If "you can never trust the client", then why do companies such as Valve rely solely on client-side verification?

If so, then why do these companies not offer server side verification for video games, but rather continue to insist on trusting the client?

It's less about insisting on trusting the client and more that there is no other viable anti-cheat model. Like DRM (and in fact, anti-cheat software like PB uses a form of DRM), there's little that can be done.

DRM software has mitigations in place to keep the client from poking too much, but it has to be put on the client to try to prevent the client from doing things that the media companies don't want the client doing.

Anti-cheat technology relies on similar methodology. Information about the client is gathered, sent to the server, and if a client is seen as misbehaving, through whatever series of checks are done for the specific software, it can be banned at the server.

At the end of the day, it comes down to risk management. Yes, "don't trust the client" is one of the first tenets of security. But for mitigating risks that occur at the client, there's a cost-benefit analysis, which is what risk management is. Is the cost of letting clients continue to bot and cheat worth losing customers who want a fair and fun game? Or should some mitigations be put into place? PB and other software packages aren't there to entirely stop cheating, but aim to make it more expensive to cheat.

Also, there is another, more subtle way of limiting the clients' ability to cheat (wall hacks, ...), mostly implemented by online-only games but not limited to them. This is achieved by not feeding the client side all data. For example, Unreal Engine 3 has checks for whether an actor is in your vicinity of visibility; if this check is positive, the server sends YOU the exact location, as well as your opponent YOURS. So to say, only the server knows all positions, actions and movements of all actors on the gaming instance.

This can be read in the documentation of the Unreal Engine 3 / Client Server Model in the paragraph on cheating, to be found here: https://udn.epicgames.com/Three/ClientServerModel.html

So to say, with advanced engines/network code and client-server models, it is not necessarily needed to trust the client 100%. The server can decide beforehand what the client should know, effectively LIMITING the possibilities of hacks. To go even further, the server can decide what it SHOULD know itself, so as not to get distracted or confused by clients sending forged packets.


Client-side anti-cheat software in and of itself isn't about security, it's about the gameplay (and customer) experience.

Thus, security rules aren't nearly as applicable. Trusting the client "hit pixel 1056 by 1723" is very different from trusting the client "can transfer $1000 to Nigeria", or that the client "can access Bob's email".

Note that I am specifically excluding financial transactions, just gameplay cheats like aimbots, big head cheats, etc.


First: There are many games which use 100% server-side validation and don't trust the client. One example: online poker.

You simply do not send the value of any cards to the client which he cannot know. So even if he hacks the client and reads the memory, there is nothing hidden which he can reveal and no moves he can make which he couldn't make with the regular client.

But many modern games are a lot more complex. A first-person shooter, for example. Here it is not so easy to decide if and how well you can see another player. You might say it is easy: if there is a wall between you two, you cannot see him. And for these simple cases modern games can already cull the enemy player from your view, so you won't get the position where he is. But as soon as the enemy is in a dark corner and only barely visible, the game still has to send his position to you, so your graphics device can paint him there. If you use a cheat which paints him in bright colors, you can easily spot him and cheat. This is hard to prevent, because the logic which paints him in dark colors in the shadow is very complex for games with good graphics - so rendering the picture on the server and only sending you the final picture would make cheating a lot harder, but would also require a ton of resources on the server and would have the serious problem of LAG.

DELAY or LAG: The second big problem with streamed gaming is lag. If you move the mouse, you can look around very fast in a first-person shooter. But sending this command over the internet and receiving the result to show on your screen will necessarily take longer than rendering locally. If you have a fast internet connection you can be lucky with a ping below 20ms, but most connections can be very unstable and the lag can go higher at times. A game which reacts that slowly will play horribly slowly and be almost no fun at all. On the contrary, many modern games apply a ton of techniques like move prediction, time warp and others, so you can lower the perceived lag of other players by making your game compute a lot of local logic and predicting the moves of other players, so the game feels more fluid than it actually is.

Hardware/out-of-the-box cheating: And there are always a ton of opportunities to cheat which cannot easily be defeated by software. What about doping? (A real thing in esports.) Or letting a robot play for you. Or having a webcam over your shoulder which spots enemies on your screen and tells you where they are? Or even things like DDoS attacks from a botnet on your enemy team to disturb their communications?

There are some possibilities to make server-supported validations. The server can test the correctness of the game code/anti-cheat software like DRM protection (but this can of course be spoofed). The server can also check the game logic, measure your movements, collect statistics and data about your behaviour and compare it to other players and certain limits, and try to decide if you are playing abnormally or if you are breaking any rules... but none of this is perfect.
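The two server-side ideas above (the server only sending each client what it may know, as in the Unreal Engine relevance check and the poker example, and the server sanity-checking client-reported movement) as an added example that is not part of any of the answers. The 2-D world, the wall model, the view range and the speed limit are constructed for illustration.

```python
"""Server-authoritative filtering: each client receives only the state it is
allowed to know, and client-reported moves are sanity-checked on the server."""
import math
from dataclasses import dataclass

VIEW_RANGE = 50.0  # constructed: beyond this distance a position is never sent
MAX_SPEED = 10.0   # constructed: farthest a legitimate client can move per tick

@dataclass
class Player:
    name: str
    pos: tuple        # (x, y) world position, owned by the server
    hand: tuple = ()  # hidden per-player data, e.g. poker cards

@dataclass
class Wall:
    wx: float  # constructed: vertical wall segment at x = wx, y in [y0, y1]
    y0: float
    y1: float

def occluded(a, b, walls):
    """True if some wall crosses the straight segment from a to b."""
    (ax, ay), (bx, by) = a, b
    for w in walls:
        if min(ax, bx) < w.wx < max(ax, bx):   # strict: avoids ax == bx
            t = (w.wx - ax) / (bx - ax)
            if w.y0 <= ay + t * (by - ay) <= w.y1:
                return True
    return False

def relevant(viewer, other, walls):
    """Server-side relevance check: in range and not fully behind a wall."""
    return (math.dist(viewer.pos, other.pos) <= VIEW_RANGE
            and not occluded(viewer.pos, other.pos, walls))

def snapshot_for(viewer, players, walls):
    """What the server sends this client: its own full state plus only the
    positions of others it could plausibly see. Other players' hidden data
    (their hands) never leaves the server, so a memory-reading cheat finds
    nothing the regular client would not also show."""
    view = {"you": {"pos": viewer.pos, "hand": viewer.hand}, "others": {}}
    for p in players:
        if p is not viewer and relevant(viewer, p, walls):
            view["others"][p.name] = p.pos
    return view

def accept_move(player, new_pos):
    """Reject a client-reported move that is faster than MAX_SPEED."""
    if math.dist(player.pos, new_pos) > MAX_SPEED:
        return False
    player.pos = new_pos
    return True
```

Even with this filtering, an enemy that is in range and unoccluded but hard to see is still sent to the client, which is exactly the "bright colors" case the answer describes.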

Tags:

Client Side