2018 has been a terrible year for computer security, and playing games on a computer isn’t all fun and games any more. In this article I’ll look at some of the security challenges of downloading and installing games from developers you have no reason to trust through the Steam Store. I’ll then explore how recent advancements in security on the Linux desktop have now made it a more secure environment to run untrusted software and games than the more popular macOS and Windows 10 operating systems.
Steam is an online games store and game-library-as-a-service vendor popular among millions of customers worldwide. The nature of the service means that Steam is selling and distributing executable programs that may be malicious. We can only assume that Steam takes great care not to allow malicious code onto their platform. However, this is almost impossible to achieve on relatively open platforms like macOS, Windows, and indeed the Linux desktop.
Steam Store security is far from perfect
Valve’s task is to police its catalog of over 29 200 games, many of which are still periodically updated by their developers and also receive add-ons developed by an army of third-party developers known as “modders”. Calling it quite the challenge is a massive understatement. 2018 hasn’t been a good year for customer trust in the Steam platform’s ability to detect and block malicious code from getting onto their store.
In , a game add-on developer bundled a utility program designed to steal users’ passwords from the Chrome web browser in what the developer described as an anti-piracy protection mechanism. This should obviously never have been allowed on the Steam Store, but there are no inherent protections against this type of behavior from software.
Valve’s own Anti-Cheat System (VAC) is also known for rummaging around on your hard drive looking at installed programs, recent downloads, and even your domain name system (DNS) resolver cache/history trying to identify known cheat programs.
In , only one month after Steam said they’d change their moderation policies to “allow everything onto the Steam Store”, a game shipped an embedded crypto-currency miner, exploiting customers’ computer resources to mine for virtual gold. Steam’s content moderation policy change may have been aimed at adult-themed and controversial game content, but the crypto-currency miner would possibly also have been noticed more easily by a human reviewer spending a few minutes with the game itself.
The old moderation process wasn’t bulletproof either. In 2016, a security researcher masquerading as a game developer was able to approve and publish his own game, Watch Paint Dry, on the Steam Store, completely bypassing Steam’s content moderation process.
Anti-cheat protection systems, digital copy protection systems, as well as outright malicious software should not have full system access! Ideally, you’d want to use a dedicated computer that you don’t use for anything else. However, this requires additional hardware, additional space, and can be cost-prohibitive. You can use an operating system like Qubes OS that isolates everything you do in separate virtual systems. This requires specific and expensive hardware and has a steep learning curve and possibly a large performance cost. So what can we do instead?
Isolating Steam games from the rest of the system
Remember how much fun you had playing in a sandbox when you were a child? It’s not been much fun as an adult, but recent security-software enhancements have made it possible to enjoy your Steam game library on Linux from the security of a confined sandbox.
What that means in practice is that properly sandboxed software or a properly sandboxed game won’t be able to do the sorts of things traditional unrestricted software was capable of. E.g. it couldn’t steal your web browser passwords or rummage through your emails or personal files; it wouldn’t have any access to them and wouldn’t even be aware of other software you had installed on your system. Unless the sandbox technology itself is broken and bypassed, you should be more secure without really noticing any differences in how the software works.
Apps and games distributed through the Mac App Store on macOS, and to some extent “modern apps” distributed through the Windows Store on Windows 10, have stronger sandboxing restrictions on what they can do compared to games downloaded through Steam. You can’t know for sure that a game you buy will be sandboxed, however. Neither store has seen much interest from either players or game publishers. Steam offers more advantages to customers than these other stores, such as paying one time for a game and being able to play the game on Linux, macOS, and Windows on a single license. Steam itself doesn’t have any built-in security sandboxing technology, however.
On Linux, on the other hand, the platform hasn’t bothered waiting for developers to adopt the latest security-enhancing technologies. You can now install Steam for Linux in Flatpak, an emerging distribution method for Linux software that comes with support for containerized/sandboxed software.
Steam itself and any games you install through Steam running in Flatpak will be restricted to a very limited environment. Instead of having access to your entire system and all your files, games will be limited to interfering with only what is installed in the same sandbox, such as Steam and other games. A game can ship an update that will try to steal your passwords, but it won’t be able to even see your personal files or even which web browser you’ve installed. Steam and games get read-only access to your personal Music folder for use with the Steam music player and in-game music players, as well as the Pictures folder for storing screenshots. So you may not want to store your … extra private photos … in the Pictures folder. Other files and folders are strictly off limits, however.
This isn’t perfect security, as there is no such thing as perfect security. Games can still access hardware like game controllers and your graphics processor, so there are plenty of possible ways to go around the sandbox. Someone may find a way to get around the system and gain access to my personal files.
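To check what a Flatpak sandbox really exposes, you can audit its permission list. The following is an added example, not part of the original article: it parses the keyfile format printed by `flatpak info --show-permissions <app-id>` and flags broad or writable filesystem grants and full device access. The sample permissions are constructed to mirror the description above and are not copied from the real Steam package.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not the real Steam manifest.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=xdg-music:ro;xdg-pictures:ro;
"""

# Filesystem grants that expose most or all of the user's files.
BROAD = {"host", "home"}


def split_list(value):
    """Flatpak keyfile lists are ';'-separated with a trailing ';'."""
    return [item for item in value.split(";") if item]


def audit(permissions_text):
    """Return (grants, findings) for a Flatpak permissions keyfile."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(permissions_text)
    context = parser["Context"] if parser.has_section("Context") else {}

    grants, findings = {}, []
    for entry in split_list(context.get("filesystems", "")):
        if entry.startswith("!"):
            continue  # a negated entry removes access, nothing to flag
        path, _, mode = entry.partition(":")
        mode = mode or "rw"  # no suffix means read-write
        grants[path] = mode
        if path in BROAD:
            findings.append(f"{path}: exposes personal files ({mode})")
        elif mode != "ro":
            findings.append(f"{path}: writable from inside the sandbox")
    if "all" in split_list(context.get("devices", "")):
        findings.append("devices=all: every device node is reachable")
    return grants, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PERMISSIONS)[1]:
        print(finding)
```

A grant you don't want can be removed per user with `flatpak override --user --nofilesystem=xdg-pictures <app-id>`.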
Gaming in a Flatpak sandbox on Linux offers an unparalleled layer of security compared to other operating systems. I feel a whole lot more confident playing games on a system that I use for other purposes when my games live off in their own little corner with limited access to the rest of the system. Yes, there are more games available for Windows — but that feels less important when you consider that every single one of them could be an avenue for someone to run malicious code or run off with your passwords and personal files.
PS: I’ve previously covered an issue where Steam Cloud syncing wouldn’t work with Flatpak. That issue has since been fixed, which was the main issue holding me back from recommending that people install Steam and play games in a Flatpak container.