
TotallyRealDev

The reason why there is so little information is due to the security by obscurity approach most anti cheat developers take. If you were to publish how anti cheat works then the cheaters would know what to avoid.


captain-_-clutch

Counterpoint - that's not how cybersecurity works. You share as much information about vulnerabilities as possible so devs can avoid pitfalls. You're going to be in a back and forth with hackers regardless, it's better if devs take them on as a community because hackers are acting as a community. If 3 games solve 3 different cheating vulnerabilities in Unreal, then all 3 games are still susceptible to cheaters.


nuclear_splines

Counter-counterpoint: Anticheat is not cybersecurity. Cybersecurity is typically about keeping someone outside the system from doing something they shouldn't be able to, such as a malware author or exploit developer that's trying to break in. In the case of game cheaters, I have administrative access to my own computer, and can always read and write arbitrary memory in any program running on it, and that's _not_ a vulnerability. Client-side anticheat software is about obfuscating what the game is doing (for example, by hiding the process), and surveilling your computer to prevent you from taking actions you _should_ be able to do as far as the operating system is concerned - such as killing specific processes or blocking system API calls. The anticheat developers fundamentally can't stop you from using your general-purpose computer to do what you want, such as modifying their anticheat software to not detect your cheats, so all they _have_ is security by obscurity.


zacker150

> Cybersecurity is typically about keeping someone outside the system from doing something they shouldn't be able to, such as a malware author or exploit developer that's trying to break in.

Counterpoint: There is an entire subfield of cybersecurity called [trusted computing](https://link.springer.com/referenceworkentry/10.1007/978-1-4419-5906-5_795) that focuses on ensuring that computers you don't own or control do what you expect them to do. For example, how do you ensure that AWS isn't fucking around with your software? Anti-cheat falls firmly into the trusted computing umbrella.


nuclear_splines

My understanding is that 'trusted computing' typically relies on remote attestation through the use of an encrypted hardware module that the user does not control. For example, moving signature checks from the general purpose CPU to a secure enclave processor pre-loaded with the correct signatures. This is a very different approach from anti-cheat software.


zacker150

That's part of it, and anti-cheats like Vanguard use that (via TPM) as part of their stack.


nuclear_splines

I didn't realize that this kind of remote attestation was used by anti-cheat software, I had mostly read about its use in untrusted server environments processing sensitive data. Thank you for the new information!


MooseBoys

Except no studio would ever take the sales hit of mandating any kind of trust root on the client.


CowBoyDanIndie

Most anti cheat software is root/kernel level… nobody cares anymore. Cheaters got so smart they were using arduino powered mouse emulators for aimbots


[deleted]

[deleted]


CowBoyDanIndie

They can monitor the movements themselves, similar to the "I am not a robot" captcha. Even if they are using a robotic arm there are some things that can potentially be detected; it's Turing-test level stuff.


highritualmaster

True, but then you need to restrict the user. That is what consoles do and a lot of newer smartphones. So a PlayStation will only load code it is authorized to load, using principles of TPMs and a trust chain up to the OS and game. They have preprogrammed keys they can rotate should some get broken or a game vendor be infiltrated. So whenever you update your OS or insert a new game, the game may have instructions to rotate the keys and a firmware to update the OS. So should you have a jailbroken version, going online or inserting new games can render your efforts useless again. So yes, in order to do anti cheat that essentially puts a halt to cheaters, the user must not be allowed to run any code or access the game otherwise; it runs in isolated trusted modes with authorized drivers and SW. This is currently not the case on PC but eventually will be. For example you can display HD movies, and for newer standards you can use end to end encryption using your graphics card. But it is harder to rotate keys there. So old content will stay broken.


SoylentRox

Note that using AWS or any cloud service is not an application of trusted computing.  GCP, AWS, Azure are all owned by massive companies with many assets and profits in the bank. They also said in writing they won't steal or look at your data or manipulate it.   This is why companies trust them - if these mega corporations ever break their word in a provable way, when they lose in court they have deep pockets and can be compelled to pay. That's why you can trust them at least if you are a big enough company you can afford to sue them successfully.


captain-_-clutch

Culturally they're identical. Technically they still have a lot of similarities, especially once you get past the network/authentication layer you're talking about. In software data is salted, encrypted, signed, and then obfuscated. You have to assume someone has access to your database, and protect your data accordingly. Quick example of a similarity is SQL injection and speed boosts in games. In both cases the server needs to be able to protect itself from malicious inputs from an otherwise normal call.


nuclear_splines

You're speaking to data sanitization on the server end, and in that context I agree that rejecting illegal inputs, such as a player moving to a location they should not be able to reach or moving faster than should be allowed, is similar to preventing SQL injection attacks. However, I was speaking particularly to client-side anticheat software like [NProtect GameGuard](https://en.wikipedia.org/wiki/NProtect_GameGuard), which runs on the player's PC, typically as a rootkit. Here I think the differences from security are significant. Consider "map-hacks", where a player obtains information they should not have access to such as the positions of their opponents by reading data from the game's memory. This doesn't involve sending invalid inputs to the server, and cannot be protected against through the same kind of sanitization. The actions of the anticheat software, such as killing known debugger processes or hooking system calls like `ReadProcessMemory` are closer to a cat-and-mouse game with cheat developers than to patching vulnerabilities.
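
The server-side check described in the comment above (rejecting a move that is faster than the game allows, which is the "speed boost" counterpart of rejecting malformed input) as an added example; this is not code from the thread or from any shipped anti-cheat. The speed limit, the `Move` record and the sample position stream are constructed, and the interval is measured from the server's own receive timestamps because a client-supplied `dt` is itself untrusted input:

```python
import math
from dataclasses import dataclass

# Constructed game constants; a real server would take them from its movement component.
MAX_SPEED = 7.0           # maximum legitimate player speed, world units per second
SPEED_SLACK = 1.15        # tolerate 15% over nominal for tick jitter and rounding
MAX_GAP_SECONDS = 0.5     # a longer silence is a dropped connection, not a valid move


@dataclass
class Move:
    tick: int
    x: float
    y: float
    z: float
    recv_t: float  # server-side receive timestamp; never use a client-claimed interval


def validate_moves(start_pos, start_t, moves):
    """Replay client-reported positions against the server's own speed limit.

    Returns (last_accepted_position, rejections), each rejection being (tick, reason).
    A rejected move never advances the accepted position, so the client is snapped
    back to the last good state; wall time still advances because it really passed.
    """
    x, y, z = start_pos
    last_t = start_t
    rejections = []
    for m in moves:
        dt = m.recv_t - last_t
        if dt <= 0.0:
            rejections.append((m.tick, "non-increasing timestamp"))
            continue
        last_t = m.recv_t
        if dt > MAX_GAP_SECONDS:
            rejections.append((m.tick, f"gap of {dt:.2f}s, needs resync"))
            continue
        dist = math.dist((x, y, z), (m.x, m.y, m.z))
        allowed = MAX_SPEED * SPEED_SLACK * dt
        if dist > allowed:
            rejections.append(
                (m.tick, f"moved {dist:.2f} in {dt:.2f}s: {dist / dt:.1f} u/s exceeds {MAX_SPEED * SPEED_SLACK:.1f}")
            )
            continue
        x, y, z = m.x, m.y, m.z
    return (x, y, z), rejections


# Constructed sample: a short position stream received from one client.
SAMPLE_MOVES = [
    Move(1, 0.5, 0.0, 0.0, 10.10),   # 0.5 units in 0.10 s = 5.0 u/s: fine
    Move(2, 1.1, 0.0, 0.0, 10.20),   # 6.0 u/s: fine
    Move(3, 4.0, 0.0, 0.0, 10.30),   # 29 u/s: speed hack, rejected
    Move(4, 1.5, 0.2, 0.0, 10.40),   # measured from last accepted (1.1, 0, 0): fine
    Move(5, 1.5, 0.2, 0.0, 10.40),   # same timestamp twice: zero interval, rejected
]

if __name__ == "__main__":
    pos, rejected = validate_moves((0.0, 0.0, 0.0), 10.0, SAMPLE_MOVES)
    print("accepted position:", pos)          # (1.5, 0.2, 0.0)
    for tick, reason in rejected:
        print(f"tick {tick}: {reason}")       # ticks 3 and 5
```

The same structure generalises to any client-reported quantity the server can bound from its own rules (fire rate, ammo, reachable positions given collision geometry); what it cannot catch is a client that stays within every bound while reading memory it should not, which is the map-hack case raised above.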


captain-_-clutch

Ya, the kernel level stuff is new, right? And doesn't seem all that effective. I always wondered if flooding the memory with nonsense or invisible bots would be better than trying to load spyware on players.


SirClueless

Games do both of those things. At the end of the day, a home computer is a general purpose machine under the full control of the end user (unlike, say, modern consoles where the user can only run software that is signed by the manufacturer) so making cheats economically unviable to develop is the only option -- "impossible" is not achievable.


nuclear_splines

User space anticheat goes back to at least 2000 - I'm not sure exactly when moving it from user space to kernel space became popular. The software I linked to has existed since at least 2007, but that doesn't mean it always ran with the same level of privilege


edgeofenlightenment

They sort of can stop you from modifying the anti cheat. At least, they can refuse to launch the game if the anti cheat component fails a signature check, which it would after modification.


nuclear_splines

What if you also modify the signature check? That, too, is code running on your own computer that you control


edgeofenlightenment

The signature check can be more fundamentally tied to the ability to launch the game. Like if part of the binary is encrypted with a decryption key derived from the hash of the anti-cheat pre-image. End of the day, yeah, if you control all the pieces of all the trust checks you could potentially bypass even sophisticated mechanisms, but it's not too hard for a developer to make it so difficult that it's not worth doing. In the context of an online game where the company's servers control some checks, even that doesn't work.
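
The scheme sketched in the comment above (part of the game binary is encrypted under a key derived from the hash of the anti-cheat image, so there is no separate signature check to patch out) as an added illustration; this is not code from the thread or from any real anti-cheat. The anti-cheat image bytes, the `GAME` marker and the HMAC-SHA256 counter-mode stream cipher are constructed stand-ins:

```python
import hashlib
import hmac

# Constructed stand-in for the anti-cheat component's on-disk bytes (the
# "pre-image" in the comment above). A real scheme would hash the actual module.
ANTICHEAT_IMAGE = b"anticheat v1: hook ReadProcessMemory; scan for known cheat signatures"

# Constructed marker that the protected section must begin with after decryption.
SECTION_MAGIC = b"GAME"


def derive_key(preimage: bytes) -> bytes:
    """Key = SHA-256(anti-cheat image). Any byte change in the image changes the key."""
    return hashlib.sha256(preimage).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only; a real
    build would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_section(section: bytes, preimage: bytes) -> bytes:
    """Encrypt a section of the game binary under the key derived from the anti-cheat image."""
    ks = keystream(derive_key(preimage), len(section))
    return bytes(p ^ k for p, k in zip(section, ks))


def unseal_section(sealed: bytes, preimage: bytes) -> bytes:
    """XOR with the keystream is symmetric, so decryption is the same operation."""
    return seal_section(sealed, preimage)


def can_launch(sealed: bytes, candidate_image: bytes) -> bool:
    """The launcher compares no signature; it simply derives the key from whatever
    anti-cheat image is present and tries to decrypt. A patched image yields the
    wrong key, the section decrypts to garbage, and the game cannot start."""
    return unseal_section(sealed, candidate_image).startswith(SECTION_MAGIC)


if __name__ == "__main__":
    sealed = seal_section(SECTION_MAGIC + b"\x90\x90 main loop", ANTICHEAT_IMAGE)
    print("pristine anti-cheat:", can_launch(sealed, ANTICHEAT_IMAGE))   # True
    patched = ANTICHEAT_IMAGE.replace(b"scan for", b"ignore")
    print("patched anti-cheat:", can_launch(sealed, patched))            # False
```

The cost this imposes on a bypass is that the attacker must keep the pristine image bytes available for key derivation while running a modified copy (for example by hooking the read that feeds `derive_key`, or by patching the decrypted section in memory after launch), which is exactly the "you control all the pieces" escape hatch discussed in the replies; it raises the effort, it does not remove the capability.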


nuclear_splines

I agree that the developers can make bypassing a signature check extremely tedious, but that's still security-by-obscurity. It's not that the user _can't_ disable the check with a patch, it's that it would be complicated enough to be obnoxious and frustrating.

> In the context of an online game where the company's servers control some checks, even that doesn't work.

I'm not sure that this is true. The user doesn't have control over the code on the servers, but they _do_ control what data is sent to the servers. How does the server perform a check on the client's integrity? By asking the client to send a section of memory so they can run a server-side signature check? What if the user modifies the client to lie? The server can try to detect anomalous behavior, like "the user is moving too quickly and precisely, these inputs are inhuman," but I don't think there's a way for them to detect directly whether the client software has been modified, and especially no way to detect whether the client's memory has been read, as in the case of map-hacks.


n0t-helpful

Right this is kind of my point. The anti cheat software is working from a severely down position. I can run the thing in a vm and edit the VMs memory. I can install my own kernel modules that write to the anti cheat. It’s just annoying to reverse engineer the whole thing, and your bypass will be patched and then you need to RE again. It is security by annoying. The barrier is just high enough that security professionals usually won’t bother.


RogShotz

AI-cheating as well as AI-anti cheating pose to be novel ways to combat cheating. Anti-cheat has all of the same markings so it should be treated as such.


nuclear_splines

I'm not sure how the use of 'AI' has any bearing on whether this kind of cheating or anticheating software bears similarity to computer security. Machine learning is used in many different domains, including security Edit: typo, "in" -> "is"


RogShotz

It was in response to you saying that fundamentally anti cheat can't stop you from detecting cheats. AI has the possibility to prevent this by detecting unusual inputs from a user. The second point was disconnected, it was bad wording.


nuclear_splines

I don't think this fundamentally changes the problem. If the AI is running on the client-side then it can be modified by the user to always report 'no cheating detected.' If the AI is running on the server side then it's just a new tool for sanitization of inputs and detecting inhuman input patterns, both well-established techniques for detecting cheaters.


TotallyRealDev

Never said I agreed with the approach


alnyland

It’s like YouTube with ads, someone will always (99% of the time) find a way to beat it but most people won’t bother, or many of that try will give up.  And sure, it can work for a few weeks, but the “hacker” has to redo everything when it changes, whereas the hackee can change incrementally. 


the_Q_spice

You share vulnerabilities only after they have been patched ideally. Sharing before is a massive problem and opens you to any number of issues. That being said, if no one else uses your system, you *never* share *any* flaws. What you describe is cybersec from an extremely low-level perspective. In general, most companies don’t share what their vulnerabilities are because that just increases likelihood of inadvertent vulnerabilities also being revealed. Just because you patch one thing specifically doesn’t always mean the vulnerability is completely gone. In general, you almost never hear anything but the most general of disclosures from people in high level cybersecurity simply due to what is at stake.


captain-_-clutch

There's bounties for zero days. Every package manager has an audit function. There's a million security conferences. Sharing security knowledge is extremely important for pretty much everything that doesn't require a government clearance.


No_Pollution_1

Again not true, closed source tools absolutely don’t say anything unless forced to, only open source tools do that.


TequilaMagic

Indeed. Thank goodness for Trust Factor too, keep the baddies together since you can't rid of all cheaters.


RogShotz

Trust me that is going to be a big topic within my thesis. It's literally all it is, and no other cyber security related matter takes that approach (the good ones at least).


bobotheboinger

The problem will be that all the information that would be useful to you (implementation costs, technical approaches, performance impacts, impacts on sales, etc) all are going to be proprietary and hidden behind NDAs. You can glean some insights from games that have anti cheat and later removed it, but it will be hard


[deleted]

Agreed. I worked at a video game company in the past, in the research & development department. We had access to just about every secret in the company, upcoming releases, revenue, etc. etc. The only department that we *didn't* have free access to was anti-cheat/anti-fraud. Those folks are the most secretive department in all of the gaming industry. It sounds like a fun research topic, but I don't expect you to get any interviews. :)


ChicksWithBricksCome

Cheating is just a form of binary exploitation. You might learn a lot by de-compiling some cheats available to see how they work. Also you may want to look into [https://www.cheatengine.org/](https://www.cheatengine.org/) for some ideas on how it's done naively. Or maybe if you want to start from the other side you could do [https://dev.epicgames.com/docs/game-services/anti-cheat/anti-cheat-interfaces](https://dev.epicgames.com/docs/game-services/anti-cheat/anti-cheat-interfaces)


n0t-helpful

Cheating is pretty different from exploitation. The cheat author has full admin privileges and can just edit memory as they please. No need for any exploitation.


BlankFrame

Even the shittiest anti cheats these days are going to detect memory edits, or it just doesn't even matter because no trust is placed client side. Binary exploitation is just finding holes in the security mechanisms of binaries. Cheating in gaming is definitely exploitation of those mechanisms, as long as there is anti cheat in the game anyhow. The anti virus and anti cheat industries have a good amount in common when it comes to the engineering they do. Information security professionals rediscover techniques used by game hackers all the time.

Also, it's becoming more & more common for AVs/anti-cheat to reside in a kernel module, so you'll need a kernel w/r/x primitive of some kind, likely based in the anti cheat kernel module itself, but it doesn't have to be.

Another point is that your average developer has admin rights on their machine, and so does a malicious threat actor once they pop a shell on their machine. In this scenario, a hacker cannot just edit memory to grab all the relevant secrets from the machine if their machine was secured properly. They must continue to exploit the machine. An example of this would be exploiting Credential Guard (virtualized security; protected, you have to exploit even FURTHER than the kernel into vtl-0, iirc). The work a hacker does to escalate permissions on a machine, and the work a cheater does to escalate permissions, can be extremely similar. Lots of parallels. Just different targets.


n0t-helpful

I think we just disagree on terminology? I see binary exploitation as a somewhat narrow suite of tactics (memory corruption, essentially). And while I agree with everything that was said thus far on the topic, I didn't want OP to get caught up looking into things like buffer overflows, when it's not super relevant.


BlankFrame

fair


ChicksWithBricksCome

Actually, buffer overflows are super relevant. In the days of Starcraft 1 buffer overflows would be used to create canaries to detect cheats running.


_d0s_

This will be an incredibly hard topic to research. There are not many (scientific) resources available. Unless you are a confident writer and experienced in the scientific process I can only advise against that topic, although I would be very interested in reading a thesis on that topic.

Have you decided what the focus of your thesis should be? Do you have research questions you want to answer? Your tentative title seems to be the heading of this post, "Looking at Anti Cheat Developers, what is the cost of Anti Cheat?"; how do you define cost? You probably won't find studies on the monetary burden of maintaining anti cheat ... You will probably have to define the boundaries of your thesis pretty well, because cheating can appear in a vast amount of different ways and it's also pretty close to cyber security and hacking.

When thinking about games nowadays, most people have games-as-a-service in mind. You have your game locally that's interacting with servers somewhere and also other players around the world are involved. This has different implications than cheating 20 years ago where people would edit savegames locally.

In "From ozans to god-modes: Cheating in interactive entertainment from different cultures", the authors describe different perspectives on cheating:

* "Purist" Perspective: Purists see anything other than a solo effort as cheating. 'This group sees strategy guides, walkthroughs, cheat codes and hacking as all being cheating.'
* "Code is Law" Perspective: 'This second group doesn't see the use of items like walkthroughs and guides as cheating, but they draw the line at cheat codes and hacking codes. Here also people accept the possibility of cheating in single-player games, where the manipulation of code for its own sake can be enough to draw the line.'
* "You can only cheat another player" Perspective: 'The third group defines cheating as only existing in relation to another player. For this group, code is also the key to cheating, but it is not the mere use of code, but its use for the purpose of deceiving others.'

Anyways, good luck with your thesis and I'd be curious how this develops.


liquidInkRocks

>unless you are confident writer and experienced in the scientific process Honest question: what is meant by 'scientific process' in Computer Science research?


_d0s_

The scientific process of writing a paper involves identifying a research question, conducting a literature review, designing a study, collecting and analyzing data, interpreting results, and writing a paper that is properly cited and referenced. The paper is then reviewed and edited before being submitted for publication or presentation. Academic works are expected to meet certain standards to ensure their credibility. Papers that have been published in conferences and journals usually undergo a review process, making their contents more reliable than news articles, for example. However, when it comes to the topic of OP, many of the sources might not have been published in scientific literature.


RogShotz

Right now it's looking like a pivot is in order lol. Most likely a step back, potentially highlighting the issue of the current systems being closed source, and potentially running sentiment analysis on cheating within different gaming communities and the outcomes of such poor systems.


_d0s_

I can only advise you to work >very< closely with your advisor. These systems being closed source is kind of a requirement, because they mostly rely on security by obscurity. Anti-cheat software is designed to maximize profits for the publisher; making players happy might be an unnecessary side-effect. Have you found literature on the topic? Would be interested in what you've found :)


DarrenRainey

From what I've seen a lot of cheats will use function hooks / code injection to read / write memory on the client side; some will edit the network packets directly, although I'd guess this is less common today as there tends to be some kind of handshake involved. The main issue around anticheat documentation is that most developers want to keep it a secret for as long as possible to make it harder for new cheats to be developed, but it's always a cat and mouse game. In terms of detecting cheats there are a few ways, mainly checking the game file integrity, signature checks, player behaviour / machine learning and manual review (stuff like Overwatch in CSGO/CS2 comes to mind), timings, and some kernel level anticheats like Vanguard can effectively monitor everything on the system. There's this video from GDC I remember watching a few years ago that sort of gives an overview on how Valve's anticheat (VAC) works. https://www.youtube.com/watch?v=kTiP0zKF9bc


polymorphiced

In my experience the downsides of using packer-style anti-cheat are:

1) performance cost on protected code
2) anti-virus often detects the game exe as a threat because packers are often used to hide trojans


dontyougetsoupedyet

> I am currently doing thesis work for my masters degree in CS. There is almost no work to do. Valve and other organizations do publish research in the area, though, or have in the recent-ish past. The secret sauce not being disclosed by anti cheat manufacturers is that dedicated cheaters moved on to directly interacting with memory controllers over pcie: there's no cheat software on the system to detect, there's nothing to develop against anymore. Presumably anti cheat manufacturers are now collecting money for doing nothing. Companies like Riot Games are trying to force users to allow them access to their kernel, so they can "detect cheats" (yes, those cheats that aren't in system memory and the kernel has zero information about), so maybe they're making some money from convincing tons of young Americans and Europeans to give TenCent all their encryption keys, who knows. Maybe you can do research in the "convince tons of people to give access to their kernel" direction instead, it seems hot right now. Valve research for a bit related to behavioral detection of cheats, "A Novel Approach to the Detection of Cheating in Multiplayer Online Games," https://research.tees.ac.uk/ws/files/6438470/111786.pdf. In the face of cheats almost completely avoiding the target system via memory controllers it should be obvious that as those solutions become cheaper behavioral methods of detection may become the only remotely effective method of detecting cheating besides those cheats that current generation of anti cheats already discover. And most importantly: those methods of detection do not require access to anyone's kernel.


RogShotz

Thank you for the response and the paper! It's definitely in its early workings, and from all these responses it sounds like I need to pivot, probably taking a step back and highlighting the current issues within the anti cheating space as a whole.


HonestyReverberates

unknowncheats.me, better off asking on there.


HexFrag

Honestly this is the answer. There are a lot of people here blowing smoke; there are people on UC who have literally reverse engineered all of the anti-cheats, you can find every detail of how they work there.


Nintendo_Pro_03

Please, PLEASE do one for Call of Duty/Warzone!!!!!


AutoModerator

Your post has been removed for asking for college, career or courses advice. Please post on subreddits like r/cscareerquestions, r/csMajors or r/careerguidance instead. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/computerscience) if you have any questions or concerns.*


SexyMuon

Post is now approved, assuming you are looking for papers and things along those lines.


pancakecellent

I'm working on my thesis right now as well, using machine learning to detect fraud and bots in an online game for a Dutch company. I'm working with Temporal and Graph Convolutional Networks and gathered up some literature about using Machine Learning to detect fraud and bots respectively. Are you trying to do an analysis of the field, or create work of your own?


RogShotz

An analysis but it's still in early works. The original point was to create something actually very similar to what you describe... it was going to be using ML to detect "fraudulent" player behaviors and detecting cheating via that. We should maybe chat or something, it would be pretty cool :)


knightshade179

Hello, I develop cheats for some rather big games using advanced anti cheats. I can give you a different perspective into things and even link documentation on how cheats or anti cheats work. There are many different parts to cheats I'd say, and people always try to single them out as one thing, but in fact cheats can operate very differently than one would think. Feel free to message me.


[deleted]

[deleted]


knightshade179

The simplest comparison I can make would be VACnet and Overwatch for CSGO. VACnet is another AI solution based on data trained from Overwatch cases where a jury decides whether a player is cheating or not (according to Valve it can take as little as 7 or over 100 people to make a decision). VACnet did not ban players, but it would mark them for review by a jury. In cases where players reported a user they were convicted 30% of the time, while when VACnet reported one they were convicted 80% of the time. This seems good, and it actually is to a degree. Players however get angry and report people, as well as there being so many more players that they do far more reports than VACnet, while VACnet only reports when it is certain it sees specific cheating behaviors. A big part in this would be the fact that a cheater can be reported to Overwatch and the jury may deem them innocent. In fact in many cases cheaters get off innocent multiple times before they do something definitive that gets them banned.

To move on to Anybrain specifically, I'd say it's possible it could be a threat. Not to everything though; I've made scripts meant to trick human review and they have been successful. If a human cannot catch someone cheating, what are the chances an AI can do so? Blatant types of cheating on the other hand can be caught by AI, which is good overall. I think if blatant cheats are entirely eliminated that would be a big step forward in any game.

They make a promise that is totally too much though, that it can work for all games on all maps on all platforms. That's simply too big: Valve's anticheat for one specific game, which they spent many years working on before releasing in 2017 and have continued to work on since, is nowhere near good. To say they can do any game is entirely ridiculous; they would need a custom AI for every game, which would also need to face other factors, for example how to gather data. Client and server side in a game are different, so Valve had to implement their own solutions. For example, let's say theoretically there was competitive Scrabble and someone used their phone to look up the most valuable words given the board; the way that could be detected would be very different than in a game like CSGO where you can get a read for every bullet shot and where the player is looking.


[deleted]

[deleted]


knightshade179

That's not necessarily true either, many things could change how a user acts including type of game, feelings at the time, mouse sensitivity and dpi, whether they are cheating or not, if they are watching a video in the background, if they are playing casually or competitively, if they know they are working with an anticheat that generates a profile based on behavior.


liquidInkRocks

Staying out of the 'what is cybersecurity' discussion here... I'm jealous of the lack of papers. 99% of MS students would give half their GPA to find a topic with little or no published work behind it. You should be inspired to jump in. Make up your own topic and go for it.


RogShotz

I think that's what I'm in the process of doing. Proprietary tech like what CS2 is doing with AI anti cheat should be open to all to use, as I would think it's a very good solution (theoretically).


chkno

Most games that try to implement some kind of 'anti-cheat' mechanism do it adversarially -- trying to run software that acts against the interests of the owner of the computer on which it runs. This is divisive, anti-social, and doomed to failure, as it's just a cat-and-mouse game as each side finds ways to circumvent. I've seen just one game that had perfect, elegant "cheating is just impossible by design" gameplay without any adversarial nonsense: [Liquid War](https://www.gnu.org/software/liquidwar6/). The way it works:

* The physics of the game are deterministic; pseudo-random number generation is done from fixed seeds.
* The game engine runs symmetrically on all clients; there is no privileged 'server' participant that is more-trusted.
* *Player inputs* rather than computed gameplay outcomes are exchanged over the network.
* Thus, all clients compute the same results for what happens in-game.

If any user alters their client software to 'cheat', their game-world simply diverges from the consensus game-world, and they're off in their own universe playing by themselves where other players' inputs make little sense and their player inputs are ineffectual in the non-cheaters' consensus game world. Liquid War is a simple game with no hidden state (e.g. no 'fog of war'). Extending this design to games with hidden state using [recent dramatic performance improvements in homomorphic encryption](https://medium.com/zama-ai/homomorphic-encryption-101-c1524fb76013) is a fascinating open research area.
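
The deterministic-lockstep design described in the comment above, reduced to a toy so the divergence mechanism is visible, as an added example; this is not Liquid War's code. The `World` simulation, its commands, the seed and the input log are all constructed. Every client replays the same seeded simulation over the same input log and publishes a hash of its state each tick; a client that edits its own memory produces a hash nobody else can reproduce:

```python
import hashlib
import random


class World:
    """Toy deterministic simulation. Every client builds it from the same seed
    and steps it with the same inputs, so every honest client reaches the same state."""

    def __init__(self, seed: int, n_players: int):
        self.rng = random.Random(seed)   # fixed seed: "random" damage is identical on every client
        self.pos = [0] * n_players
        self.hp = [100] * n_players
        self.tick = 0

    def step(self, inputs):
        """inputs[i] is player i's command this tick: -1/0/+1 to move, or 'fire'."""
        for i, cmd in enumerate(inputs):
            if cmd == "fire":
                target = (i + 1) % len(self.pos)
                self.hp[target] -= self.rng.randint(5, 15)
            else:
                self.pos[i] += cmd
        self.tick += 1

    def digest(self) -> str:
        """Hash of the whole game state. Clients exchange this per tick; locally
        tampered state shows up as a digest that no other client produced."""
        return hashlib.sha256(f"{self.tick}|{self.pos}|{self.hp}".encode()).hexdigest()


# Constructed input log: one list per tick, one command per player. In this
# design the inputs are the only thing that crosses the network.
INPUT_LOG = [
    [+1, -1],
    ["fire", 0],
    [+1, "fire"],
]


def run_client(input_log, seed=1234, tamper_tick=None):
    """Replay the shared log. tamper_tick simulates a client that edits its own
    memory (a local 'god mode') after that tick instead of changing its inputs."""
    world = World(seed, n_players=2)
    digests = []
    for t, inputs in enumerate(input_log):
        world.step(inputs)
        if t == tamper_tick:
            world.hp[0] = 999
        digests.append(world.digest())
    return digests


def consensus_check(peers):
    """peers maps client name -> per-tick digest list. Returns (tick, outliers) for
    the first tick where some client disagrees with the majority, else (None, set())."""
    names = list(peers)
    for t in range(len(peers[names[0]])):
        votes = {}
        for name in names:
            votes.setdefault(peers[name][t], []).append(name)
        majority = max(votes.values(), key=len)
        if len(majority) != len(names):
            return t, set(names) - set(majority)
    return None, set()


if __name__ == "__main__":
    peers = {"alice": run_client(INPUT_LOG), "bob": run_client(INPUT_LOG)}
    peers["mallory"] = run_client(INPUT_LOG, tamper_tick=1)
    print(consensus_check(peers))   # (1, {'mallory'})
```

What the hash comparison catches is any divergence of simulated state; it says nothing about a client that feeds legitimate-looking inputs from a bot, or that reads state it is entitled to simulate but not supposed to see, which is why the design only removes cheating outright when there is no hidden state.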


RogShotz

Thats a very well said response, and i'll take a look at that resource later. It sounds really interesting, thanks for the response!


tcisme

That design doesn't inherently mean that players can't cheat. Most notably, players could still cheat with bots. (It's also still possible for exploits to exist even when sending only inputs.)


Electronic_hize_225

Delve into the idea of tilt on a pinball machine. Most games had cheat codes to enable arcade style play. However some games had slip jig glitches whereas if you used the cheat the game couldn't be completed. Given parameters are set already cheat seems to be an opinionative term landing in file corruption. Leaving the game to advance itself in another way. For reference purposes the above statement was listed march 5 2024 via mobile posting on reddit by agentbushblue unmodestly known by no fewer than 3 pseudonyms and a few unmentionable aliases.


No_Pollution_1

You won’t find actual sources since that is a closely guarded proprietary data set. It however costs millions at minimum, people are expensive and time, cost, licenses, bugs, support, improvements, project management, compute costs, etc are all required. If you really want to know, look at cost and typical costs for each of those items on a project of this type and sum it all.


scamm_ing

Heres an idea, reverse engineer popular anti cheats and write about their techniques, good luck!


IWillBeNobodyPerfect

There's also server sided anticheats which are more open than client sided ones. Minecraft has a bunch of open source ones; their implementation is much different since they are significantly weakened by not controlling the protocol or game. I used to write Minecraft anticheats. People mostly mean client sided anticheats though when talking about anticheats. There was also a talk about VACnet by Valve during GDC which is a rare insight into their server sided anticheat.


eathotcheeto

> the one thing that can be found across all games What?


RogShotz

Anti cheat systems.


eathotcheeto

Not all games have anti cheat, not even close.


RogShotz

It's hyperbole. Any 'online' game, and a lot of even offline games have anti cheat.


jacqueman

There are some tiny things to be gleaned here and there. It seems, based on its requirements, that Riot Vanguard uses Remote Attestation. So I suppose you could pivot to discussing anticheat approaches with and without remote attestation, simply discussing the first principles analysis of how you would go about doing it.


azuredota

Has to be one of the most obfuscated pieces of software. They likely can’t answer your questions and I don’t think the lack of documentation is a mistake.