On trusting third-party client-sided anticheat software

By /robex/, August 2024. Back to Articles and Guides

Introduction

The following post will address some of my concerns and thoughts about third-party client-sided anticheat solutions, in particular the L4D2Center anticheat (AC from now on) that will soon be mandatory in order to play. Since the intended audience is pretty much any L4D2Center player who is (rightfully) concerned about the security of running the AC on their computer, I will try to keep the post as non-technical as possible so everyone can understand, without losing too much accuracy.

The problem

By definition, anticheat software that runs on the client is pretty much indistinguishable from malware, at least from an antivirus point of view. It scans your filesystem, it is heavily obfuscated to prevent people from figuring its behavior out, it sends data back to an external server, and it must be invasive to stop (or detect) cheat makers from doing things like process injection, hooking, network packet manipulation, and so on.

In the particular case of L4D2, the entire problem stems from the lack of a properly updated AC from Valve themselves. As an example, the lack of well implemented integrity checks for game files leads to easy, undetectable abuse in the form of tampering with sound files, loading addons that give you unfair advantages, and more.

Since server-sided anticheats can only go so far, as they only have access to the data that the server has, the only 3 real options left are:

• Player reports: When a player suspects that someone is cheating, they report them to the admins and have them manually review footage. This is basically how the community has operated until now, but it requires a lot of resources and it is pretty error-prone (e.g. How are you supposed to tell if someone is using no-sounds based on a demo?).
• Referees: Players suspected of cheating are forced to stream their games, take periodic screenshots, or in general they must provide some way for others to see their game from their computer's point of view so they can manually verify that nothing fishy is going on. This can generally be bypassed quite easily (ahem anti-OBS...) and it is unreasonable on a large scale.
• Client-sided AC: Force players to run some third-party software on their PC that will automatically attempt to detect cheats. This has the benefit of being much more powerful and removing human error from the equation, but it has serious privacy and safety downsides, as it allows the developer of the AC to run anything they want on your PC.

Trust

When it comes to popular anticheat solutions such as VAC, Easy Anti-Cheat, BattleEye, Vanguard and others, these solutions are created by or together with the developers of the game. Without becoming too paranoid, if the developers of these games wanted to run malicious code on my computer, they could do it in the game executables themselves, so from that point of view the extra step of running their own AC program does not add that much of an attack surface (kernel-level ACs aside).

Some of these companies also have verifiable people behind them who are liable to privacy laws such as GDPR in the EU, and subject to fines or other penalties. While this does not stop potential privacy violations, it definitely creates a bit more trust in users than some program developed by a "random", anonymous, unaccountable person.

Third-party ACs

The biggest issue in the case of L4D2Center players (or any third-party AC users, really) is that unless you are a programmer with access to the anticheat source code, and you understand it and build it yourself, you have no way of telling what is actually running on your computer. And obviously, publishing the source code would defeat the purpose of the AC, since a determined cheater with the right knowledge could simply modify it and remove all detection methods.

Like many things in life, in the end it comes down to whether or not you trust the developer of the AC. Are their intentions legitimate, or do they have some malicious objective beyond stopping cheaters? Nonetheless, putting all negativity aside, is there anything we can do to make things more trustworthy? In my opinion, yes.

In the world of software development, there exists the concept of reproducible builds. In short, the way programs are made is by transforming source code (readable text) into an executable (what the player would run on their computer) via compilation. What a reproducible build does is it ensures that the same source code is always transformed into the same executable.

And how does this help us? A reproducible build allows for verifiable, independent review of the behavior of the program. You could have a few trusted members of the community, from all sorts of backgrounds, review the source code and verify that there is no malicious code embedded in it. And since the final executable is guaranteed to have come from said source code, there is no possibility that it has been tampered with in the process of distribution to the final users (in this case, the players).

This does not solve all problems, but it creates a shared trust between multiple independent people instead of centralizing it all into the same person, making the addition of malicious behavior into the AC much less likely to go uncaught. The next problem to solve, is deciding who these trusted reviewers will be. And that is not up to me :), perhaps a community vote would be the choice here. And you have to keep in mind that reviewing the source code after every update of the AC is pretty time consuming for the reviewers, whose time is probably rather valuable.

Another issue to solve is that players who are new to the community will not have trust in anyone at the beginning, so why should it matter to them that the AC has been reviewed by xx_super_trustworthy_xx_admin if they do not know who this person is? This is likely to stop new players from flowing into the site, as the requirement of the AC will be too high of a barrier to entry. So, to address this, I will propose a few mitigations in the next section.

Mitigations

Beyond what was discussed in the last section, here are some other compromises that could be made in order to prevent the playerbase from decreasing or stagnating:

• In my opinion, the best solution is to only force the AC on players who are suspected of cheating (via reports, previous bans, admin inspection, unusually good game stats, or any other means).
• If the previous solution is too lenient, at least do not make running the AC mandatory until you have finished playing your placement games. This will allow new players to become familiar with the website, community and config before making them run some software that they cannot really trust.

Conclusion

TL;DR:

• Would you trust an anticheat made and reviewed by a single, unaccountable person? No, and you probably should not either.
• Would you trust an anticheat made and verifiably reviewed by multiple people? Depends on the people :)
• Do you think the anticheat should be forced on every player, all the time? No.

Unfortunately, there is no good solution for a third-party AC that does not involve a bit of blind trust, however, with the right measures in place the risk of malicious behavior slipping into the AC software can be considerably reduced.

I also want to point out that I have not gone into many other topics here such as: do we really need the AC in the first place, what does it do exactly, antivirus detections, code signing the executable, how to actually verify the executable via its hash, and so on. I wanted to keep this post purely about trusting and running the AC in a more generalized way.