Some anti-cheat ideas

[Subdino]

Hi.
I'm not a part of the dev team (yet ? ) but I have worked on an anti cheat for another game (GhostRecon from ubisoft - proprietary & closed source, and ubisoft/redstorm refusing to do the least thing that could have helped fighting cheat).

There are some points that needs to be clarified before designing any anti-cheat system. I'll try here to put some ideas without being technical - just in case "security by obfuscation" is chosen.

What is "cheating" ?
(I'm here assuming we are talking about network play, I don't think there is any trustable way to prevent solo cheats - nor there is any interest in doing so)
Cheating can mean "using modified files", "modifying program data while runing", and "exploiting bugs or weaknesses in game engine".
For the first, how can a file be said "original" ? What can be called a reference file ? The one on the server we are playing, or the one originaly bundled with the engine ?
For the second, there are 2 ways I know : Either check that the data in the engine is correct (how ?) or prevent processes from modifying the memory.
For the last, I'm afraid there is no solution. And if glitches exploits can't be avoided, what should be the official position of the devteam ? Are they "features" - somehow disturbing to admit - or are they "situations players must avoid" - with the risk that an innocent can be caught by accident using an exploit.

Once a cheater is discovered, what should be done ?
The options here are quite vast, from suddently shutting down his game and reporting him as a cheater on a public place, to increasing some kind of "cheat point" account to make false positives less critical. To make a soft that people believe, something between those two extremes should be chosen : detect cheaters, but don't flame innocents.

What are the available network resources ?
Where our anti-cheat will be able to gather and transmit information ? The P2P model is quite problematic, because we can't trust all the peers. The client/server model is quite better, but is based on the assumption that the server is honest. The client/server/master server model is even better, but requires at least one "master server".
Here is a small explanation about the "master server" thing :
client : the client game, connection to a game server
server : the game server
master server : a trusted server, reachable from both the client and the server
When the server starts, he registers with the master server. Each client, when it connects to a server, registers with the master server, telling which server they joined. On client connection, the server asks if the master server knows the client that joined. If it does, it allows the connection, if not it refuses it.
Now that there is a trusted server (the master server), checks can be done with a great accuracy, and the client & server are equal from an anti-cheat point of view.

Choices I made in the last version (3rd) of my anti-cheat (which was never released, because I was exhausted of working alone on that project) :
-Architecture : client/server/master server
-Cheating is having files that are not known by the master server
-Every cheat is reported and the cheater is imediatelly kicked & flamed
That cunjunction of choices made it possible to have more than one master server : the important thing is that the clients & servers trust their master server. And the master server rewards their trust by telling them everything it detects.

If anybody from the dev team is interested with technical details, please PM me .

[zwzsg]

So,in your system, if two people wants to try a brand new mod online, they are kicked and flamed?

[Subdino]

No. Unknown files were ignored (because I found no way to have a precise list of what was used by GR - and some special files absence was checked, to avoid API hooking).
And if they want anti-cheat support for their mod, they have to make a master server know about those files (either ask an andmin to add the files, or start another master server).

By "files not known" I meant "the same filename, but with different content".

[WillRiker]

ever since GhostRecon tom clancy's games have really gone down, in my opinion original rainbow 6 was the best tactical fps ever.

[Subdino]

I personaly prefer Raven Shield, but I can't say I spent much time on old R6s... And I keep GR in a good place in my memories.

[renrutal]

So,in your system, if two people wants to try a brand new mod online, they are kicked and flamed?

Turn off the master server cheating check and make it a client-server game.
The master server model is just for environments that need to be protected against cheating, such as an official ladder game. Just because they're using modified files it doesn't mean they are cheating.

A flexible model that could think about all those major and minor cases would be the best. You don't always need to apply anti-cheating measures.

[Matt]

Here's my thoughts on this issue, since spring IS an open source game, a client-server-master model won't work, however a client server model would work great. maybe have an ability to import an XML blacklist of cheaters or someting for a "master" but no official master because this IS open source, and things tend to diversify alot more than with propritary games.

anyways, as for my thoughts on an anti cheat method, this ability needs to be included in with the gamelobby (also under development, I beleve?) basically, client takes checksum of everyfile in the directory (similar to how SAINT works (http://www.unixgeeks.org/fss/)) then checks these with the server, if there is a discrepency, kick users/add to a blacklist based on.. whatever (MAC address if possible?)

as for his comment on how to handle original game files/whatever maybe have a syncing ability between client and server for this? this would also take care of quite a few usability issues.

that should cover the "using modified files" thing that subdino was discussing

as for protecting memory access, I am not framillar of many methods in windows XP (I presume that is target for this, 2k3 has this functionality built in) but taking a sum of the unit/whatever data stored in memory and and creating periodic checks during the game might be a good option. Another good option to combat these types of cheat is be actively involved in hunting them down and creating a server-controlled client-side checker that will check for certain files/programs loaded/whatever on a client then send the info back to the server, of course, this could be a major security hole for the client if people start hosting malicious servers.

[SinbadEV]

Open source needs to gain some street cred here... It's FREAKING EASY to cheat in games where you have access to the source code. modifying packets even to the point of giving "My files are" fine responses to the server when they shouldn't... debug codes and other bugs being re-activated in a custom build etc... Frankly it's not really gonna work with anti-cheat, people will need to "play nice" for the most part.

However, if you want to run ladders or something, you could make a custom, hard coded encryption algorythm protected compile of the client and server and distribute this to participants on a torrent (if everyone needs the same one file it would go fast enough to be practicle)... encrypt all the packets so they can't get sniffed or modified, have it do internal MD5 checks on any models and maps and such.

[Subdino]

Here's my thoughts on this issue, since spring IS an open source game, a client-server-master model won't work, however a client server model would work great. maybe have an ability to import an XML blacklist of cheaters or someting for a "master" but no official master because this IS open source, and things tend to diversify alot more than with propritary games.

In my idea, there is not only one master server. I see the master servr as some box, administrated by someone the users truct to put in it good cheat hecking rules which will be aplied both on the (game-)servers and (game-)clients. But there can be much more than only one master... The interest of a master compared to others are wether one knows the admin, or has a registered access on that server (so "private" master servers could be available if some clans want to have their own).
So the master server can be open-source and widely distributed, because the one we have to rely on is the master server admin we connect to when playing. And that guy should definitely know what he does and work against cheats if he doesn't want to be flamed :) .
The client-side of the anti cheat could also be open-source, I think, because it doens't contains the check themself but only the routines that does the checks. The only danger is that someone spoofs the checks (but that would require to know all kind of checks, and the "normal" content of every memory places...).

basically, client takes checksum of everyfile in the directory

That's complementary whith the idea I explained here, but couldn't block the hooks (an exe modifying dinamicaly the memory of another... believe me, it's sooo easy to code - under windows at least). Both should be used.

based on.. whatever (MAC address if possible?)

MAC address is a bad idea, because it can be spoofed. I think we should rely on some keypairs, like in cryptography. Hadware IDs are a bad idea in general, I think, because even if we make it strong enough, it's easy to sell the identifying part to someone - wich would get a side-effect ban - and to buy a new one.

a syncing ability between client and server

Some kind of auto-download thing ? Good idea I think. (as long as non-modified clients don't get their files overwritten, of course)

many methods in windows XP (I presume that is target for this, 2k3 has this functionality built in) but taking a sum of the unit/whatever data stored in memory and and creating periodic checks during the game might be a good option.

AFAIK, nobody can rely on those things. If someone installs some kind of driver and can tell the driver to change memory, it won't be caught (drivers in windows work in kernel-space without checks from OS, IIRC).
Checking periodicaly the values can be a better option, but the values have to be predictable (such checks were usefull & easy in Ghost Recon to check wether built-in cheats were enabled or not, by checking a byte for 1 or 0 value).

this could be a major security hole for the client if people start hosting malicious servers.

That's because of the potentiality of malicious servers that I think master servers could be more reliable.

[Subdino]

giving "My files are" fine responses to the server when they shouldn't

The master server has to be stmarter than that... The questions wouldn't be "is that file ok ?" but "can you give me the value of byte x in file z ?" or "can you give me the MD5 sum of file x ?" or "can you give me the value you have in variable x ?". Much more work would be required to answer right everytime...

you could make a custom, hard coded encryption algorythm

Ciphering with PGP-like algorithm doesn't need the algorithm to be secret to offer a good privacy. The oponents could share their public keys before the match and send data cyphered with their private keys (so we are sure nobody interfers with the game nor reads packets he isn't suposed to receive). The last problem is to be sure the packet is generated by a clean game... And here we need active measures (ie. and anti-cheat program).

[Matt]

AFAIK, nobody can rely on those things.

well, my thoughts here are multiple-layers of security, as with any system, only one method cannot be trusted, but a series of methods are always better than just one, as if we just check files, packets can still be modified, etc.

as for the PGP-encoded netcode, I would imagine that would bring significant bandwidth & processor overhead and not that secure as intercepting with the right keys wouldn't be that hard... just would take a little genius to do right :)

as for the mac-addresses, good point, but we would have to come up with some type of non-IP based blacklisting, any ideas here?

anyways, all I'm trying to do is expand the thoughts on this and see what we can come up with (at least at this point) i'm a unix guy, so windows is somewhat foreign to me (I'm used to things like properly protected memory etc)

[Subdino]

as for the PGP-encoded netcode, I would imagine that would bring significant bandwidth & processor overhead and not that secure as intercepting with the right keys wouldn't be that hard... just would take a little genius to do right :)

As PGP who uses symetric cyphering to actualy cypher, and then crypt the symetric key used to do the first encryption with the disymetric - slow - method, something could be done like that to lower the cpu usage. And I don't think that bandwith increases when cyphering...
About interception, I don't think it would be that easy. Otherwise, PGP, GPG, SSL, SSH & other things using disymetrical cryptography wouldn't be that common...

as for the mac-addresses, good point, but we would have to come up with some type of non-IP based blacklisting, any ideas here?

In my idea (still keyrings), the player would be identified by his public key. A good player would get his key signed by ppl thinking he is honest, and cheaters would spend their time generating soon-revoked & never-(or self-)signed keys. Things like "allow only ppl owning a key I signed" or "ban ppl who own a key signed by x [percent of] cheaters" could be done to reglement access to servers.

i'm a unix guy, so windows is somewhat foreign to me (I'm used to things like properly protected memory etc)

So think to windows as a huge multithread process, or an SHM segment that would span across the whole memory .
Actualy, I saw some memory-protecting & allocating functions in WinXP, but as far as I was able to play with, it never worked (I haven't spent a lot of time on them though, but they are definitelly harder than the usual "malloc"). The fact they are only available in most recent versions of windows makes it hard to rely on, again...