Anmheda Jul 11, 2024 @ 12:19pm
Kernel anticheat, data collection and privacy within games.
I'm so tired of seeing PvE games using kernel level Anticheats these days. I mean, PvE games... Players versus environment... And they decide to include kernel level anticheat systems... that is just so stupid! These kernel level anticheats getting all that root access just to avoid potential "cheaters" from a PvE/Co Op game, it's beyond stupid, imo. They can't even prove that kernel anticheats work better than non-kernel server side anticheats, if you disagree - then show me some real statistics. My problem with these kernel level anticheats is their elevated access levels, anti cheats should never ever have root/kernel access to any system just to catch potential cheaters. Server side anticheats and non-kernel anticheats like VAC do the job good enough. Just look at Dota 2, a competitive game with lots of tournaments and money involved, do they use kernel level anticheat? No they don't.

And then you have all these games (most of them being online games) doing lots of data collection, and if you don't agree to some of those game company's terms, then you can't play those games (which is okay, to be honest).

I see lots of people complaining about data collection and bad privacy practice on certain games leaving negative reviews, and I totally understand and support that. Then I see people reply stuff like "why complain when google/microsoft/steam already collect data", or comments like "people complaining about data collection when big corporations already collect the same, they not interested in your life" bla bla. I think that is an ignorant way of thinking, people thinking like that will never understand what privacy and security is about. Why should we be okay with games collecting so much data? I understand why facebook collects a lot of data, but why should games do that? And it's even worse when they collect a lot of data also being personal data. Why do they need all this data?

And what data do the kernel anticheats collect? I mean, they have root access so they could collect anything. I know Windows and Steam already collect data (not on the kernel level though, and it depends on your settings and firewall), but that doesn't make it okay for game companies to just mass collect data without giving consumers options to opt-out. I really hate the fact that more and more games go online these days collecting more and more data without including options to opt-out/in, I hate it.
Last edited by Anmheda; Oct 30, 2024 @ 1:58am
Showing 76-90 of 139 comments
Crashed Jul 13, 2024 @ 12:10pm 
Originally posted by RiO:
Originally posted by Crashed:
Except that kernel-mode drivers need installation.

There are particular types of kernel-mode drivers that can be installed on the fly if the certificate they are signed with is a pre-approved one. This is how we got a kernel mode remote code execution vulnerability back in 2022 which abused an old trusted anti-cheat kernel module from Mihoyo that had a code injection vulnerability in it.
Without asking for Administrator permission? Sounds doubtful.
Crazy Tiger Jul 13, 2024 @ 12:13pm 
Originally posted by Lystent:
Originally posted by Crazy Tiger:
...Voting with the wallets is one of the actions people can take. ...
Unfortunately, refunds are out of the question...
To which people agreed.

Though depending on local laws, the consumer agency route can produce good results.

Edit: I really can't type on a mobile, sorry. Fixed errors.
Last edited by Crazy Tiger; Jul 13, 2024 @ 12:14pm
RiO Jul 13, 2024 @ 12:15pm 
Originally posted by Crashed:
Originally posted by RiO:

There are particular types of kernel-mode drivers that can be installed on the fly if the certificate they are signed with is a pre-approved one. This is how we got a kernel mode remote code execution vulnerability back in 2022 which abused an old trusted anti-cheat kernel module from Mihoyo that had a code injection vulnerability in it.
Without asking for Administrator permission? Sounds doubtful.

Do you have to approve installation of a driver with a UAC prompt when you plug a USB device into your system?
Ben Lubar Jul 13, 2024 @ 12:15pm 
Originally posted by BlackBloodRum:
Originally posted by Crashed:
Or maybe they made the conscious decision not to put that functionality into the software.
That is not what it says. It says 'we have limited the information EA anticheat collects', which means it is fully capable of collecting more, it just doesn't (if you believe them).
I technically have the ability to punch anyone I meet on the street. But people aren't afraid of me punching them at random on the street because I have made a decision not to randomly punch people on the street.

Just because a program can do something doesn't mean the code will allow it to.

Every game on Steam technically has the ability to delete your entire documents folder. The set of actions the game's code can do includes that. But none of them will because the code doesn't say to do that.

Ability and willingness are two different things, even for computer programs.
Last edited by Ben Lubar; Jul 13, 2024 @ 12:15pm
Crashed Jul 13, 2024 @ 12:15pm 
Originally posted by BlackBloodRum:
Originally posted by Crashed:
Or maybe they made the conscious decision not to put that functionality into the software.
That is not what it says. It says 'we have limited the information EA anticheat collects', which means it is fully capable of collecting more, it just doesn't (if you believe them).
That's just your interpretation. Nowhere does it say the anticheat is designed so it is capable of collecting that information; you have to have actual code to specifically go after things like your browsing history. Unless your web browser is installing hooks into your game it's not going to get scanned from what I can gather.
Crashed Jul 13, 2024 @ 12:17pm 
Originally posted by RiO:
Originally posted by Crashed:
Without asking for Administrator permission? Sounds doubtful.

Do you have to approve installation of a driver with a UAC prompt when you plug a USB device into your system?
The driver is already installed in that case or is fetched from Windows Update. Any other installation requires user approval.
Crashed Jul 13, 2024 @ 12:18pm 
Originally posted by Ben Lubar:
Originally posted by BlackBloodRum:
That is not what it says. It says 'we have limited the information EA anticheat collects', which means it is fully capable of collecting more, it just doesn't (if you believe them).
I technically have the ability to punch anyone I meet on the street. But people aren't afraid of me punching them at random on the street because I have made a decision not to randomly punch people on the street.

Just because a program can do something doesn't mean the code will allow it to.

Every game on Steam technically has the ability to delete your entire documents folder. The set of actions the game's code can do includes that. But none of them will because the code doesn't say to do that.

Ability and willingness are two different things, even for computer programs.
And just as EA has no reason to add code to their anti-cheat to scan your browser history or files not opened by the game or something hooking into the game.
Ben Lubar Jul 13, 2024 @ 12:18pm 
Originally posted by RiO:
Originally posted by Crashed:
Without asking for Administrator permission? Sounds doubtful.

Do you have to approve installation of a driver with a UAC prompt when you plug a USB device into your system?

The scary part about an unknown USB stick isn't that it could have a virus on it. Modern operating systems do not run untrusted code automatically when a drive is attached for exactly that reason.

The scary thing is that it might not be a USB storage device inside there. It could just be a bunch of capacitors that take power from your computer's USB charging functionality, build up an enormous charge, and send a shock through your computer that damages all of its circuits.

It could also be a device that pretends to be a USB hub with a bunch of other devices attached: a mouse, a keyboard, some printer with vulnerable drivers, etc.
Last edited by Ben Lubar; Jul 13, 2024 @ 12:19pm
RiO Jul 13, 2024 @ 12:19pm 
Originally posted by Ben Lubar:
Every game on Steam technically has the ability to delete your entire documents folder. The set of actions the game's code can do includes that. But none of them will because the code doesn't say to do that.
Well... there was that one time the Steam Client itself actually did that when uninstalling particular games on Linux. But that's a case of Hanlon's Razor: don't attribute to malice what can already be explained by ineptitude.


Originally posted by Crashed:
Originally posted by RiO:

Do you have to approve installation of a driver with a UAC prompt when you plug a USB device into your system?
The driver is already installed in that case or is fetched from Windows Update. Any other installation requires user approval.

Those drivers aren't all pre-installed. They're high-level filter drivers. They're loaded into and unloaded from the kernel on-demand.
They're also not always fetched from Windows Update. In some cases, e.g. printers, they can actually be fetched from a networked print server or a networked printer directly as a binary payload. Trusted, because signed with a trusted certificate. And it's the same with drivers from Windows Update; trusted, because signed with a trusted certificate.

Originally posted by Ben Lubar:
Originally posted by RiO:

Do you have to approve installation of a driver with a UAC prompt when you plug a USB device into your system?

The scary part about an unknown USB stick isn't that it could have a virus on it. Modern operating systems do not run untrusted code automatically when a drive is attached for exactly that reason.

They run the driver immediately though, when they can find a corresponding one and it's signed with a trusted certificate. That's the point I'm making. There are ways to load kernel modules without the user needing to already have administrative permissions or needing to raise a UAC prompt. All it requires is that it's implemented as a particular type of driver and that it's signed with a trusted certificate.
Last edited by RiO; Jul 13, 2024 @ 12:25pm
Lystent Jul 13, 2024 @ 12:24pm 
Originally posted by RiO:
Originally posted by Ben Lubar:
Every game on Steam technically has the ability to delete your entire documents folder. The set of actions the game's code can do includes that. But none of them will because the code doesn't say to do that.
Well... there was that one time the Steam Client itself actually did that when uninstalling particular games on Linux. But that's a case of Hanlon's Razor: don't attribute to malice what can already be explained by ineptitude.
I remember watching a YT video where someone goes hypothetical into hacking an old video game console to do some sort of damage, but then would trail off about how devs already achieved such stuff by sheer accident.
Last edited by Lystent; Jul 13, 2024 @ 12:25pm
RiO Jul 13, 2024 @ 12:28pm 
Originally posted by Crashed:
Originally posted by Ben Lubar:
I technically have the ability to punch anyone I meet on the street. But people aren't afraid of me punching them at random on the street because I have made a decision not to randomly punch people on the street.

Just because a program can do something doesn't mean the code will allow it to.

Every game on Steam technically has the ability to delete your entire documents folder. The set of actions the game's code can do includes that. But none of them will because the code doesn't say to do that.

Ability and willingness are two different things, even for computer programs.
And just as EA has no reason to add code to their anti-cheat to scan your browser history or files not opened by the game or something hooking into the game.

EA doesn't. But others might have reasons to try and find a weakness to exploit in EA's programming, which may well be every bit as shoddy as their regular programming for the games themselves, which would allow that other party to inject code into the kernel and allow them to e.g. place a rootkit.

Originally posted by BlackBloodRum:
I think a key element that's not getting across here is that it's all about trust. These are proprietary anti-cheats that you must trust to not do anything bad,

-- that you must trust to not do anything bad, and to not allow any other party to be able to misuse them to do anything bad.

It's the second part which is the actual problem!
Last edited by RiO; Jul 13, 2024 @ 12:30pm
Crashed Jul 13, 2024 @ 12:36pm 
Originally posted by BlackBloodRum:
Originally posted by Ben Lubar:
I technically have the ability to punch anyone I meet on the street. But people aren't afraid of me punching them at random on the street because I have made a decision not to randomly punch people on the street.

Just because a program can do something doesn't mean the code will allow it to.

Every game on Steam technically has the ability to delete your entire documents folder. The set of actions the game's code can do includes that. But none of them will because the code doesn't say to do that.

Ability and willingness are two different things, even for computer programs.
I agree, however - we are discussing kernel level control here. I can sandbox a game which does not have this anti-cheat to make it unable to delete my documents folder, or perform further actions on my computer - retaining control over my computer. If it is kernel level, I have no such control. That's a big difference, and requires a lot more trust.
Kernel mode driver still can only do what it was programmed to do. Do you trust those DMA boards that can manipulate memory without the knowledge of the CPU?
RiO Jul 13, 2024 @ 12:39pm 
Originally posted by Crashed:
Originally posted by RiO:

There are particular types of kernel-mode drivers that can be installed on the fly if the certificate they are signed with is a pre-approved one. This is how we got a kernel mode remote code execution vulnerability back in 2022 which abused an old trusted anti-cheat kernel module from Mihoyo that had a code injection vulnerability in it.
Without asking for Administrator permission? Sounds doubtful.


Took a while to dig this one back up:

https://www.pcgamer.com/ransomware-abuses-genshin-impacts-kernel-mode-anti-cheat-to-bypass-antivirus-protection/
https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html

It is still rare to find a module with code signing as a device driver that can be abused. The point of this case is that a legitimate device driver module with valid code signing has the capability to bypass privileges from user mode to kernel mode. Even if a vendor acknowledges a privilege bypass as a vulnerability and provides a fix, the module cannot be erased once distributed. This file has a code signature for the driver, which allows this module to be loaded in kernel mode. If the signature was signed for a malicious module through private key theft, the certificate can be revoked to invalidate the signature. However, in this case, it is an abuse of a legitimate module. It seems that there is no compromise of the private key, so it is still not known if the certificate will be revoked. It remains valid, at least for now.

As mentioned above, this module is very easy to obtain and will be available to everyone until it is erased from existence. It could remain for a long time as a useful utility for bypassing privileges. Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module.

(emphasis mine)


Originally posted by Crashed:
Originally posted by BlackBloodRum:
I agree, however - we are discussing kernel level control here. I can sandbox a game which does not have this anti-cheat to make it unable to delete my documents folder, or perform further actions on my computer - retaining control over my computer. If it is kernel level, I have no such control. That's a big difference, and requires a lot more trust.
Kernel mode driver still can only do what it was programmed to do.

If that program contains a flaw that allows arbitrary code to be injected, it can do whatever an attacker wants it to do though.

Or in case of the kernel-mode driver that used to ship with Street Fighter V:
it legitly had the ability baked in as a feature to execute code residing in memory in user space under kernel space. User space callers would simply pass the pointer of the start address of the code in user space to the kernel-space module, relying on the module to temporarily disable the Supervisor Mode Execution Protection (SMEP) hardware feature that normally protects against this kind of very dangerous pattern.

https://www.theregister.com/2016/09/23/capcom_street_fighter_v/
Last edited by RiO; Jul 13, 2024 @ 12:51pm
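Added example, not part of the thread or any poster's code: the quoted research says the abused driver keeps a valid signature, so a defender has to deny it by file hash rather than rely on signature status. The sketch below triages driver-load events that use the field names of Sysmon Event ID 6; the events, the file name `vendor_anticheat.sys` and all digests are constructed placeholders.

```python
import re

# Constructed deny-list of SHA-256 digests for driver builds the defender
# has decided to block. "AA"*32 is a placeholder, not a real indicator.
BLOCKED_SHA256 = {"AA" * 32}

# Directories drivers are normally loaded from (lower-cased; the trailing
# backslash stops a sibling such as "drivers_x" from matching "drivers").
EXPECTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

def _event(path, digest, signed="true", status="Valid"):
    """Build one constructed event with Sysmon Event ID 6 field names."""
    return {"ImageLoaded": path, "Hashes": "SHA256=" + digest,
            "Signed": signed, "SignatureStatus": status}

SAMPLE_EVENTS = [  # constructed sample data
    _event("C:\\Windows\\System32\\drivers\\usbhub3.sys", "11" * 32),
    _event("C:\\Users\\Public\\vendor_anticheat.sys", "AA" * 32),
    _event("C:\\Windows\\System32\\drivers\\vendor_anticheat.sys", "AA" * 32),
    _event("C:\\Windows\\Temp\\unsigned.sys", "22" * 32, "false", "Unavailable"),
]

def sha256_of(hashes_field):
    """Extract the SHA-256 digest from a 'SHA256=...' style Hashes field."""
    match = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes_field)
    return match.group(1).upper() if match else None

def signature_ok(event):
    """The check that is NOT sufficient alone: signed and status Valid."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus") == "Valid")

def assess(event):
    """Return the reasons a driver load deserves review (empty list = none)."""
    reasons = []
    if sha256_of(event.get("Hashes", "")) in BLOCKED_SHA256:
        reasons.append("blocklisted-hash")   # fires even when signature is valid
    if not signature_ok(event):
        reasons.append("bad-signature")
    if not event.get("ImageLoaded", "").lower().startswith(EXPECTED_DIRS):
        reasons.append("unusual-path")       # driver loaded from a user-writable area
    return reasons

def triage(events):
    """Return (image path, reasons) for every event with at least one reason."""
    flagged = []
    for event in events:
        reasons = assess(event)
        if reasons:
            flagged.append((event["ImageLoaded"], reasons))
    return flagged

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

The third sample event is the case the thread is arguing about: it passes `signature_ok` and sits in the normal driver directory, and only the hash deny-list flags it.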
Anmheda Jul 13, 2024 @ 12:57pm 
Originally posted by BlackBloodRum:
I'll say this honestly as a Linux user. Linux is great but do not take the decision to switch lightly. There are many things that are different between the two OS's. Some things are easy to adapt to, others not so.

You may also need to consider which games work (For example: EA have introduced a new anti-cheat and are updating old games to intentionally block Linux users from using them[1].), and how well they work. Often for other software you may need to use an alternative rather than the exact one you had. The key emphasis to remember is: Linux is not Windows. They are not the same, if you go in expecting things to be the same you'll only leave with a negative opinion.

Aside from the initial caution; there are many distributions you may choose from and some may be easier than others. I'd generally recommend starting with Linux Mint if you use an AMDGPU or Pop_OS if you use nvidia. But other options are available and I generally advise you choose based on your own needs and preferences. Try distributions within a virtual machine first to get a 'basic feel' of it.

Try Live USB images and such as well. But do not make any major changes until you are ready.

Other than all that, simply plan carefully, be sure you are ready and be aware of what you are doing, there are plenty of Linux communities online who can help you get started :zombiethumbsup: (I don't recommend Steam as a place for that help)

Finally: Have fun!

[1] https://www.gamingonlinux.com/2024/04/battlefield-v-now-broken-on-steam-deck-linux-with-ea-anticheat-live/
I know, been using Linux before ;) Used both Ubuntu and Linux Mint in the past.
I appreciate your help though. Earlier I mentioned the two PCs alternative, like one PC for Linux only, and another one for Windows only. One personal PC, and a second gaming PC (without personal stuff). I could also do dual boot with one PC, but I'd rather have two. For me I would not be gaming so much on the Linux PC, I would use it for web browsing and personal projects, music production etc. And I did some research, seems like most DAWs also work pretty good inside Linux using Wine (for Windows only applications).
Tito Shivan Jul 13, 2024 @ 1:07pm 
Originally posted by RiO:
The privacy concern is a lesser concern wrt kernel modules.
And not exclusive of them. I mean, if a dev was really interested in private content they can just ask access to it. And if you don't you don't get to play the game.

Easier and more straightforward than getting kernel level to then try to steal the same content.

Originally posted by BlackBloodRum:
To the point of demanding complete control over your computer?
And this is the kind of thing I refer to when talking about 'disinformation'.

Date Posted: Jul 11, 2024 @ 12:19pm
Posts: 155