Hardware Arms Race: Anti-Cheats Leverage CPU Features Against Game Hackers

Umair Akbar
4 min read, Nov 15, 2023

Hardware-assisted anti-cheat defenses are growing in popularity as purely software-based approaches prove insufficient against advanced game hacks. By using capabilities exposed by modern CPUs, anti-cheats gain new ways to monitor and protect a game's memory. Intel MPX and PMU-based CLFLUSH monitoring are two examples of hardware features pressed into service for security, though, as the sections below spell out, each comes with hard limits that a practitioner has to understand before relying on it.

Memory integrity is a major concern in anti-cheat systems. Cheats often modify a game's code or data to manipulate behavior to their advantage, for example by changing values such as ammo count, spawn location, or aim-assist strength. Software-based scanning cannot always catch these modifications, so hardware features like MPX and CLFLUSH monitoring are attractive as an additional source of visibility.

MPX: Memory Protection Extensions
Introduced with Intel's Skylake microarchitecture, MPX adds four bounds registers (BND0 to BND3), two configuration registers (BNDCFGU for user mode and BNDCFGS for supervisor mode), a BNDSTATUS register, and the instructions BNDMK, BNDCL, BNDCU, BNDCN, BNDMOV, BNDLDX and BNDSTX, which together implement explicit bounds checking of pointers before they are dereferenced.

Each bounds register holds a lower and an upper bound for one pointer. Code checks a pointer against those bounds with BNDCL (lower) and BNDCU or BNDCN (upper) before using it; the configuration registers do not hold bounds themselves, they only enable MPX and point to the bounds directory used to spill bounds with BNDSTX and reload them with BNDLDX. A failed check raises the #BR exception, which the OS can route to an exception handler.

For an anti-cheat, MPX therefore offers a mechanism for catching out-of-bounds accesses in code the anti-cheat itself instruments, which is how buffer overflows in the game's own code paths are caught. The anti-cheat creates bounds around key game data structures and inserts BNDCL and BNDCU checks in front of accesses to them; BNDMOV and BNDSTX only copy or spill bounds and validate nothing on their own. The limitation follows directly from the design: MPX checks a pointer only where a BNDCL or BNDCU instruction executes. A cheat that writes game memory from its own code, from another process, or from a kernel driver never executes those checks, so no #BR is raised. MPX is a memory-safety tool for the protected code, not a hardware watchpoint on the protected data.

Bounds for specific game data addresses are created with BNDMK, which loads a bounds register with the lower bound taken from the base register of its memory operand and the upper bound from the computed effective address. Critical structures such as player health, ammo and inventory can each be given bounds this way. The anti-cheat's handler registered for #BR can then detect and react immediately when instrumented code steps outside them.

While MPX has demonstrated potential, its availability is limited and shrinking. Three things must line up before it works: CPUID.(EAX=07H,ECX=0):EBX[bit 14] must report the feature, the OS must have set CR4.OSXSAVE and enabled the BNDREGS and BNDCSR state components (bits 3 and 4 of XCR0) so that the bounds registers survive context switches, and the enable bit in BNDCFGU (or BNDCFGS for kernel code) must be set. If any of these is missing, the BND instructions execute as NOPs and no protection is in force. The IA32_ARCH_CAPABILITIES MSR plays no part in this; it reports speculative-execution mitigation properties. Anti-cheats must therefore check CPUID and XCR0 and use MPX only where both the processor and the OS support it. Intel has since deprecated MPX: it is absent from Ice Lake and later cores, GCC removed support in GCC 9, and Linux dropped it in 5.6, so it is a shrinking rather than a growing option for game memory protection.
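As an added example, not code from the article, here is the capability probe the paragraph above describes, written against the CPUID and XCR0 bit positions given in the Intel SDM. The helper names and the status enum are this example's own; the bit positions are the architectural ones.

```c
/* Added example (not from the original article): the CPUID/XCR0 checks an
 * anti-cheat has to pass before it can rely on MPX. Bit positions are from
 * the Intel SDM; the helper names and status values are this example's own. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=07H,ECX=0):EBX bit 14 == the CPU implements MPX. */
int mpx_supported_by_cpu(uint32_t cpuid7_ebx) {
    return (cpuid7_ebx >> 14) & 1u;
}

/* CPUID.(EAX=01H):ECX bit 27 == OSXSAVE: the OS set CR4.OSXSAVE, so XGETBV
 * is legal and XCR0 reports which XSAVE state components are enabled. */
int osxsave_enabled(uint32_t cpuid1_ecx) {
    return (cpuid1_ecx >> 27) & 1u;
}

/* XCR0 bit 3 (BNDREGS) and bit 4 (BNDCSR) must both be set; otherwise the
 * OS does not save/restore BND0-BND3 and BNDCFGU/BNDSTATUS across context
 * switches and every MPX instruction executes as a NOP. */
#define XCR0_BNDREGS (1ull << 3)
#define XCR0_BNDCSR  (1ull << 4)

int mpx_state_enabled_by_os(uint64_t xcr0) {
    uint64_t need = XCR0_BNDREGS | XCR0_BNDCSR;
    return (xcr0 & need) == need;
}

enum mpx_status {
    MPX_NOT_X86 = -1,
    MPX_ABSENT = 0,       /* CPU does not implement MPX (e.g. Ice Lake and later) */
    MPX_NOT_ENABLED = 1,  /* CPU has it, but the OS did not enable the XSAVE state */
    MPX_USABLE = 2
};

/* Live probe of the current machine. Only this function depends on the
 * host; the helpers above are pure and can be tested with fixed values. */
int probe_mpx(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    uint32_t lo, hi;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return MPX_ABSENT;                 /* leaf 7 not even available */
    if (!mpx_supported_by_cpu(ebx))
        return MPX_ABSENT;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !osxsave_enabled(ecx))
        return MPX_NOT_ENABLED;            /* XGETBV would #UD without OSXSAVE */
    __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
    return mpx_state_enabled_by_os(((uint64_t)hi << 32) | lo)
               ? MPX_USABLE : MPX_NOT_ENABLED;
#else
    return MPX_NOT_X86;
#endif
}

int main(void) {
    printf("MPX status on this machine: %d\n", probe_mpx());
    return 0;
}
```

The decision logic is kept in pure functions so it can be unit-tested with constructed register values; only probe_mpx() touches the live machine. On a current Ice Lake or later core it returns MPX_ABSENT, which is exactly why an anti-cheat cannot treat MPX as a baseline and must fall back to other mechanisms when the probe fails.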

CLFLUSH Monitoring
Another hardware feature relevant to memory integrity is the CLFLUSH instruction. It writes back (if modified) and invalidates the cache line containing a given linear address from every level of the cache hierarchy, so the next access to that line goes to main memory. It is executable from user mode and cannot be disabled or trapped by the operating system.

CLFLUSH does not change which value other code observes. x86 caches are coherent, so a store from a cheat thread or process becomes visible to the game whether or not the line is flushed; a cheat that wants to change game state simply writes it. Where CLFLUSH matters is timing: flushing a line and then measuring how long a reload takes is the basis of the Flush+Reload cache side channel, which reveals which game code or data another core is touching without writing anything, and repeated flushing is what forces a line out to DRAM on every access. Legitimate game and runtime code almost never issues CLFLUSH against game data in a tight loop, and that is what makes its use a signal.

Anti-cheats can look for this through the performance monitoring unit rather than by scanning code. There is no documented PEBS event that fires once per CLFLUSH, so the anti-cheat cannot intercept every flush. What PEBS (Precise Event Based Sampling) provides is sampling of precise events, such as retired loads and stores, at a configurable interval, with a record that captures register state and, for memory events, the data linear address. Sampling the reload side of a flush-and-reload loop and examining the sampled addresses therefore yields a statistical, not exhaustive, signal that some process is repeatedly probing game data.

To use it, the anti-cheat programs each core's PMU with a precise memory event (the load-latency facility, or on Sandy Bridge the Precise Store facility, are the variants whose records include the data linear address) and points the IA32_DS_AREA MSR at a DS save area whose PEBS fields (buffer base, current index, absolute maximum and interrupt threshold) describe the record buffer. The CPU appends a record to that buffer at each sample and raises a performance monitoring interrupt through the local APIC when the index crosses the threshold; the anti-cheat's PMI handler then drains the records, attributes each data address to the process that was running and to the game's data structures, and looks for suspicious patterns. Two caveats apply: all of this is kernel-mode work, and the PMU is a shared resource that the OS profiler (perf on Linux, ETW on Windows) programs as well, so a driver writing the PMU MSRs directly has to coordinate with that use or it will corrupt both sides' results.

Combined with memory-scanning heuristics, sampled accesses whose addresses fall inside game data structures from a process other than the game give a high-confidence detection of a probe. Note that x86 offers no way to pin a line against CLFLUSH, so the response has to be detection-driven (flagging or terminating the process) rather than a cache-level countermeasure.
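As an added example, not code from the article, here is the analysis stage that a PMI handler's drained records would feed: a per-process sliding-window counter over sampled data addresses that ignores the game's own accesses and alerts when another process keeps hitting protected structures. The record layout, the protected ranges, the pids and the sample stream are all constructed for this example; a real driver would fill struct mem_sample from the DS-area records and the process context current at the PMI.

```c
/* Added example, not code from the article: the analysis stage that runs
 * over memory-access samples once a PMI handler has drained the PEBS
 * buffer. The record layout, protected ranges, pids and sample stream are
 * constructed for this example; a real driver would fill struct mem_sample
 * from the DS-area records and the process context current at the PMI. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct mem_sample {      /* one sampled access, as extracted from a PEBS record */
    uint32_t pid;        /* process running when the sample was taken */
    uint64_t ip;         /* instruction that performed the access */
    uint64_t data_addr;  /* data linear address from the record */
    uint64_t tsc;        /* timestamp of the sample */
};

struct addr_range { uint64_t base; uint64_t len; };

#define MAX_TRACKED_PIDS 64

struct pid_window {
    uint32_t pid;
    uint64_t window_start; /* tsc of the first hit in the current window */
    uint32_t hits;         /* hits on protected data inside that window */
};

struct detector {
    const struct addr_range *ranges; /* game data structures to watch */
    size_t n_ranges;
    uint32_t game_pid;       /* the game reading its own data is expected */
    uint64_t window_cycles;  /* sliding window length in TSC cycles */
    uint32_t threshold;      /* hits in one window that raise an alert */
    struct pid_window tracked[MAX_TRACKED_PIDS];
    size_t n_tracked;
};

static int in_protected(const struct detector *d, uint64_t addr) {
    for (size_t i = 0; i < d->n_ranges; i++)
        if (addr - d->ranges[i].base < d->ranges[i].len) /* wraps if addr < base */
            return 1;
    return 0;
}

static struct pid_window *window_for(struct detector *d, uint32_t pid) {
    for (size_t i = 0; i < d->n_tracked; i++)
        if (d->tracked[i].pid == pid) return &d->tracked[i];
    if (d->n_tracked == MAX_TRACKED_PIDS) return NULL; /* table full: drop, never alert */
    struct pid_window *w = &d->tracked[d->n_tracked++];
    w->pid = pid; w->window_start = 0; w->hits = 0;
    return w;
}

/* Feed one sample. Returns the pid to alert on, or 0 when nothing fired. */
uint32_t detector_feed(struct detector *d, const struct mem_sample *s) {
    if (s->pid == d->game_pid || !in_protected(d, s->data_addr))
        return 0;
    struct pid_window *w = window_for(d, s->pid);
    if (!w) return 0;
    if (w->hits == 0 || s->tsc - w->window_start > d->window_cycles) {
        w->window_start = s->tsc; /* previous window expired: start a fresh one */
        w->hits = 0;
    }
    w->hits++;
    return w->hits >= d->threshold ? s->pid : 0;
}

/* Run a stream; return the first pid that trips the threshold, 0 if none. */
uint32_t scan_samples(struct detector *d, const struct mem_sample *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t hit = detector_feed(d, &s[i]);
        if (hit) return hit;
    }
    return 0;
}

/* Constructed scenario: the game (pid 4000) owns a player struct and an
 * entity list; pid 5151 re-reads the player struct every probe_interval
 * cycles, which is what a flush-and-reload loop looks like from the PMU
 * side; pid 777 reads it once, as an overlay or debugger would. */
static const struct addr_range game_ranges[] = {
    { 0x7f3a10000000ull, 0x1000 },  /* player state */
    { 0x7f3a20000000ull, 0x20000 }, /* entity list */
};

uint32_t demo_scan(uint64_t probe_interval) {
    struct detector d = { .ranges = game_ranges, .n_ranges = 2, .game_pid = 4000,
                          .window_cycles = 50000, .threshold = 8 };
    struct mem_sample stream[64];
    size_t n = 0;
    for (int i = 0; i < 20; i++) {
        stream[n++] = (struct mem_sample){ 4000, 0x401000, 0x7f3a10000040ull + 8 * i, 1000 + 100 * i };
        if (i == 3)
            stream[n++] = (struct mem_sample){ 777, 0x500000, 0x7f3a10000040ull, 1350 };
        stream[n++] = (struct mem_sample){ 5151, 0x601000, 0x7f3a10000040ull, 1000 + probe_interval * i };
    }
    return scan_samples(&d, stream, n);
}

int main(void) {
    printf("tight probe loop -> alert on pid %u\n", demo_scan(2000));   /* 5151 */
    printf("sparse probes    -> alert on pid %u\n", demo_scan(100000)); /* 0 */
    return 0;
}
```

The window and threshold are the tuning knobs: a tight reload loop trips the threshold within a few thousand cycles, while a process that reads a protected structure once, or only rarely, never accumulates enough hits in one window and is left alone. Because PEBS delivers a sample of accesses rather than all of them, the threshold has to be set relative to the sampling period, and the game's own pid is whitelisted up front rather than filtered afterwards so its traffic never pollutes the counters.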

Active Countermeasures
Advanced anti-cheat defenses do not rely solely on passive monitoring and detection. Kernel-mode anti-cheat drivers can employ active interference to disrupt identified cheat mechanisms.

For example, the CLDEMOTE instruction available on recent Intel cores is sometimes suggested as a cache-control countermeasure against CLFLUSH manipulation. It is only a hint that moves a line from the core's private caches toward the shared last-level cache; it does not prevent the line from being cached and does not hide the data. The only way to keep critical data out of the cache entirely is to map it with the uncacheable (UC) memory type through the page attribute table, which costs every access a DRAM round trip and still does not change the value a cheat reads, because caches are coherent in the first place. Cache-level tricks therefore do not defeat CLFLUSH-based probing; at best they change its timing.

Other countermeasures include injecting interrupts via the local APIC to disrupt cheat thread timing (at the cost of the game's own latency), forcibly terminating suspicious processes through kernel API calls, or containing payloads with hypervisor-based isolation.

Counter-manipulation tactics that touch the cache, such as pre-touching game state with PREFETCH instructions, only adjust timing, since PREFETCH is a hint the CPU is free to ignore; their value lies in raising the cost and noise of cheat development rather than in blocking any access. Active interference directed intelligently by runtime system knowledge represents a shift in anti-cheat design.

Ongoing Arms Race
Cheating in competitive online games continues to be an arms race between game hackers and anti-cheat systems. As software-only defenses lose robustness, leveraging advancing hardware capabilities becomes imperative.

Features like Intel MPX (where a processor still offers it), PEBS-based sampling of memory accesses, cache-control hints, and precisely targeted active countermeasures exemplify techniques for anti-cheats to gain advantages against cheats. Yet cheat developers will continue adapting to these hardware defenses over time.

Anti-cheat architectures must themselves continue evolving, building runtime profiles of hardware capabilities to intelligently select defenses on each platform. Combining software monitoring, hardware events, and finely targeted interference directed by system knowledge maximizes anti-cheat effectiveness.

With billions at stake in esports and competitive gaming, the cycle of innovation–detection–mitigation–evasion will persist in the gaming domain. Anti-cheats leveraging both software and hardware techniques have the best chance of staying ahead of determined cheaters.


Hi, I'm Umair Akbar. Cloud Engineer. Artificially Intelligent. Experienced in deploying and managing cloud infrastructure, proficient in AWS and Google Cloud