Roblox Security Changes Break Nvidia Ansel & Vulkan Layer Support

Not everyone has the ability to do that

I agree, i feel like this is insane considering how little their changes actually helped. I hope that they can allow bloxshade soon

I’d say them providing dedicated support for something like Bloxshade is less likely to happen than if they were to just ease up on the restrictions they put that caused Bloxshade to disfunction. So although it might’ve been unintended, there’s no way they’ll go out of their way to put resources in something other than the platform, there’s already hardly any feedback from them on topics like these nowadays.

Security should nearly never be prioritized over user experience. Exploits continue finding bypasses due to their profitability, but software like this will never have the sole purpose of profit. This in turn lowers the user experience of hundreds of thousands on this platform.

This is a great point. I don’t believe the new restrictions have significantly improved security. Most exploits are not concerned with code signing or following the rules. Additionally, I doubt the latest code signing restrictions had the intended effect, as many would bypass them regardless or were already circumventing them in the first place.

The recent code signing restrictions have also broken support for NVIDIA Replay, as it turns out. I believe it has broken support for a lot of harmless software, and the changes are doing more harm than good.

This is a sad thing to see. It’s Roblox actively hurting the user experience. My hope is that this doesn’t extend to other third party things in the future (like Bloxstrap).

Hello Extravi,

Signing has been tightened up because previously, less restricted signing was being used by a large number of cheats to circumvent Hyperion.

As for Nvidia Ansel, I think it should be obvious that pretending to be a different game to enable certain features is not a scenario we can support.

Last but not least, shaders have been used for cheating, and allowing custom shaders without having any control over them opens the door to all kinds of exploits. Also, and this is a point I do not like to emphasize too much if I can avoid it, but here we go anyway, RoShade violates the TOS, so strictly speaking, we shouldn’t allow it in the first place.

Seeing community members being unhappy with stricter signing requirements while also being unhappy with the amount of cheating on Roblox is somewhat of a conundrum. Security doesn’t come for free.

We cannot tighten up security and at the same time be more lenient on it. There are several ideas and proposals in flight to solve this issue in a satisfying manner, but it is too early to publicly comment on them just yet.

Any plans to allow things like OBS Game Capture sometime in the future?

Yes, there are options that are currently being evaluated.

I am sure you can understand that the reason that people are unhappy has little to do with improved security measures and a lot to do with the fact that, despite these measures, exploiting continues to grow month-over-month. Exploiters are handed out 1-day bans every few months without any alt-detection while normal players are handed out ‘enforcement bans’ for logging in at school. This has been pointed out for over a year now and despite that, we continue to lose compatibility with things like shaders while the situation does not improve.

Players would likely be more receptive and understanding of these changes if we saw improvements to cheating metrics, but knowing that your teams aren’t even allowed to issue meaningful punishments makes it hard to agree that these are beneficial security improvements.

KreekCraft stated it perfectly here: https://youtu.be/cl2__gC-EDc?t=9718

I feel like the anti-cheat has broken more things to me than it has helped me. We still got all these hackers that have been going on for two-and-a-half years which the anti-cheat has done absolutely nothing about. The anti-cheat has broken Roblox in OBS. It has broken Roblox shaders. It has broken that one tool youtubers used. It broke Linux support. I’m going to be honest, I feel like the anti-cheat hasn’t really done much to help me, it just keeps breaking my stuff and I keep seeing hackers so…

Hello, I appreciate your response. I am currently on mobile typing my reply, so I apologize for any formatting issues. I believe that you have RoShade and ReShade mixed up. RoShade was a ReShade installer, and Nvidia Ansel is built upon ReShade because the owner and developer of ReShade is an employee at Nvidia. Also, I don’t believe that shaders can be used to cheat in an impactful way. I believe you’re most likely referring to the use of depth buffers, which usually breaks UI elements and sometimes dark environments, and I could see why that is a potential issue, but I believe the benefits far outweigh the negatives when it comes to content creation and the community overall. Alongside that, I wasn’t trying to run ReShade directly on Roblox; I was writing a capture utility that was a Vulkan layer that would copy the game’s rendered frame and the depth texture to an external overlay. It was in development and functional up until the recent code signing requirements. If it is an issue, you could restrict the use of those modules on certain experiences, allowing developers to opt-out, preventing the use of any third-party modules on the client in those experiences, like, for example, OBS game capture, which is very similar to what I was developing except for the depth texture. I can’t go into many details right now but I wanted to respond in the meantime. Thank you, and I appreciate your response.

To add on to this remark, the usage of the Vulkan overlay was to make sure that any shader software stayed within a boundary that prevented it from directly tampering with the client to not bring on any sort of security risk.

Yes, and this was the intended goal; that’s why I say it is similar to OBS game capture, but instead of just copying the frame, I would also copy the depth texture.

I can see why the community is unhappy. There should be a balance between client security and user experience. As of recently, Roblox has been trading off user experience for client security. Roblox’s security measures are intended to provide a better experience for all users on the platform who intend to play without harming the experience of others, but in the same light, the client shouldn’t be overly restrictive, harming the experience of users who are trying to play legitimately.

The recent changes targeted towards exploiters are to the detriment of the community, breaking compatibility for applications like Nvidia Replay and Nvidia Ansel and possibly software on AMD and Intel’s platforms.

Just because something can be used to cheat doesn’t mean it should be banned outright. For example, you can use WGC (Windows Graphics Capture) to capture the window and feed it into an AI to create an aimbot. Does that mean external screen recording should be banned outright as a result?

We can also apply the same logic to Sober on Linux. Sober utilizes an x86-64 build of Roblox’s Android application underneath Linux. You could consider that a possible attack vector and outright block it because the client is inherently less secure than running on Windows. Doesn’t that mean that Sober should also be banned and that Linux players should be outright blocked from playing Roblox?

You could also adjust how saturated and vibrant your monitor is and also adjust the brightness. This can be done on the display itself or within the Nvidia control panel. Couldn’t that be considered a potential cheat vector because when it comes to shaders, the primary target demographic are people who are usually interested in visual photography or visual arts or content creators on social media platforms like TikTok and YouTube Shorts?

The community isn’t happy because there isn’t a proper balance. Roblox is a diverse platform with many different experiences that players can enjoy, anything from high-detail and impressive showcases to low-poly simulator games, and many users, content creators, and anyone interested in photography or digital art may be interested in using shaders on Roblox because it is a diverse platform and an impressive game engine.

Yes, you are right; it technically can be used to cheat by adjusting the brightness and saturation or displaying the depth buffer, but at what cost? Sure, someone might have an easier time seeing in the dark in a horror game, but that is an extremely small percentage of users, and most people in the community are unhappy regarding these changes.

Bloxshade has the largest community on Discord for shaders, larger than any Minecraft community, at 94,000 members, but there are exploiting communities on Discord with far more members. I don’t believe shaders should be the target of exploit prevention or depth buffer when it has been more of a net positive to the overall community rather than these recent changes.

Using shaders on Roblox isn’t going to enable the ability to use fly hacks, wallhacks or anything like that just because something can technically be used to your advantage in very niche scenarios such as horror games doesn’t mean it should be treated as an outright exploit.

I’m sure developers are far more concerned that the exploiting community is growing month over month where it is possible to use fly hacks, wallhacks and so on. I believe that the recent security changes while intended to be a net positive for the community have been anything but that.

The community doesn’t want a less secure client, they just want a proper balance between security and usability now users cannot use OBS game capture, they cannot use shaders, they cannot use Nvidia Replay and possibly they cannot use stuff related to AMD and Intel’s platforms.

Many of Roblox’s star creators have voiced their own opinions and very likely can share similar opinions to me regarding this topic. For example, SharkBlox made a video today because he can no longer use Nvidia Replay on Roblox because of the recent changes, and KreekCraft has also voiced his opinion regarding this matter, and he’s a star creator who used shaders.

Most users on the platform likely see the recent changes as more detrimental than beneficial. There are more pressing issues than shaders on Roblox, considering the demographic and user base. Just because something can be used for cheating doesn’t necessarily mean it is, and it doesn’t necessarily mean the negatives outweigh the positives, causing more harm than good, which isn’t the case in this scenario.

Kreekcraft’s statement: https://youtu.be/cl2__gC-EDc?t=9718

I feel like the anti-cheat has broken more things to me than it has helped me. We still got all these hackers that have been going on for two-and-a-half years which the anti-cheat has done absolutely nothing about. The anti-cheat has broken Roblox in OBS. It has broken Roblox shaders. It has broken that one tool youtubers used. It broke Linux support. I’m going to be honest, I feel like the anti-cheat hasn’t really done much to help me, it just keeps breaking my stuff and I keep seeing hackers so…

SharkBlox’s statement (from what he read from the forum): https://youtu.be/nz6LkaMsCcs?t=262

Security should nearly never be prioritized over user experience. Exploits continue finding bypasses due to their profitability, but software like this will never have the sole purpose of profit. This in turn lowers the user experience of hundreds of thousands on this platform.

Beautifully said.

image1344×1344 87.5 KB

I was following @Extravi1 and watched as every method to get custom shaders working on the client getting patched/broken. These changes seem to perfectly prevent shaders from working while seemingly doing nothing to prevent exploiters. This amazing project has done nothing negative against Roblox and is being patched/broken over a technicality? This just seems like software engineering pretentiousness and patching things that dont need to be patched/changed just for the sake of “patching it” instead of focusing on the actual important things.

Basically this. The actual cheating issue on Roblox has little to do with shaders or screen-reading. It’s an issue of people injecting massive 5000+ line scripts and getting away with it for months before being banned for only one day. The severity of cheats in Roblox is much greater than simple ESPs. These minor things don’t even come to mind when I think of Roblox cheats because they’re so harmless in comparison to the actual issue.

The security team has stated numerous times that almost all executors are detected. Please act on these detections and clean up the platform before breaking more compatibility. Roblox policy regarding this issue is severly lagging behind. Until policy improves, these changes will continue to be a net negative for players.

There is also the idea of a opt-in competitive client. Roblox is a massive platform wth a ton of genres. Not everyone cares about cheating, many just want to enjoy taking cool pictures with shaders. On the other hand, many don’t care about shaders and just want to play their extraction shooter without skids noclipping/aimbotting every lobby. Perhaps this should be re-evaluated as a potential option:

Roblox is a vast and diverse platform, and I believe that experiences on it should have the option to opt out of certain features. If an experience wants to implement stricter security measures, it should be able to disable support for third-party modules such as OBS Game Capture, Nvidia Replay, Nvidia Ansel, and others. Given Roblox’s unique nature, security should not be a one-size-fits-all solution.

When I mention third-party modules, I am referring to those signed by reputable vendors, such as Microsoft Azure’s Trusted Signing. Developers should have the option to choose whether to allow these modules or to opt out entirely, thus preventing any use of unauthorized third-party components.

I’m unsure about the feasibility of implementing this feature or how complicated it might be. However, if it is possible, it should be considered.

This would make things relatively complicated because, for example, you cannot just unload Vulkan layers since they are loaded at runtime by the Vulkan loader. However, if the user is trying to join a restricted experience, they could be prompted to restart the client with more restrictions applied. However, that may not be feasible and could be annoying.

However, if users wanted to deal with that by default, it could potentially be enabled by a fast flag, so if that fast flag isn’t enabled, the strictest settings would be applied by default, and only users who intend to use stuff like Nvidia Replay, OBS Game Capture for Vulkan, and so on will have to deal with that.

If the user were to enable a fast flag like that, that user would have to accept that trade-off, but this way developers can choose whether or not they want to opt out of these changes. This way it wouldn’t be inconvenient for users who don’t want to use third-party modules provided by Nvidia, OBS, and so on. The fast flag, if enabled, will default to allowing modules signed by trusted vendors, and if the user wants to join a more restricted experience, they will have to restart their client, but this shouldn’t be enabled by default for users; that’s why I suggest a fast flag.

Also, because developers may not be explicitly aware of that option, it should be toggled off by default, allowing signed modules; however, if the developer does need more security, they should be able to toggle it on and would likely be aware of the option.

Well thanks for the response at least, it’s good to know where things are at on this topic, but this definitely leaves me big sad. Guess I gotta accept the fact shaders aren’t gonna be coming back, just wish I had recorded more footage with them like in the recent updates for games like Midnight Racing: Tokyo or Crimewave 1986.

Still don’t feel motivated to continue covering games on my channel as much as before knowing how good things could’ve looked and probably won’t for good. Being able to admire games in a new light was a big factor that got me engaged in doing the playthroughs that I do, but I guess I didn’t realize what I had until it was gone, I just thought it was a temporary thing for the hunt event.

Hi, if this is the case, why is Hyperion either not on android, or just absolute rubbish? Every exploiter I see uses mobile. Why not increase the security on android? Or since people exploit on android, lets just remove android, since so much people do that anyways. I mean, you pretty much killed wine because a small amount of linux users exploited, either that or linux users seem the type of people to exploit.