the method they're currently describing is merely an extension of.

~~~
sudosysgen
Even SGX based methods could be bypassed.

You could do DMA on the video-game memory, you could plug the monitor HDMI
cable into a raspberry pi 5 or 6 camera input and do framebuffer based aimbot,
you could stealthily modify the GPU drivers to give you data before some
processing stages (you could probably do that without leaving anything in CPU
RAM for too long), and so on.

~~~
nebulous1
> could do DMA on the video-game memory

The SGX won't allow you to do this as the memory is encrypted.

> plug the monitor HDMI cable into a raspberry pi 5 or 6

I don't know if the pi is powerful enough for that or not, and an HDCP-type
extension to what's coming out of the SGX could stop it, but ultimately yeah,
you could have a robot play the game for you.

> stealthily modify the GPU drivers

Again, SGX type systems aren't going to allow that. This side of SGX type
systems is all about trying to make your computer act how the developer wanted
it to, regardless of your wishes or a malicious actor's wishes.

------
shmerl
Sounds like malware to me. Justifying this level of intrusion in your system
with "preventing cheating" is unacceptable.

If they want anti-cheats, let them develop AI that looks for non human and
unnatural behavior on the server side. They should have no business snooping
on the user, let alone having kernel access while doing it.

------
Franciscouzo
Permalink: [https://na.leagueoflegends.com/en-us/news/dev/dev-null-anti-...](https://na.leagueoflegends.com/en-us/news/dev/dev-null-anti-cheat-kernel-driver/)

If you don't live in North America, you'll get redirected to a local subdomain
and get a 404.

~~~
dang
OK, we've changed to that from [https://leagueoflegends.com/news/dev/dev-null-anti-cheat-ker...](https://leagueoflegends.com/news/dev/dev-null-anti-cheat-kernel-driver/). Thanks!

------
wrmsr
Back in the day someone figured out that punkbuster blindly scanned physmem
for illegal string literals and banned on detecting them no matter what
process they belonged to. They then posted one of those strings to #findscrim
on gamesurge (or whichever it was at the time) and the channel quickly
exploded with hundreds of people saying they just got pb banned for no reason.
It was magical.

Short of baking it directly into silicon, client-side security is an oxymoron.

------
bob1029
Ah yes. A kernel-level security feature provided by a software company
wholly-owned by a Chinese conglomerate.

I do not think I will continue running their software on my machines.

Also, many other posters here have commented that kernel-level mitigations are
futile in the face of hypervisor or hardware attacks. What's to stop me from
altering system memory arbitrarily using a PCIe device I control externally?
How would you even detect this from the perspective of the OS kernel? What if
I compromise the private key in the game's network "security" layer and start
reading & altering packets? Unless you 100% control the hardware (including
mouse, keyboard and monitor, network, internet backbone, etc), you will always
have this problem. The only way to have a cheat-proof gaming experience is to
set up a LAN tournament and have all hardware provided to players (and even
then, you should pour epoxy into the USB ports).

At some point you are going to have to start looking in other directions for
solutions to this problem. I believe other games have started using
statistical and machine learning systems to detect cheaters rather than trying
to match arbitrary binary hashes on my machine (which is what I presume Riot
is going to do here). I feel statistical soft-ban systems are a much more
reasonable way to handle this problem than the 100% confirmed binary signature
permaban systems that seem an obsessive fantasy for some in the industry.
Statistical methods directly deal with the impact of the problem whereas
perfect match only gets at one of an infinite number of possible causes.
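
Stavrus's reasoning above (detection quality grows with the number of signals, action is taken only past a certainty threshold, and a cheat that humanizes its timing raises the model's uncertainty) and bob1029's preference for statistical soft-ban systems over binary-signature permabans can both be seen in a small server-side screener. The following is an added example, not code from Riot, from the linked article or from any commenter; the human reaction floor, the typical human variability, the thresholds and the four traces are all constructed assumptions for illustration.

```python
"""Server-side reaction-time screening (added illustration, not Riot's code).

Input: per-player lists of reaction times in milliseconds, i.e. the delay
between an incoming attack appearing and the player activating a dodge.
Two signals are derived: the fraction of reactions below a human floor, and
how unnaturally consistent the reactions are. Outcomes are graded (clear /
review / soft_flag) and require a minimum sample size, rather than banning
on a single hit.
"""
from statistics import mean, pstdev

# Assumed constants for illustration; a real system would fit these from data.
HUMAN_MIN_REACTION_MS = 150   # reactions faster than this are treated as non-human
HUMAN_TYPICAL_CV = 0.20       # coefficient of variation a human player shows
MIN_SAMPLES = 8               # do not judge anyone on fewer observations
REVIEW_THRESHOLD = 0.30       # queue for human / replay review
FLAG_THRESHOLD = 0.90         # apply a soft, appealable restriction


def reaction_signals(reactions_ms):
    """Return (sub_floor_fraction, consistency) for one player's reactions.

    sub_floor_fraction: share of reactions faster than a human could manage.
    consistency: 1.0 when every reaction is identical (scripted fixed delay),
    decaying to 0.0 once the spread matches a human's (cv >= HUMAN_TYPICAL_CV).
    """
    n = len(reactions_ms)
    if n == 0:
        return 0.0, 0.0
    sub_floor = sum(1 for r in reactions_ms if r < HUMAN_MIN_REACTION_MS) / n
    avg = mean(reactions_ms)
    cv = pstdev(reactions_ms) / avg if avg > 0 else 0.0
    consistency = max(0.0, 1.0 - cv / HUMAN_TYPICAL_CV)
    return sub_floor, consistency


def suspicion_score(reactions_ms):
    """A player is as suspicious as their strongest signal (0.0 .. 1.0)."""
    return max(reaction_signals(reactions_ms))


def decide(score, n_samples):
    """Graded outcome; nothing here issues a permanent ban automatically."""
    if n_samples < MIN_SAMPLES:
        return "insufficient_data"
    if score >= FLAG_THRESHOLD:
        return "soft_flag"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "clear"


def screen_player(reactions_ms):
    """Return (score, decision) for one player's observed reactions."""
    score = suspicion_score(reactions_ms)
    return score, decide(score, len(reactions_ms))


# Constructed traces (milliseconds), not real telemetry.
TRACES = {
    "human":             [210, 260, 190, 310, 240, 280, 230, 350, 200, 270],
    "naive_script":      [12, 15, 11, 14, 13, 12, 15, 11, 13, 14],
    "fixed_delay_cheat": [220, 225, 218, 222, 221, 219, 223, 220, 224, 218],
    "jittered_cheat":    [205, 270, 190, 240, 260, 215, 290, 230, 200, 250],
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        score, decision = screen_player(trace)
        print(f"{name:18s} score={score:.3f} -> {decision}")
```

Run stand-alone it prints one line per trace. The naive script and the fixed-delay cheat are caught by different signals (speed versus consistency), the human trace clears, and the jittered cheat lands only in the review zone: that is the uncertainty stavrus describes, and the reason the top outcome is an appealable soft flag rather than the signature permaban bob1029 objects to.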

~~~
Fire-Dragon-DoL
Problem with those systems are the forums full of completely innocent people
being banned

~~~
zenexer
Completely innocent people also get banned by clientside systems. Accidentally
left some programming tools open from work, particularly for debugging or
reverse engineering? Expect a ban. Tried to run the game on an unsupported
platform, e.g. via WINE? Ban:
[https://www.reddit.com/r/linux_gaming/comments/9uk38b/was_ba...](https://www.reddit.com/r/linux_gaming/comments/9uk38b/was_banned_for_playing_destiny_2_in_wine/)

~~~
bob1029
This is what happened to me on VAC. I was running some memory snooping tool
for experimenting with an entirely unrelated process. It was simply minimized
and I forgot it was running. At some point I then decided to play a game of
TF2. A few days later the permaban hits with zero chance for recourse. I am
far more open to a softer ban system where I can actually appeal a ban if
something goes wrong.

------
qalmakka
Isn't it ironic that this article starts with /dev/null, clearly a UNIX
reference, while they actively ban people running their game under Wine?

~~~
Spivak
I'm not exactly sure what studios to do in this situation -- WINE looks like
cheating. It's not like there's some secret council that's like "mruhahaha
Fortnite will be the destruction of gaming on Linux" -- it's that having
stronger cheating protections is worth more than losing the revenue of
Linux gamers.

The number of Linux gamers who can't/won't boot into Windows for a game is a
tiny portion of an already tiny market.

~~~
qalmakka
Don't call your mailing list "/dev/null" then, because it does not sound very
appropriate given the recent policies Riot has chosen to apply? To me, it
makes zero sense to showcase a Windows-specific product by writing a blog post
starting "/dev/null", right after openly saying Linux/macOS/BSD users can go
screw themselves. It just feels like an improper appropriation of sorts.

------
duskwuff
There's a disappointing lack of any detail in this article.

------
comex
So what will they do for Wine users who don't have a Windows kernel to put a
driver in?

~~~
dyingkneepad
Ban them, since they probably don't care about these 5 people.

[https://www.phoronix.com/scan.php?page=news_item&px=Blizzard...](https://www.phoronix.com/scan.php?page=news_item&px=Blizzard-Banning-DXVK-Wine)

[https://www.bleepingcomputer.com/news/gaming/linux-gamers-ba...](https://www.bleepingcomputer.com/news/gaming/linux-gamers-banned-in-battlefield-v-if-using-wine-and-dxvk/)

------
exikyut
Two points:

1. I'm reminded of the exploitability of the rootkits folded into games like
MapleStory a few years ago. Anybody with the rootkits installed had
kernel-level authority available for the taking. Unfortunately I don't
remember the exact details, but my vague memory suggests this was unfixed for
years.

2. Link-chaining a bit I got to
[https://www.youtube.com/watch?v=rj6ukLPiY10](https://www.youtube.com/watch?v=rj6ukLPiY10),
"The Norwegian CS Cheating Scandal". I didn't watch the video but I did read
the top comment, which rightfully highlighted the utter inability for software
to detect cheating via DMA (in the noted case over PCI-e, but potentially
theoretically doable over Thunderbolt and FireWire too).

Hopefully these rootkits are a bit better at doing one thing and doing it
better than the iPhone SecureROM ;)

Most seem to not realize that poking PCI-e isn't that expensive, but
thankfully the specialist reverse engineering skills required are still well
outside the 14-year-old script kiddie attention span.

~~~
sudosysgen
You know that most cheats aren't free to begin with? They can actually get
quite expensive. No reason you couldn't buy the device.

Cheat production is a very big and very profitable industry.

------
tomc1985
These horrible analogies make me want to stab the writer with a pen

How about he just writes technically and lets reddit comments translate? I'm
so sick of writers' concerns for illiterate proles (along with, in this case,
a seeming need to maintain the energy and punch of a memetastic
for-12-year-olds YouTuber) ruining perfectly good technical writing

~~~
jitl
I decided to downvote you for both a gate-keeping attitude (how dare a non-SWE
understand a bit of this stuff?) and for name calling, etc. Please
consider learning some empathy.

~~~
tomc1985
How is desiring technical depth in a technical post "gatekeeping"?

The analogies are horribly pained. It is an excess of empathy that ruins
technical writing that could otherwise be quite rich with information. This
attitude of writers having to do all the work needs to end; let the reader do
some of it

Edit: it's reductivist to think that only SWEs would understand this stuff.
Have you forgotten about the legions of IT professionals and computer nerds
that many SWEs came from? The rich history of hacking, much of which this post
laments? Or is that kind of nerditry simply unfashionable nowadays?

~~~
gclawes
Unfortunately, richness of information is probably something they want to
avoid, lest they give cheat programmers any help.

Not that I'm defending this crap, in my mind it's basically a rootkit that can
snoop on anything in your system. Currently trying to figure out how to run
games in a hypervisor.

~~~
tomc1985
I get that, but it's not like a dedicated attacker can't find relevant
information elsewhere.

If your adversary controls the hardware, you've already lost

Which explains why most of the moneymen in this industry push so hard to
control hardware we've bought and paid for -- and in many cases built.

------
lisk1
On the bright side, devs can massively profit from cheaters. For example EFT:
over the past 5-6 months they banned several thousand accounts for cheating,
and I'm pretty sure at least 50% of the banned cheaters bought new accounts
until the next time their account gets banned. So it can be a profitable
cat-and-mouse game if the devs play smart.

------
dyingkneepad
I wonder if we'll have a future where it's relatively easy to setup a camera
to record your screen in another computer and a little custom mouse/keyboard
pair to do actions based on the camera input.

~~~
slezyr
Mouse/keyboard scripts are already a thing.

[https://www.reddit.com/r/playrust/comments/c8h81n/please_fac...](https://www.reddit.com/r/playrust/comments/c8h81n/please_facepunch_look_further_into_bloody_mouse/)

------
HelloNurse
I planned to set aside one evening this week to update and play League of
Legends, but I'll uninstall it instead.

------
aey
Why not a trusted boot into a live CD that only runs the game?

~~~
wink
Not sure how good the adoption would be. Laziness wins. It's the number one
reason why my big machine is the only one I run Windows and not Linux on.
Don't want to reboot all the time.

~~~
aey
I think we are getting to an age where reboots could be near instant.

------
madacol
404 response from link

------
crazypython
Title should be changed to "League of Legends to use kernel driver to enforce
anti-cheat." I thought the article had something to do with the device null.

~~~
MuffinFlavored
Does this mean the app will need to run as root while the user is playing?

~~~
outworlder
No but the cheat software will run in the kernel. Which is > than root.

In all likelihood – unless these guys are uncharacteristically careful – it
will stay there even when you are not playing and become an attack vector.

~~~
DoofusOfDeath
> In all likelihood – unless these guys are uncharacteristically careful – it
> will stay there even when you are not playing and become an attack vector.

Might it be an attack vector even _while_ the game is playing?

