How kernel anti-cheats work
TPM, Remote Attestation, and Trusted Computing
- Several comments dig into how TPM-based attestation can be subverted: MITM on discrete TPM buses, replaying PCR measurements, side-channel extraction of keys, architectural flaws in fTPMs, and fake/virtual TPMs.
- Some argue the TPM spec never really protected the CPU–TPM bus historically; others push back, saying endorsement keys and newer guidance address “active attacks,” but admit measurements can still be spoofed.
- Remote attestation is seen by some as the next big control layer (for anti-cheat, banks, DRM); others see it as a path to users losing control of their machines and being “untrusted” if they modify them.
Cheating as a Technical Problem
- Many argue that because cheaters control the client, they always have an advantage; kernel anti-cheat only raises the cost, it can’t “solve” cheating.
- Pure “do everything on the server” is widely criticized as unworkable for fast games due to latency and prediction issues.
- Hardware/DMA devices, hypervisors, BIOS/SMM patching, and network-side setups (second PC reading screen and driving input) are cited as ways to bypass even kernel anti-cheats.
Kernel Anti-Cheat: Pros and Cons
- Proponents: kernel anti-cheat is currently the most effective practical defense, especially in high-level competitive play (e.g., compared to user-mode / statistical systems like VAC). It raises the bar and makes powerful cheats expensive and niche.
- Critics: it’s effectively a rootkit, expands attack surface, has caused real privilege-escalation bugs, and conflicts with sandboxing/virtualization. Some consider it an unacceptable trade for mere games.
Behavioral, Statistical, and Honeypot Approaches
- Proposed alternatives include:
  - ML/anomaly detection on replays and full action logs.
  - Honeypot memory regions or fake entities only cheats would touch/react to.
  - Time-to-damage and other timing metrics as strong signals.
- Skeptics note that large-scale behavioral systems (e.g., in CS) still leave games “infested,” struggle with closet cheaters, and risk false positives against legitimately strong or unusual players.
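As an added illustration of the time-to-damage idea above (this is example code, not anything from the discussion): a screen over a constructed action log that pairs each hit with the moment the target became visible, judges each player on the median reaction time with a minimum sample count, and emits "review" as a signal for a human rather than an automatic verdict, so a single lucky shot by a fast player does not trip it. The 120 ms floor and the 5-sample minimum are illustrative assumptions, not measured values.

```python
from collections import defaultdict
from statistics import median

# Constructed action log for this example: (player, tick_ms, event, target).
# "visible" = target entered the player's view; "damage" = the player hit that target.
def _sightings(player, target, pairs):
    """Expand (seen_at, hit_at) pairs into visible/damage events."""
    return ([(player, t0, "visible", target) for t0, _ in pairs]
            + [(player, t1, "damage", target) for _, t1 in pairs])

LOG = (
    # alice: human-range reactions plus one lucky 90 ms pre-aim; must not be flagged
    _sightings("alice", "bot", [(1000, 1250), (2000, 2210), (3000, 3090), (4000, 4300), (5000, 5180)])
    # bob: consistently lands hits a few tens of ms after the target appears
    + _sightings("bob", "bot", [(1000, 1030), (2000, 2025), (3000, 3040), (4000, 4020), (5000, 5035)])
    # carol: too few events to judge either way
    + _sightings("carol", "bot", [(1000, 1015), (2000, 2018)])
    # a hit with no recorded sighting is not a reaction sample and is skipped
    + [("bob", 6000, "damage", "bot")]
)

# Assumed, illustrative parameters (not physiological facts): tune per game from real data.
HUMAN_FLOOR_MS = 120   # a median reaction below this is treated as implausible
MIN_SAMPLES = 5        # never judge a player on a handful of events

def reaction_times(log):
    """Per player: list of ms between a target becoming visible and the first hit on it."""
    last_seen = {}
    rts = defaultdict(list)
    for player, t, event, target in sorted(log, key=lambda e: e[1]):
        key = (player, target)
        if event == "visible":
            last_seen[key] = t
        elif event == "damage" and key in last_seen:
            rts[player].append(t - last_seen.pop(key))  # one sample per sighting
    return dict(rts)

def screen_players(log, floor_ms=HUMAN_FLOOR_MS, min_samples=MIN_SAMPLES):
    """Verdict per player; the median (not the minimum) is compared to the floor,
    so one lucky pre-aim (alice's 90 ms) does not trip a legitimately fast human."""
    verdicts = {}
    for player, rts in reaction_times(log).items():
        if len(rts) < min_samples:
            verdicts[player] = "insufficient_data"
        elif median(rts) < floor_ms:
            verdicts[player] = "review"   # a signal for human review, not an automatic ban
        else:
            verdicts[player] = "ok"
    return verdicts
```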
Social and Ecosystem Solutions
- Suggestions include:
  - Human admins and replays on community servers.
  - Segregated queues: invasive-AC vs. no-AC pools, or “cheater queues.”
  - Cultural shaming of cheaters.
- Others argue the real conflict is between user freedom/ownership and publisher control; some would rather accept more cheating than normalize locked-down PCs and remote-attestation-based exclusion.