2

There is anti-cheat software for Windows that runs with really high privileges in order to detect cheats on the users' machine. These anti-cheats claim to run 'on kernel' and scan the user files and memory to detect software that could be interacting with the game (e.g. cheats/hacks).

Recently, I found that some of those companies have anti-cheat support for Linux games (native ones), which made me wonder how that detection would work. What can this anti-cheat software do on Linux, especially if the game is running in user mode and not sudo? Would it be able to scan other users' processes/memory and detect a cheat running under another user, for example?

Steffen Ullrich
rmauter

4 Answers

1

TLDR: There is a trust issue here. If the software is from a legal trusted company, they will self-limit what they do. If the program runs as a non-administrator user, there is a limited number of things they can do anyway, and if you put it in a container, it is more limited. If the company is trusted, worrying about this is paranoia. If the software is pirated or the company is not trusted, the paranoia is justified.

If the game runs as a user process without any administrative access, it won't be able to modify the kernel or scan the memory of other processes, even within the same user.

It would be able to look at files on the system unless they were protected by permissions that prevented it. Similarly, it could look at what other things were running on the system, but beyond limited things that are published by processes (visible in ps for example), it can't directly access the memory of other processes.

"How dangerous"... is a very vague question. Here are some possible dangers:

  • Danger of cheating being detected: Presumably this would be high, otherwise it would not be very effective as anti-cheat protection.
  • Danger to the health of the system: If it is running as a user and not an administrator, this is low but not zero. However, a bigger concern is if you trust the company that wrote the software. Presumably there would be more legal protection and recourse for the consumer if the company intentionally damaged your system. This need for trust would not be different if the software did have administrator access.
  • Danger to the runtime performance of the system: anti-cheat systems are notorious for affecting system performance. However, this presumably would be temporary and only occur when it was running. And, again, if this danger is real, it might also affect the performance of the game, which would lead to unfavorable reviews and hurt the company in the long run. So this is unlikely, or at least, unlikely to be a long term issue.
  • Danger of information exfiltration: Any program running on the system (user or administrator) that isn't running in a limited container can look through your files and check what software is installed, (within limits) sniff keystrokes, probe your local network, and connect to outside networks. Again, this is a trust issue -- if a company was found to be exfiltrating sensitive data from user systems, it would harm their reputation and become lawsuit material, so most companies will limit what they exfiltrate and likely list it in their license agreement.

In older Linux and Unix, a process with administrator access would be able to access memory of other processes. However, recent versions of Linux have made this more and more difficult, but not entirely impossible. Even if direct memory access is blocked, some access can be obtained with ptrace().

As to what anti-cheat software would do in Linux... Unless the company divulges this information, it would be difficult to say. If cheaters were told up front everything the software did, it may be difficult for the software to be effective at preventing cheating.

user10489
  • Since it's anti cheat - and will probably (not in all cases but overall) *most likely* run in kernel space (as VALORANT on mswin). Also, in my opinion, it has to be open source since it will well monitor programs and might interfere with other drivers (in Linux I believe it's called LKMS) (which I think it is not going to be), but yes - if open source - it would be easy to read and circumvent (but which is why open source is also good - since we can see what it does; not something malicious) (of course, the source and the compiled version(s) might be changed, or on-the-fly updated; anyway) – William Martens Jul 09 '22 at 09:24
  • I agree it seems likely anti-cheat software would likely need to run in the kernel. However, the user started with the supposition it would not have that access. I did try to include that possibility however. – user10489 Jul 09 '22 at 12:56
  • Thanks for your responses, I understand that it is a trust issue, but I prefer to understand what they would be capable of doing technically, in case a bug or hijack happens. So is it safe to assume that (at least for Linux, in user-mode): 1- The anti-cheat is not a "fully proactive kernel-based protection system", and that 2- It is not capable to "detect cheats installed on users' computers" (if the user lacks permission), or even that 3- they are not capable of "scanning of the player’s system...", as it cannot read memory or other processes running? – rmauter Jul 09 '22 at 18:23
  • Actually, first thing I said is that it is likely it _can_ detect cheats. And while it can't necessarily scan memory, it can see what is running on the system. – user10489 Jul 09 '22 at 22:50
  • @user10489 and @rmauter Yeah, I agree with both of you; thanks for the feedback on the comment! Have a great day, both of you over there! – William Martens Jul 10 '22 at 08:22
  • "legal trusted company" ha! Sony BMG rootkits, Symantec "we don't even know how to uninstall Norton", Lenovo TLS backdoors, and a whole bunch of other incidents show what an incredibly flawed viewpoint this is. Yes, of course any time you install something there's a trust decision involved, but the point of the question is that *game publishers for Windows have specifically proven themselves untrustworthy*, or at least sketchy, with the anti-cheats... and there's every reason to expect that, if Linux gaming gets big, they'll do it there too. – CBHacking Jul 11 '22 at 03:41
  • More generally, the problem with the viewpoint is that you assume the game developer / publisher cares in the least about the security of your computer. They don't. Not a whit. Steam deliberately breaks the trust boundary between users. Nothing but esports games get substantial pentesting or other security review; if you're lucky, the only risk is to your save files, not your whole OS. And sadly, sandboxing isn't a solution... because if you sandbox the installer (doesn't do any good to sandbox just the game) then *it simply won't run* and you can't play the game. – CBHacking Jul 11 '22 at 03:45
  • Legal trusted company: Lenovo has at least pretended to try to fix this. Sony got sued and retracted it. Norton -- meh. I agree it's an optimistic viewpoint, but not a hopelessly optimistic one I think. Lack of review is a concern. I think the best way to sandbox things like this is to dedicate a HD and OS instance to them. – user10489 Jul 11 '22 at 05:04
  • I think reading the license agreement is important; it might give clues as to how bad their anti-cheat code might be. – user10489 Jul 11 '22 at 05:05
  • Also, trustworthiness of a company is an exercise for the reader. If you don't trust them, why do you give them your money or run any code they produce ever? – user10489 Jul 11 '22 at 22:49
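
The answer and comments above turn on whether one process may attach to or read the memory of another. As an added example (not code from any poster or anti-cheat vendor), here is a simplified model of the kernel's rule under the Yama `ptrace_scope` sysctl, plus a parser for the `hidepid=` option on the `/proc` mount; the function names and the sample mount line are constructed for illustration.

```python
# Added example: simplified model of who may read another process's memory on Linux.
# Other LSMs (SELinux, AppArmor) and user namespaces can restrict this further.

SAMPLE_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0\n"  # constructed

def may_attach(scope, same_uid, descendant, cap_sys_ptrace, dumpable=True):
    """Can a tracer attach to (ptrace, /proc/<pid>/mem) a target under Yama `scope`?"""
    if scope == 3:                    # attach disabled for everyone until reboot
        return False
    if cap_sys_ptrace:                # root / CAP_SYS_PTRACE passes scopes 0-2
        return True
    if not (same_uid and dumpable):   # classic check: another user's process is off limits
        return False
    if scope == 0:                    # classic ptrace: any same-UID process
        return True
    if scope == 1:                    # restricted: only the tracer's own descendants
        return descendant             # (a tracer declared via PR_SET_PTRACER is not modelled)
    return False                      # scope 2: admin only

def hidepid_of(mounts_text):
    """hidepid= value on the /proc mount; "0" if unset (other users' PIDs are listed)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
            return opts.get("hidepid", "0")
    return None

def read_live():
    """Read this machine's settings; None where a file is missing (e.g. no Yama)."""
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope") as f:
            scope = int(f.read())
    except (OSError, ValueError):
        scope = None
    try:
        with open("/proc/mounts") as f:
            hidepid = hidepid_of(f.read())
    except OSError:
        hidepid = None
    return scope, hidepid

if __name__ == "__main__":
    scope, hidepid = read_live()
    print("ptrace_scope:", scope, "hidepid:", hidepid)
    if scope is not None:
        print("same-user, unrelated process readable:", may_attach(scope, True, False, False))
```

Run as the game's user, it reports how much an unprivileged process on that machine could inspect; raising `kernel.yama.ptrace_scope` or mounting `/proc` with `hidepid=2` narrows it.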
1

Linux as an operating system is wide open for meddling using 1000 ways, so there will be no anti-cheat software for Linux in the nearest future, at least for distros which don't offer some sort of guarantee that the system hasn't been tampered with.

In Windows there are multiple layers of protection which guarantee that you run the pristine Windows installation, including executable files and libraries since almost every executable file in Windows is digitally signed.

In Linux at the moment only the boot loader (GRUB) and the kernel with its modules are signed (and that applies only to a handful of distros including Fedora, RHEL and Ubuntu), everything else is not.

When you cannot guarantee that your system libraries are not modified all bets are off.

> What can this anti-cheat software do on Linux, especially if the game is running in user mode and not sudo?

Everything any application running under a user account can do, including reading your files, or even sniffing your passwords. It's pretty trivial to do in X11 (which allows all applications to access all input devices) or using LD_PRELOAD= under Wayland.

If you're concerned about any of this, you should not be running proprietary software ever. I'd even say that you shouldn't even use a normal PC which is rife with proprietary features you cannot control, e.g. UEFI, Intel ME/AMD PSP, GPU, WiFi/Bluetooth, LAN, SSD/HDD, etc. etc. etc.

Artem S. Tashkinov
  • "...there will be no anti-cheat software for Linux in the nearest future". Well, they claim to support Linux, at least EAC and BE do have this support. With that said, would you agree that their Linux support is probably much weaker (if not, completely ineffective) when compared with their Windows support? – rmauter Jul 09 '22 at 18:23
  • *much weaker (if not, completely ineffective) when compared with their Windows support* - absolutely. – Artem S. Tashkinov Jul 09 '22 at 20:09
0

High-privilege anti-cheat software will always require high privileges to install (though it does not necessarily need any special privileges to run the game after installation). Linux is no more protected than Windows here. If a game installer installs a kernel module on Linux, that has just as many permissions and can do just as much damage if untrustworthy as a similar kernel module on Windows. What's more, if Linux ever takes off for gaming, you'll see such anti-cheat kernel modules appearing (for e-sports games, at least) for the same reason that they exist on Windows: if you don't have them, the cheat code will go into the kernel where user-mode anti-cheat software can't find it.

One possible difference is that, on Linux, distributing software that links directly into the kernel but is not compatible with the GPLv2 is frowned upon, and the kernel will complain about being tainted with proprietary software. Of course, if you're playing games on Linux at all, there's a decent chance your kernel is already tainted by the proprietary NVidia graphics driver. Also, it's not like the kernel has some magic way to tell whether any given module is open source or not; modules can lie to the kernel about that, and/or after being loaded, they can modify the "am I tainted?" check and flag within the kernel to report whatever they want. Whether such lies or modification would violate the GPL is a question for the courts to decide, but it wouldn't be the first time that proprietary software has pulled such a stunt.

(Or you could make the anti-cheat software open source, but nobody is likely to do that; if the cheat makers can see exactly what the anti-cheat is doing and when, it's way easier to evade or spoof it, and thus immediately win the current round of the cheat-vs-anticheat battle.)


Obviously, cheat-vs-anticheat is a constant game of cat-and-mouse. Anti-cheat software can only look for the kinds of cheats it knows about. Cheat software can - especially if installed before the anti-cheat - modify the anti-cheat software or the kernel itself such that the anti-cheat thinks it's running but can't see the cheat software. The anti-cheat software could potentially try to go even deeper - to the hypervisor, to the firmware, to the hardware (or rather to firmware running on peripheral hardware such as the GPU or network card) - but it can't ever go deeper than the cheat software can in theory go, so there's no way to reliably "win" this contest.

Whether or not cheat vs. anti-cheat is winning in the moment, all of us who don't cheat lose. Installers for games (that we probably don't even play competitively) worm their way deeper and deeper into the system, changing (and potentially breaking or spying on or opening backdoors in) stuff that the user doesn't even know about. Game publishers spend resources on anti-cheat systems instead of gameplay improvements, and OS developers have to accommodate third-party code in unexpected places doing unexpected things, or else people complain that their games stopped working after the last OS update. It's deeply unfortunate.

CBHacking
  • *"you'll see such anti-cheat kernel modules appearing"* - no, not gonna happen ever, period. Like I said in my earlier answer, in Linux you cannot guarantee the system has not been tampered with even if you install the kernel driver. Lastly, the absolute majority of Linux users don't have the kernel-devel package or GCC installed, which means you won't be able to compile a kernel module, which means it's futile. It's upsetting how little people know and understand Linux. It's not Windows, never will be. – Artem S. Tashkinov Jul 10 '22 at 12:49
  • @ArtemS.Tashkinov You can't ensure jack on Windows either. It's a little harder to do certain stuff because of e.g. PatchGuard but it's not like PG can't be bypassed with enough effort. The entire concept of anti-cheat is based on "best effort" and you can definitely achieve that. As for the kernel-devel package, installers can easily pull that from repos or even pre-compile for common versions and configurations (the exceedingly vast majority of people just use the kernel that comes with their distro, and, so just targeting Ubuntu kernels would get most of them). – CBHacking Jul 11 '22 at 01:12
  • The lack of a stable kernel ABI does make it slightly more work to ensure you have a suitable module all the time, but... CI/CD systems have rendered this a solved problem for years now. It requires doing something nasty like having an updater that runs elevated and pulls new versions of the anti-cheat, but again, that's literally how it already works on Windows and it's totally doable on Linux too. Besides, I bet the anti-cheat updates more often than the kernel ABI breaks _anyhow_, it's not like you have to recompile every loadable module each time there's a security patch. – CBHacking Jul 11 '22 at 01:14
  • 1. There are so many issues with *"easily pull that from repos or even pre-compile for common versions and configuration"*; you seem to have used Linux very little in your life, e.g. if you have a signed kernel and modules, installing a kernel module becomes impossible for 99.99% of users out there. 2. Linux users pride themselves on running free Open Source software; any forcibly installed kernel module will be instantly vilified and rejected by the community. Again, mark my words, anti-cheat software in Linux will never use kernel modules, period. – Artem S. Tashkinov Jul 11 '22 at 07:54
  • I've been running Linux since 2005, I've compiled my own kernels, I know the drill. I even game on Linux - major AAA games, not just Wesnoth - which frankly I suspect you do not. The Linux gaming community (small though it is) is mostly people who already run a tainted kernel with a proprietary module that they pull from a frequently updated repository; it's called `nvidia` and I assure you, people who are willing to run that (and Steam, and closed source games in general - in other words, the entire PC gaming community) will put up with whatever it takes to make the next FPS or MOBA run. – CBHacking Jul 13 '22 at 06:01
  • Any company to offer such a kernel module will be literally destroyed by the community. The amount of flak and resentment will be just insane. – Artem S. Tashkinov Jul 13 '22 at 09:01
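
The answer above mentions the kernel's taint flag for proprietary modules. As an added example (not from the answer's author), this decodes the module-related bits of `/proc/sys/kernel/tainted` and lists which loaded modules carry taint letters in `/proc/modules`, so a user can see whether an installer left a kernel module behind; the sample lines and the module name `example_anticheat` are constructed.

```python
# Added example: spot kernel modules that set taint flags (constructed sample data).

# Taint bits relevant to third-party modules (kernel admin guide, "Tainted kernels").
MODULE_TAINT_BITS = {
    0: ("P", "proprietary module was loaded"),
    12: ("O", "out-of-tree module was loaded"),
    13: ("E", "unsigned module was loaded"),
}

# Constructed /proc/modules excerpt; "example_anticheat" is a hypothetical module name.
SAMPLE_MODULES = """\
nvidia 56807424 1 - Live 0x0000000000000000 (POE)
example_anticheat 16384 0 - Live 0x0000000000000000 (OE)
ext4 1036288 2 - Live 0x0000000000000000
"""

def decode_taint(mask):
    """Return the module-related flag letters set in /proc/sys/kernel/tainted."""
    return [flag for bit, (flag, _) in sorted(MODULE_TAINT_BITS.items()) if mask >> bit & 1]

def tainting_modules(modules_text):
    """Map module name -> taint letters for /proc/modules lines ending in "(...)"."""
    found = {}
    for line in modules_text.splitlines():
        fields = line.split()
        if fields and fields[-1].startswith("(") and fields[-1].endswith(")"):
            found[fields[0]] = fields[-1][1:-1]
    return found

if __name__ == "__main__":
    with open("/proc/sys/kernel/tainted") as f:
        print("kernel taint flags:", decode_taint(int(f.read())))
    with open("/proc/modules") as f:
        for name, flags in tainting_modules(f.read()).items():
            print(f"{name}: {flags}")
    # As the answer notes, a module can misreport its licence or alter the flag
    # after loading, so an empty result does not prove that nothing is loaded.
```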
0

It all depends on how the anti-cheat software is written.

For example:

  • If it is written like a kernel module, it can wreak havoc on your system, since it will have privileged access to everything, and it is highly dependent on the specific kernel you are running.
  • If it is written as a “snooping” tool that runs with root privileges, it depends on what sysctl flags you have set.
  • If it is written to utilize the eBPF system, it could monitor and possibly redirect any syscalls done by cheat software… without getting more access to the system. eBPF software must be open source & have a clear license. And they must be accepted by the kernel before they can run. (But then they can run even in some cases on a network card, for example.)

Only the last type (eBPF) is acceptable in my view as an anti-cheat measure, since you are restricted in what you can do, while not being restricted in what you can access.

And since Microsoft is adding support for eBPF to Windows, there is no longer any reason to not use it everywhere for anti-cheat software. (IMHO).

LvB