ipg,
@ipg@wetdry.world avatar

constantly capturing all the network traffic happening on my Windows 11 PC with a bunch of game launchers and anticheats installed is so boring. from the way you people talk it sounds like i have every single website i visit logged on 80 company datacenters but nah it's just. "Hallo michaelsoft. Ur driver install worked"

DenJohn,
@DenJohn@mas.to avatar

@ipg
Well the problem with kernel level anticheat is not only that it can run kernel level code. It's also a huge attack vector. These kernel anti cheat drivers aren't usually as secure as other kernel drivers are in windows. The fact that you don't know what it's running at the kernel level and that you can't easily know, the fact that it's a black box installed by a third party is what people don't like.

DenJohn,
@DenJohn@mas.to avatar

@ipg
The kernel driver is signed, you don't need to have the anticheat installed to have the kernel driver installed. Any program can install it and, if they know of an exploit, any program can exploit it.

ipg,
@ipg@wetdry.world avatar

@DenJohn very aware of this fact, i'm not really defending that part of kernel level anticheat (though i will stand by "if a well-designed well-behaved anti-cheat needs kernel anti cheat, i won't be mad", just most aren't)

look at how many times BEDaisy (BattlEye) and MHYProt (genshin's anticheat) have been blacklisted in Windows because of security flaws, it's definitely a problem to let anyone run around in the kernel... but that's a wider problem with Windows rather than solely anti-cheat

winload_exe,
@winload_exe@wetdry.world avatar

@ipg @DenJohn i'm surprised MS is still signing these things themselves. afaik BEDaisy (as of october 2023) is signed by the following cert authorities:

  • Microsoft Windows Hardware Compatibility Publisher (chains back to Microsoft Windows Third Party Component CA 2014)
  • BattlEye Innovations e.K.

Rairii,

@winload_exe @ipg @DenJohn i'm not surprised.

since th2 or so, windows is only meant to load drivers signed by MS if they were signed after a certain point. but if there's no timestamp on the cert the old certs all still work (they've all expired by now but that doesn't matter, some of them had their private keys leaked and there's various signtool hooks to patch the expiry time checks out). so for anyone using their own legit code signing cert and privkey the ONLY option for signing drivers is to go through MS.

MS signs anything you give them (as long as you have access to sign drivers, which basically just requires a shell company and an EV code signing cert, people on unknowncheats can afford this) and basically rely on their terms and conditions to say "if you sign something with vulns we will revoke, if you sign malware we will ban". their terms and conditions also specify that they can require a code audit of your drivers at any time.

MS driver signing puts the name of the entity they signed it for in the opus info, which can be seen in the advanced tab (can't remember the asn1 object id right now); they do the same for UEFI bootloaders signed by the UEFI third party certificate

it would be nice if they could have proper certificate transparency-like processes for driver signing and provide any and all drivers/uefi bootloaders for download such that anyone can analyse them. i report third party uefi bootloader vulns to MSRC because MS signed them for someone and they can easily get in contact with the responsible vendor, and get taken more seriously than just some random researcher. maybe I should do the same with vulnerable drivers and see what happens.

i also think MS should clamp down on code obfuscation in drivers. whether that's disallowing it, only allowing it when the obfuscated code is cleanly sandboxed (wasm?) with clean interfaces specified to not allow anything dangerous to be called by obfuscated code, or only allowing it by signing using a different chain that would not be trusted by default and would require a BS|NV variable (and physical-presence separate boot application) to allow (because your typical corporate system shouldn't ever be loading, for example, genshin impact's anti-cheat driver, right?)...
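A defender-side inventory script, added here as an example and not part of any post in the thread: it lists the kernel drivers currently running and flags those whose signing chain passes through the "Microsoft Windows Third Party Component CA" named above, which is the co-signing path that puts third-party drivers such as anticheat modules into the kernel. It assumes an elevated PowerShell session on Windows; the CA name match is a heuristic, and it does not decode the opus info field mentioned above.

```powershell
# Added example (not from the thread): inventory running kernel drivers and show
# which certificate chain signed each one, so an administrator can see which
# third-party drivers reached the kernel via Microsoft's co-signing path.
# Assumptions: elevated PowerShell 5.1+ on Windows; a driver is treated as
# "third-party via Microsoft" when its chain contains the issuer named in the
# thread, "Microsoft Windows Third Party Component CA".

$thirdPartyCa = 'Microsoft Windows Third Party Component CA'

# Kernel drivers the service control manager currently reports as running.
$loaded = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$report = foreach ($drv in $loaded) {
    # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    # Note: Get-AuthenticodeSignature returns only the primary signature. A
    # dual-signed driver (vendor + Microsoft, as BEDaisy is described above)
    # needs `signtool verify /v /all <file>` to show every chain.
    $sig = Get-AuthenticodeSignature -FilePath $path

    $issuers = @()
    if ($sig.SignerCertificate) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline inventory; check revocation separately
        $null = $chain.Build($sig.SignerCertificate)
        $issuers = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    }

    [pscustomobject]@{
        Driver  = $drv.Name
        Path    = $path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        ViaWhcp = [bool]($issuers -match [regex]::Escape($thirdPartyCa))
    }
}

# Third-party co-signed drivers first; these are the ones worth reviewing on a
# corporate image that has no business running game anticheat modules.
$report | Sort-Object ViaWhcp -Descending | Format-Table -AutoSize
```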
