The issue of anti-cheat on Linux
73 points by Aks
I feel like cheating is just going to move to devices that exist outside the main computer. I expect with computer vision techniques continuing to improve, that eventually you’ll just have a second computer that essentially plays the game for you, either partially or fully.
I find the anti-cheat situation frustrating, because despite what the article says there really is no reason to trust these people and corporations. They will create bugs, and those bugs absolutely will be exploited. The software is generally indistinguishable from malware, even (especially?) when it’s working as designed.
I would much rather have the ability to play amongst specific sets of pre-vetted friends and family members who mutually agree not to cheat, and just avoid playing with random people.
Best anticheat is still pinging server admin on IRC at 3am and they come ban the loser.
I have not seen anything as effective as that yet, and I have played multiplayer FPS games almost my whole life.
Matchmaking made games worse.
There’s not really cheating in this, but that’s kind of how VATSIM (an online flight-sim network) works. You can just ping an admin if someone is fucking around instead of being serious and they’ll come either get temporarily kicked or actually banned. Obviously there, there isn’t anything competitive going on, so it’d only be for people disrupting things, but it still works nicely like you said.
I feel like cheating is just going to move to devices that exist outside the main computer.
I thought I remembered friends talking about some PCIe DMA based cheats for Counterstrike a few years ago and just found https://github.com/EngineOwningSoftware/pcileech-webradar, based on https://github.com/ufrisk/pcileech which seems to be almost a decade old at this point.
It’s also extremely detected by anti-cheat vendors.
Interesting, do you know how? I don’t play Counterstrike nor do I have an interest in cheating per se, but I would have thought that that kind of DMA would be really hard to detect.
They are PCI devices usually pretending to be a network card or something. The amount of real devices is limited and very often the DMA cheats do not emulate the device correctly, so you can detect it by talking to it or seeing it is configured in an unusual way. There are also other methods, but I am not familiar enough with them to go into detail.
Fingerprinting of PCI devices makes sense. But, at least theoretically, if someone got a real PCI network card with customizable firmware to do the DMA access and send interesting bits of memory to a second PC, that could be circumvented again, right? I do believe it will pretty much stay a cat-and-mouse game forever, just curious on how it progresses.
It is of course a cat-and-mouse game, but there are other detection mechanisms outside of fingerprinting that are more robust (timing related discrepancies, IOMMU virtualization). From my (limited) understanding all DMA-based cheats are completely detected by Valorant’s AC driver, but again I am not familiar enough with the technology to understand how the detections work exactly.
There is also HPTT that can inject DMA requests into a legitimate PCIe device traffic.
I don’t think timings are a reliable detection vector on modern multi-core systems. Resource isolation and hardware attestation are the way to go, but they are not widespread on PCs.
https://x.com/itsgamerdoc/status/1958935350916915647?s=46&t=0Ven6DWZeNPcGOTNyWx89g apparently they just added IOMMU restrictions on Valorant and all DMA cheats are dead.
I feel like the only solution for this is some kind of server side anti-cheat evaluating player actions. Simply because the user doesn’t control that end. But maybe I’m naive.
That’s exactly what Valve is doing with VACnet. They’re also clever enough to not just do bans all the time, but also match likely cheaters to other likely cheaters so they waste more time on each other.
Even friends cheat. You have known someone for years and then that friend turns out to be cheating or started cheating and you won’t know. I do pray and hope that when these companies such as riot games, push updates to their anti cheats, that they be extra careful. Might sound like hopium but i do believe that at least riot is being careful with updates to their anti cheat, after all, theirs is the one that works the best and is kernel level. (Careful to avoid another crowdstrike)
Ultimately.. if you do notice something amiss.. they’re your friends, you can talk to them about it! And if you don’t notice.. ultimately, who cares? It’s just a game.
who cares? It’s just a game.
Me, the guy who just spent 50 minutes sweating and screaming at his computer to win instead of lose (because losing usually isn’t fun). Sure, “it’s just a game”, but I try to waste my time with things that make me feel good (winning), not things that make me feel worse (losing 50 minutes of my life to someone unfairly winning).
Me, the guy who just spent 50 minutes sweating and screaming at his computer to win instead of lose (because losing usually isn’t fun).
Win or lose, I’d rather play against the cheater than with the person “screaming and sweating” through the entire thing.
You’re always going to lose some fraction of the time. If you’re playing a matchmade game, that fraction will be as close to 50% as the size of the game’s playerbase allows.
You enjoy games as you do, I’ll enjoy games as I do. I have fun when I tryhard and have to mute to shout obscenities into my screen before unmuting and telling my teammate “nice try, nice try”. If you enjoy sinking time into something that makes your future matchmaking less fun, go for it.
Literally, this is the reason i play competitive shooters. If i win yipee, if i lose i’m bummed out. But if i lose to a cheater then i’m livid.
I just always expect to be in the losing team.
Sorry if this sounds harsh but with that mental, you won’t win.
Oh i win enough. The thing is, when i know we’re losing, i’m doing my best to make it difficult for the other team.
i implore you to watch the video i linked. Sometimes YOU don’t notice if your friends are cheating. and also sometimes it’s not just a game.
edit: There are timestamps, during the video they pc check the cheater, with the friends in the call as well, and you can just hear how they feel betrayed and devastated.
Even with anti-cheat, getting matched with players that will give you an enjoyable game is infrequent, in my experience. Plus, the social aspect of gaming is important, so playing with friends might be best anyway. The issue is that on top of having spare time, you must coordinate your spare time, which makes it harder.
(Lately, my most enjoyable gaming is Gartic Phone and Codenames with people at work, and learning simplified Mahjong with the inlaws.)
…
When not considering the solution of “just play with people you enjoy playing with” (and that’s a pretty big “when not considering X”), then I think really anticheat is unavoidable. Controlling the client should not be required on most things- why the fuck I cannot use a banking app on my phone if I have root on it and everything is on PirateBay already, idiots- and I hate it, but is there any other viable solution other than controlling the client on games?
is there any other viable solution other than controlling the client on games
There’s certainly some amount that can be done - validate player movement server-side, avoid sending data for e.g. positions of enemies behind walls, apply heuristics for anyone playing “too perfectly”, etc. I think I read that someone, maybe Valve, gets decent mileage with these sorts of approaches? But I assume there’s a consensus among developers that it’s not enough.
Minecraft has had server side anticheats for a while. They are weak in comparison to client sided anti cheats. You can search up Hypixel and their server side anticheat for example.
Yeah. DRM in general causes me a lot of pain, but… I don’t know, I’d be more or less OK to game mostly on consoles with heavily-locked in environments. Maybe it’s just I don’t game so much, but I need “freedom” on a computer for doing stuff, but gaming… it’s a different thing.
(E.g. DRM on streaming services causes me much more pain.)
You sound like you’d like to game on something like a console but with a keyboard and PC-like play? Which honestly seems to me like it could be a niche for a product.
I guess. I mean, I don’t like at all general purpose computing devices and OSes to be locked down. It bothers me significantly to use operating systems that require me to think if I cannot install them to a computer or not. Android applications that do not work on a rooted device bother me. And a long etcetera.
An appliance that is only useful to play games? Well, of course I’d like to mod, reverse engineer, tinker with stuff… but it’s fine.
edit: I think also what you’re referring to could be a Steam Deck hooked to some devices. Or the old Steam Machines. Of course, if I can have my workstation play games instead of having to use a second device, that’s nice, but… my main issue is that I like the idea of forever games, and except for Steam… the consoles do not offer this at all. I’m still playing games I bought ages ago on Steam.
I’m shocked by how many people think letting Riot own your computer is a reasonable thing. If you want to run a proprietary kernel just run Windows, no need to install Linux and then voluntarily infect it with rootkits.
More generally, playing with cheaters sucks but I don’t think accepting restrictions on what you can do with your own computer is a reasonable price to pay. I would like to have the right to use mobile banking on a rooted device against the will of my bank, and that seems to imply other people should have the right to load unauthorised game mods.
I think we need to wait for people to start having chips in their heads before lawmakers will be ready for this kind of discussion.
There are really interesting approaches to server-side anticheat. In the game Trackmania, a replay file is just a set of inputs, and the server post-validates replays by simply running the inputs and checking if the output (i.e. the final time/position) matches the metadata. This is nice because you, as a player, don’t have to wait for this validation, as it happens in the background.
They also detect TAS/slowdown-hacks by checking for rapid, superhuman keyboard inputs, however, the more elaborate approaches could be detected via Bayesian modeling or something.
I think this is the future of anticheat: If you have thousands of players, you have a lot of data that you can use as reference to detect irregular patterns. Then it doesn’t matter if the cheater deploys out-of-machine methods. Obvious hacks, like speedhacks, can be approached with a mix of JIT and post-validation (treating the gameplay just like a replay in Trackmania, and it’s proof this can work nowadays on-server). The more subtle things, e.g. wallhacks, could be approached with the aforementioned statistical methods.
If you watch gameplay of a wallhacker, as a human, you can see this right away, because the player reacts to otherwise invisible things. There must be a way to do that in an automated fashion, and not with AI, but classical data analysis.
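The input-replay validation and the input-rate check described in the comment above, as an added example that is not part of the thread and not any game's real code. The integer physics, the track constants and the 20 changes-per-second ceiling are assumptions chosen so the sketch runs deterministically.

```python
from dataclasses import dataclass

# All constants are assumptions of this toy model, not values from any real game.
TICK_HZ = 100              # fixed simulation steps per second
ACCEL, DRAG = 2, 1         # speed gained per tick on throttle / lost per tick off it
MAX_SPEED = 50             # units per tick
STEER_STEP = 5             # lateral units per tick of steering
HALF_WIDTH = 100           # track walls sit at y = +/-HALF_WIDTH
TRACK_LEN = 5000           # finish line at x = TRACK_LEN
MAX_TOGGLES_PER_SEC = 20   # assumed human ceiling; derive it from real player data


@dataclass(frozen=True)
class Replay:
    inputs: tuple        # one (throttle, steer) pair per tick
    claimed_ticks: int   # finish time from the client's metadata
    claimed_pos: tuple   # final (x, y) from the client's metadata


def simulate(inputs):
    """Re-run the inputs with integer-only physics so every machine agrees."""
    x = y = speed = 0
    for tick, (throttle, steer) in enumerate(inputs, start=1):
        if throttle not in (0, 1) or steer not in (-1, 0, 1):
            raise ValueError(f"illegal input at tick {tick}")
        speed = min(speed + ACCEL, MAX_SPEED) if throttle else max(speed - DRAG, 0)
        y += steer * STEER_STEP
        if abs(y) > HALF_WIDTH:            # wall hit: clamp and lose all speed
            y = HALF_WIDTH if y > 0 else -HALF_WIDTH
            speed = 0
        x += speed
        if x >= TRACK_LEN:
            return tick, (x, y)
    return None, (x, y)                    # never crossed the finish line


def max_toggles_per_second(inputs):
    """Largest number of input changes inside any one-second window."""
    changes = [i for i in range(1, len(inputs)) if inputs[i] != inputs[i - 1]]
    best = lo = 0
    for hi, tick in enumerate(changes):
        while changes[lo] <= tick - TICK_HZ:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def validate(replay):
    """Return a list of findings; an empty list means the replay checks out."""
    try:
        finish_tick, final_pos = simulate(replay.inputs)
    except ValueError as exc:
        return [f"malformed replay: {exc}"]
    findings = []
    if finish_tick != replay.claimed_ticks:
        findings.append("finish time does not match re-simulation")
    if final_pos != replay.claimed_pos:
        findings.append("final position does not match re-simulation")
    if max_toggles_per_second(replay.inputs) > MAX_TOGGLES_PER_SEC:
        findings.append("input rate above human ceiling")
    return findings


# Constructed sample replays: honest run, edited metadata, key toggled every tick.
HONEST = Replay(((1, 0),) * 112, 112, (5000, 0))
FORGED_TIME = Replay(((1, 0),) * 112, 100, (5000, 0))
TOOL_ASSISTED = Replay(
    tuple((1, -1 if i % 2 == 0 else 1) for i in range(112)), 112, (5000, 0)
)

if __name__ == "__main__":
    for name, r in [("honest", HONEST), ("forged", FORGED_TIME), ("tas", TOOL_ASSISTED)]:
        print(name, validate(r) or "ok")
```

The re-simulation only proves the inputs produce the claimed result; the tool-assisted run passes it and is caught only by the separate rate check, which is why the comment treats the two as distinct layers.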
as far as it’s publicly known, this is almost what VACnet (or VAC Live now, I’m not sure what the correct name is) is doing - using ai to detect anomalies in gameplay. it still seems to be in the works according to some findings, but cs2 is one of the most cheater-plagued games as of rn, especially in higher ranks. where I think someone recently checked that ~700 out of 1000 top players on the leaderboard are obviously cheating or have obviously cheated before.
i do wonder how much of the outrage regarding cheaters in cs2 is real however, as cs2 (and csgo prior) does have a trust factor system, where a large amount of reports and other factors including number of accounts gets you a lower trust factor, matchmaking you with people that also have a low trust factor. given that the loudest voices in the cs2 community are pretty good at the game, they could just be getting false reported and then sent into a lower trust factor based on these false reports. that’s a disadvantage of the system that ig could’ve been predicted and avoided, but i do frequently hear from regular people playing the game, even at a relatively high level, that they face cheaters very rarely
I think Valve have made the experience decent for the average player. Trust Factor seems to do an okay job of filtering out the rotten eggs when the player pool is large, but for high rated players the matchmaker can’t be as picky without queue times becoming frustratingly long.
The experience is very different across different skill ranges. Cheaters tend to bubble to the top pretty quickly, so high rated players rightfully complain on forums about the game being unplayable for them. The misguided outrage is born from average players who think they’re playing the same game as the top 1% of players.
That said, just by looking at my own anecdata from csstats.gg, 20% of my tracked games (N=279) in CSGO had a player retroactively banned. That’s absurd.
This article was great, but honestly, I found the “or you are a JavaScript developer” link even more interesting.
I’m kind of curious what people here will think of it; I was expecting something condescending or judgmental but it was fairly even-handed.
“You’re running other vulnerable drivers anyway” is an interesting way to go about anti-cheat security. I don’t think it’s gonna last though. MS already eye ways to drop ring 0 drivers. Remember CrowdStrike? Sure, it was big in news but MS now looks to replace kernel drivers with a user space API for that. I’m sure if an anti-cheat gets compromised in a similar way its ring 0 privileges are gonna be revoked even faster.
It’s also interesting that of all anti-cheats OP went for Vanguard. It’s one of the—if not the—most invasive anti-cheats. It runs in the kernel space even when you’re not running the game. It replaces a whole bunch of syscalls. It literally swaps memory pages if it thinks something’s trying to read memory it doesn’t like. Even EA thinks it’s overreaching as Battlefield 6 won’t run under Vanguard.
If all the kernel anti-cheat drivers mostly do the same thing, why can’t Microsoft implement that and provide it as an API?
That’s an interesting point - an API to create a process with unreadable memory (even from kernel?) might help (perhaps the code could opt in to specific pages for io-uring style operations and other syscalls requiring a buffer). Could such a thing potentially exist in future linux?
even from kernel
Context switches would be… interesting. Maybe if you ran on dedicated CPU cores?
You couldn’t tell if someone modified the kernel to lie about it.
fear-mongering about kernel-level anti-cheat solutions
That “fear-mongering” is well justified. I’ve been playing on Linux for decades but there is no game I want to play badly enough to allow it to load a closed source kernel module.
This is something I have been looking to read for a long time, because this is the kind of code I want to write. I’m going to start my educational journey by engineering cheats for Quake 3 Arena or whatever and then writing an anti-cheat to progressively work around, it sounds like a good approach to get a feel for what the problem domain even is. We have all this crap - secure boot, TPM2.0, eBPF, hell even Firecracker VMs, kexec and l4linux and stuff like that… the world is our oyster right?
I remember recently when Google wanted to get the TPM/Pluton stuff from the browser up to the BIOS… just what I would love: my bank saying Linux isn’t an authorized OS to run their website without its latest Genuine Microsoft Windows Service Pack installed. They thought they could do the same as they do in the mobile OS duopoly space on desktop, & boy was there a lot of pushback. Maybe all games will move to mobile where folks grew up without the memory of actually owning their device.
Remote attestation that says ‘in the TCB for the running program you will find this specific 200 MLoC of C/C++’ is certainly something that is technically possible. Using that to make any meaningful security claims is the difficult bit.
to get the TPM/Pluton stuff from the browser up to the BIOS
Lol, moving things closer to the hardware for “chain of trust” right? We’re led to believe secure boot helps because of chain of trust reasons, but as we know this doesn’t do anything. It’s signed bootloader loading unsigned operating system, always, lol. Anyone else think this “chain of trust” type thing is pseudo security?
We have so many security features on Linux yet developers at companies like Riot Games feel the need to say (straight up misinformation) about Linux being a cheating vector, about it being insecure, unsafe. Then there’s linux being removed from Apex Legends, which had no noticeable impact on the amount of cheats:
Which is it? Are there no players or are there too many?
I think both can be true. Apex Legends’ player average count is about 100k. In Apex triples there’s what, 60 players? So all it takes is (100,000 / 60 =) ~1666 cheaters to have at least one cheater in your lobby. Linux users (including deck) are 2% of Steam users, so 2,000 Apex players. Is it believable that 75% of Linux users are using it just to cheat at Apex? Maybe. But if even 500 cheaters are using Linux to cheat means 25% of Linux users are cheating at Apex, while it’d be marginal for Windows. I believe at least 500 cheaters would install Linux just to cheat at games.
Respawn saw an opportunity for a cheap win by improving the experience for the other 98,000 people playing and they took it. Contrary to what you’ve said, I saw community agreement that match quality did improve for a while (as much as it can for a game running at 16 tick).
I never realized Apex ran at such a low tickrate. I’ve reviewed dozens of gameplay recordings in slow motion, and the hitreg has always seemed pretty fair and accurate to me. It was certainly leagues above CSGO’s 64 tick, so they must’ve done something right.
That is still statistically not particularly likely and your numbers are heavily biased to be on the high side. 2% of Steam users first does not mean that 2% of Apex players are Linux players. While the blocking of Linux resulted in a decrease in cheaters, https://www.gamingonlinux.com/2025/02/blocking-linux-steam-deck-in-apex-legends-led-to-a-meaningful-reduction-in-cheaters/, at the same time there was a decrease in playercount in the same time frame, and the graph shown already shows a downwards trend, doesn’t definitively prove that linux was a platform where cheating occurred regularly. Also it’s a corporation with questionable business practices so I would not take them at their own word.
Write proper networking code, verify data sent by the client so your game server does not blindly accept mach 8 as a walking speed.
Of course this is a no-brainer for online games, however, the topic is quite complex. To make the game appear smoother and more playable even on slow connections, there are various tradeoffs and ‘fudge factors’ where you let the server be a little more lenient to make lag less jarring to the player. These things can and do get exploited.
The point is cheaters can be banned after the match, and the pool of non-cheating players still get a good experience (on average). Typically game “netcode” will be predictive/approximate in any case so there is no fundamental loss here.
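The trade-off in the three comments above (reject impossible speeds, yet stay lenient about lag), as an added example that is not part of the thread or any game's netcode. It assumes server-side receive timestamps in milliseconds, positions in millimetres, a 7 m/s speed cap and a 250 ms burst allowance; all names and values are hypothetical.

```python
import math

MAX_SPEED = 7        # mm per ms (7 m/s); assumed legal top speed
BURST_MS = 250       # assumed leniency: how much late movement may arrive at once


class MovementValidator:
    """Distance budget that refills at MAX_SPEED and is capped at one burst."""

    def __init__(self, max_speed=MAX_SPEED, burst_ms=BURST_MS):
        self.max_speed = max_speed
        self.capacity = max_speed * burst_ms
        self.budget = self.capacity
        self.last = None                    # last accepted (t_ms, x_mm, y_mm)

    def accept(self, t, x, y):
        """t is the server's receive time, so the client cannot forge it."""
        if self.last is None:
            self.last = (t, x, y)
            return True
        lt, lx, ly = self.last
        if t < lt:                          # out-of-order timestamp
            return False
        self.budget = min(self.capacity, self.budget + self.max_speed * (t - lt))
        dist = math.hypot(x - lx, y - ly)
        if dist > self.budget:
            self.last = (t, lx, ly)         # keep the authoritative position
            return False
        self.budget -= dist
        self.last = (t, x, y)
        return True


def first_rejected(trace):
    """Index of the first update the budgeted validator refuses, or None."""
    validator = MovementValidator()
    for i, update in enumerate(trace):
        if not validator.accept(*update):
            return i
    return None


def naive_first_rejected(trace, max_speed=MAX_SPEED):
    """Strict per-packet speed check with no allowance for jitter."""
    for i in range(1, len(trace)):
        (t0, x0, y0), (t1, x1, y1) = trace[i - 1], trace[i]
        if math.hypot(x1 - x0, y1 - y0) > max_speed * (t1 - t0):
            return i
    return None


# Constructed traces of (t_ms, x_mm, y_mm).
# Honest player at top speed whose packets bunch up after a 140 ms stall.
HONEST_JITTER = [(0, 0, 0), (50, 350, 0), (100, 700, 0),
                 (240, 1050, 0), (245, 1400, 0), (250, 1750, 0)]
# 1.6x speed hack on a perfect connection.
SPEEDHACK = [(k * 50, k * 560, 0) for k in range(10)]
# Roughly mach 8: 137.2 m covered in one 50 ms update.
TELEPORT = [(0, 0, 0), (50, 137200, 0)]

if __name__ == "__main__":
    for name, trace in [("jitter", HONEST_JITTER), ("speedhack", SPEEDHACK),
                        ("teleport", TELEPORT)]:
        print(name, "naive:", naive_first_rejected(trace),
              "budget:", first_rejected(trace))
```

The strict check flags the honest lagging player, while the budget accepts that trace and still stops the 1.6x run at its seventh update; the distance a cheater can gain from the leniency is bounded by the burst capacity (1750 mm here).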
You call it a bug, I call it a feature.
I agree as well. There’s plenty of games for me to play, some multiplayer, some not. And as the old saying goes: “no tux, no bux.”
For real. What’s the point of playing on Linux and installing proprietary malware (which all anti-cheats by definition are, as they take away control of the system from its owner) anyway? I get Steam Deck, I’d wager it will come with some hardware protections or just have a locked bootloader in the next version if they manage to get rid of GPL3 code in it.
valorant, after more than 5 years, still doesn’t have a replay system, meaning more subtle cheat users will have a much easier time avoiding being caught by players directly. ngl, can’t help but feel like it has been intentionally avoided - review seems fundamental to a game that’s so competitive.
personally, in ~1 year of playing the game a reasonable amount of time i faced 2 cheaters that got banned by vanguard during the match, 1 very very obvious cheater and around 20 people i had suspicions about that i couldn’t shake off as me being kinda ass at the game
and quite frankly, i’m still wondering if it’s worth it running a kernel level anticheat so i can avoid cheaters in a game that’s been manufactured to grab attention through ranked systems that motivate “just one more game so i can recover my rr” mentality and grab money by engaging in increasingly unfair monetization practices (recently even allowing gambling ads on vct)
Replay system, according to the dev updates, has not been easy to implement due to ping differences and possible netcode stuff.. i recommend watching their dev updates on the matter.
and around 20 people i had suspicions about that i couldn’t shake off as me being kinda ass at the game
You’re not accounting for
Not everyone that’s good at the game is a cheater. Better yet, not everyone that is having an absolute life performance in low-mid elo is a cheater.
grab attention through ranked systems that motivate “just one more game so i can recover my rr” mentality
What like eomm? In my countless hours of the game, I can confidently say there isn’t engagement optimized matchmaking. You win some you lose some, that’s the sign of a balanced game. On the other hand a pretty obvious example of EOMM is marvel rivals.
recently even allowing gambling ads on vct
Did you even read the article regarding gambling ads? No gambling ads are allowed on the main broadcast. Riot is only now allowing partnered teams to have approved gambling sponsors, such sponsors’ logos cannot appear on jerseys or on the main broadcast at all. The reason why I’m addressing this point is because of the misinformation/people not reading what the article was saying
my recommendation to you fluent, is read the articles yourself
according to dev updates
we investigated ourselves and here’s what we found
You’re not accounting for …
i am, that’s what i meant by “me being kinda ass at the game”
What like eomm?
all mm is eo to an extent. you can definitely make it worse but visible ranks in a game where you dont really choose who you play with (and in fact get punished for leaving the match) or against is a bad idea given that even just playhours was already smth you could flex. ranked mm is really among the worst things that ever happened to multiplayer fps along with f2p but paid cosmetics
Did you even read the article regarding gambling ads?
i, in fact, did, i just simplified it because quite frankly it’s still really really bad and there definitely is a slippery slope effect in play here which could end up with just straight up gambling logos on jerseys and maybe even ads on vct due to the revenue being fucking insane
Cheating in school I can understand because these are predominantly flawed archaic systems; unfair environments¹. However, I cannot comprehend the state of mind of people that cheat in games; fair environments, isolated from the outside world where all players more or less start on equal footing. What are they proving to themselves? Not honing any skills, where’s the satisfaction?
Purely out of curiosity I used an aimbot in CS 1.6 when I was 15. I deliberately only connected to non Valve Anti-Cheat (VAC) servers as I knew I’d otherwise get banned and realized it was morally wrong to do it on VAC protected servers; “the players on non-VAC servers know what they sign up for”. The novelty of getting it to work and feel all powerful was quite thrilling at first, but after 30 minutes I was back into VAC protected servers. Wiping the floor of an entire server with my clan on TeamSpeak are among the fondest memories I have to this day because that’s all teamwork based on skill and fun. But what the hell instigates the need to cheat indefinitely? Are online game cheaters all psychopaths?
–
¹ Let’s teach for mastery – not test scores, Sal Khan, TED.
I think most people are just looking for a quick power fantasy and just playing a singleplayer videogame doesn’t do it for them, so they figure that cheating other people at an online game is harmless enough. It’s just a game, right? And getting good at an online game sucks, it can take a long time to hone those skills and you’re gonna be losing a lot, which doesn’t feel good. Maybe they just don’t have the drive to do it or a friend group that plays with them and encourages them to get better. Or maybe they’re looking for validation within their social group and don’t care to earn it legitimately.
Psychopath is a strong word; I wouldn’t use it to describe a slightly antisocial behavior that is just likely to be caused by external factors. Let’s just call them jerks.
Psychopath is a strong word indeed, but psychopathy occurs in roughly 1 of 23 people. Much more than one would expect, I’d say.
“After calculating the conjoint mean of their results with meta-analytic procedures, based on a total sample of 11,497 people, it can be estimated that the prevalence of psychopathy in the general adult population is 4.5%.” — Prevalence of Psychopathy in the General Adult Population: A Systematic Review and Meta-Analysis | PubMed
“A 2008 study using the PCL:SV found that 1.2% of a US sample scored 13 or more out of 24, indicating “potential psychopathy”. The scores correlated significantly with violence, alcohol use, and lower intelligence.” —https://en.wikipedia.org/wiki/Psychopathy#Frequency
The question is, how many of those people gravitate towards games? Could the prevalence of psychopathic individuals be higher in online multiplayer games than the general populace?
I like how the article handled valorant and riot games. In my opinion as well they are the only ones that do anti cheats right. Most people are afraid of kernel level ACs because of the whole crowdstrike incident. But i struggle to see why riot games wouldn’t be extra careful with future patches because of the crowdstrike incident.
I think that we will only see these ACs getting ported to Linux when the tide turns in OS popularities. If Linux market share grows significantly we might see these companies consider porting their games to linux. Or, these game studios could pioneer linux support and drive more people to their game. Either way, we are sadly and unfortunately a long way from linux support but it’s not impossible/unreachable
i struggle to see why riot games wouldn’t be extra careful with future patches because of the crowdstrike incident.
And still all it takes is one person to make a mistake. I even probably still have Valorant installed on my Windows partition (that I haven’t booted in 2 years), so I’m not against installing kernel-level ACs, but I just think that’s not a great argument for them.
Article citing valorant as doing anti-cheat the best way is really baffling. Their anti-cheat practices are so invasive they might as well require you to play on a PC they own completely. They simply won’t let you play if you have software or drivers installed they don’t trust. One step further is to use TPM and secure boot to completely lock your PC to a trusted vendor installation aka iOS/Android walled garden for PCs.
But if “serious gamers” really want to go this far to prevent cheating (which will happen anyways as it’s not a technical but social problem) then go ahead I guess.
The article hints at it but sort of misses that anymore bootkits are what are used by the most nefarious cheaters who try to be subtle. The ones who create plausible deniability and are not obvious, that erode away trust in the game. For me, games fall apart when you see one or two blatant cheaters, because then you know there are definitely cheaters that are subtle, and no longer do deaths feel like a personal skill issue but rather a constant questioning of whether or not you were unfairly taken advantage of.
Bootkits have been made quite accessible in recent years and almost completely nullify any kernel level anticheats as they allow memory edits at a level higher than the kernel can even see.
Which brings me to the conclusion that client side anticheat is a losing battle. Server side Anti-Cheat is really the only effective measure, which of course is extremely difficult in online games, especially FPSes, but it’s just a very complex version of “you can never trust a client you don’t have physical access to”.
I’m kind of surprised MS does not offer the kernel anti-cheat service themselves to game developers. Maybe it’s not lucrative enough for a company their size. But they could make it as deep into the OS as possible and if the user already trust them to run their system, they’d trust them with the anti-cheat.
What I never understood is how they ensure you’re running their original software?
That kernel driver has to somehow be certified by the software to be the right one running and protecting it. But if you modified the program to not even contain that check (or a fake driver to pretend to send some HWID) how would you even realize this? Just by needing some magic network handshake that changes over time?
What if there was a distro with a trusted boot chain, where everything is signed and validated? Android does this, and I think newer immutable distros are making progress on this. If there was a kernel patch that enabled protecting the game’s memory, the anti-cheat companies might get along.
I think this “chain of trust” in the end doesn’t really work. With secure boot you ensure that the bootloader you’re loading is signed. If you go further with that maybe you ensure that the kernel you load is signed, that’s it. It’s almost useless. Also I am pretty sure we do have kernel protecting program memory things, since 6.10 at least https://blog.trailofbits.com/2024/10/25/a-deep-dive-into-linuxs-new-mseal-syscall/