Anti-cheat evolution in Windows 11

Summary

Hello there! As usually, long time not updating the blog (8 months 😟)… good news is that this week I am on vacation, so I have a little more free time. There are two non-AI related technologies that me and my team created in the year 2025 that I wanted to talk about (in these months, everyone seems to talk about AI, but that is another story): The Micro-executive, which allows the OS to updates PTEs on ARM64 respecting the break-before-making rule. An attestable Anti-cheat report, designed to prevent cheat kernel modules to be loaded when a game is running. Since #1 is too much MM state machines, I have decided to go with #2. I can return to #1 in case I will get interest from readers. So what is an attestable report? Before talking about it, we should first give an introduction about how the TPM works, why it is important, and how it could be leveraged to protect against cheaters in competitive video games (I personally love Doom, but far to be competitive 🤣) . So, let’s start by talking about what is a TPM. There is a lot of literature available online that generally describes the TPM, or Trusted Platform Module as a “dedicated security chip that securely stores cryptographic keys and performs cryptographic operations to protect your computer’s hardware and software integrity, acting as a root of trust for the boot process”. This definition is pretty abstract: the reality is that the TPM does a lot of things (interested readers can check the amazing “A practical guide to TPM 2.0” by Will Arthur and David Challenger). This write-up will not describe the TPM in details, but, for the sake of the “anti-cheat” discussion, the TPM: Provides a way for the OS to mathematically prove that certain areas of (boot) code and data have not been tampered with. Provides a way to external (or remote) entities to prove that they are really talking to a real authentic TPM Provides to the OS an hardware mechanism to store encryption keys that can potentially be made available only if...