Doom Eternal has become the latest game to use a kernel-level driver to aid in detecting cheaters in multiplayer matches.
The game’s new driver and anti-cheat tool come courtesy of Denuvo parent Irdeto, a company once known for nearly unbeatable piracy protection and now known for somewhat effective but often cracked piracy protection. But the new Denuvo Anti-Cheat protection is completely separate from the company’s Denuvo Anti-Tamper technology, which uses code obfuscation to hinder crackers (and which was already mooted for Doom Eternal anyway shortly after launch).
The new Denuvo Anti-Cheat tool rolls out to Doom Eternal players after “countless hours and millions of gameplay sessions” during a two-year early access program, Irdeto said in a blog post announcing its introduction. But unlike Valorant‘s similar Vanguard system, the Denuvo Anti-Cheat driver “doesn’t have annoying tray icons or splash screens” letting players monitor its use on their system.
“This invisibility could raise some eyebrows,” Irdeto concedes.
No running outside the game
To assuage any potential fears, Irdeto writes that Denuvo Anti-Cheat only runs when the game is active, and Bethesda’s patch notes similarly say that “use of the kernel-mode driver starts when the game launches and stops when the game stops for any reason.” That’s a major difference from Valorant‘s Vanguard system, which requires the driver to be loaded from system startup in order to “monitor system state for integrity.”
“No monitoring or data collection happens outside of multiplayer matches,” Denuvo Anti-Cheat Product Owner Michail Greshishchev told Ars via email. “Denuvo does not attempt to maintain the integrity of the system. It does not block cheats, game mods, or developer tools. Denuvo Anti-Cheat only detects cheats.”
Greshishchev added that the company’s driver has received “certification from renown[ed] kernel security researchers, completed regular whitebox and blackbox audits, and was penetration-tested by independent cheat developers.” He said Irdeto is also setting up a bug bounty program to discover any flaws they might have missed.
And because of Denuvo Anti-Cheat’s design, Greshishchev says the driver is more secure than others that might have more exposure to the Internet. “Unlike existing anti-cheats, Denuvo Anti-Cheat does not stream shell code from the Web,” Greshishchev told Ars. “This means that, if compromised, attackers can’t send down arbitrary malware to gamers’ machines.
“These same gaming machines already have a sea of subpar (security-wise) administrative services with active Internet connections,” he continued. “Drivers from mouse and keyboard vendors, lighting and overclocking services, etc. If attackers really wanted to compromise gamers’ machines, they would go through them—not through the world’s strongest anti-tamper software.”
If a driver exploit is discovered in the wild, Greshishchev told Ars that revocable certificates and self-expiring network keys can be used as “kill switches” to cut them off. “No security expert can claim their solution is infallible, but our penetration testing, certification, and security auditing is significantly higher than any reasonable standard,” he said.
Time to kernel panic?
The use of kernel-mode drivers is actually pretty common in multiplayer game anti-cheat tools, helping to ensure that lower-privileged “user-mode” tools that try to modify the game code can be detected and stopped. While cheaters can still get around this by using code-signing exploits to install their own kernel-level cheat tools, the process is more difficult.
Loading a kernel-mode anti-cheat driver only when a game is running, as Denuvo does, is also very different from running a rootkit-style anti-cheat driver from startup, from a security perspective. The latter introduces much more exposure for system-level exploits that can run without the user’s knowledge, creating “a large attack surface for little benefit,” as independent security researcher Saleem Rashid told Ars regarding Valorant‘s Vanguard security driver.
Still, some members of the Doom Eternal community are not happy about the way the Denuvo Anti-Cheat tool was rolled out, or with the security risks they feel it creates on their systems.
“No piece of software, especially an anti-cheat, should have kernel-level access to your system and if it is we should have been informed before purchasing it,” Reddit user extant_dinero wrote in a popular thread on the Doom subreddit urging people to delete the game. “I would not have purchased it had I known it would be added. Just because other pieces of software do it doesn’t make it right.”
But Greshishchev tells Ars such fear is misplaced. Denuvo Anti-Cheat is “designed to be no different than Nvidia’s graphic drivers or Steam’s Client Service,” he said. “Unlike anti-cheats of the past, there are no filesystem hooks, no requirement to start with the OS, no annoying tray icons or splash screens.”
“It’s human nature to have a fear of the unknown, and no amount of technical claims by us could address that. Trust is built up over time, and we think that when Denuvo Anti-Cheat bans a player in your favorite game, we will gain your trust.”
https://arstechnica.com/?p=1676322