Roblox Security Changes Break Nvidia Ansel & Vulkan Layer Support

I haven’t had any issues with Vulkan, but I have heard reports of people running into problems with it on laptops that have AMD’s integrated graphics and Nvidia’s dedicated graphics.

Otherwise, if you’re running an Intel and Nvidia system on a desktop or laptop, or an AMD CPU without integrated graphics paired with an Nvidia GPU, it’s relatively fine.

The only issue I had with it was not being able to exit full screen. Once you enter full screen, you can’t undo it unless you switch back to DirectX 11.

Roblox has support for Vulkan because of their Android client, but I’m not entirely sure why they still support OpenGL. It’s pretty old at this point, and I’m not really sure what’s even using it anymore. It also performs worse compared to the other APIs available on Windows.

It’s probably just used as a legacy fallback in case of software issues or for outdated hardware.

Otherwise, their Vulkan support is relatively good on Windows, aside from a few small issues.

It’s also protected by their anti-tamper system, just like DirectX and OpenGL are. However, Vulkan gives more flexibility for applications like OBS game capture without compromising security, unlike DirectX, because you don’t need to write hooks to capture Vulkan internally, which is what OBS game capture took advantage of before the updated code signing requirements.

I used to be able to run Vulkan fine before (only issue I suffered from is screen tearing), however I can’t say the same for now. It would completely crash when I force enable Vulkan. This only started happening after hyperion was added on the Windows client. I have a laptop with an Intel CPU with integrated graphics and a Nvidia discrete GPU.

I am not sure about the claim that Vulkan support is good for Windows because it never was meant to work there. It never got optimized or made to work there. It would be great for Roblox to fully deprecate OpenGL and either add official support to Vulkan on Windows or support DirectX12 or even both.

Being competitive is not the reason most people cheat.

Adding onto that, there are a lot of competitive games.

I’m not necessarily sure if I explained it correctly, but I meant to say that I believe most people cheat to be disruptive, not competitive; they just want to ruin the experience of others on the platform. That’s why I included a natural disaster example.

I don’t think buffer access can be put in the same category as the users using destructive exploits on games like Natural Disaster, where they can fling everyone over and over again. I can still see it being a potential issue in some experiences on the platform, though, and that’s why I think Roblox should offer a separate client for competitive experiences.

the only thing i can say is: well no shit, it’s a live service game

i don’t think anyone should be surpised this was eventually gonna be canned. sure there is use-cases, but it was always a grey area.

there is an opportunity to cheat given how some of the top roblox games are competitive shooters, which may be used in future events with a prize incentive.

because reshade is most likely not coming back, file a feature request to add some of reshade’s shaders in, along with a “cinematic mode” feature

While that is true, Roblox is a massive platform. Yes, there are a lot of competitive games, but I believe there are even more role-playing or simulator-type games that could benefit from custom shaders.

I don’t think security on Roblox should be treated as a one-size-fits-all solution, because it’s a unique platform with a ton of different experiences on it.

At some point, if the policy doesn’t change, Roblox has to keep restricting things. It’s not unlikely that Roblox might eventually release a competitive version of the client.

Right now, though, I think it’s more of a policy issue. Like others have mentioned, I think bans should be more harsh. In my personal opinion, they should be longer, or even permanent. Roblox probably doesn’t want to terminate accounts, but they could still make bans significantly longer to hopefully deter people from cheating. That said, I could be completely wrong about that and how their policy works.

I also don’t think a kernel driver is necessarily a bad idea for competitive experiences. It would make it a lot more costly for bad actors to come up with something viable that’s widely available to non-technical users.

It would be relatively difficult to develop a kernel cheat because of Microsoft’s Windows 11 hardware requirements and the requirements of other games that use kernel anti-cheat like TPM 2.0 and Secure Boot. That kind of stuff is likely going to become even more normalized over time.

Even though someone can technically disable Secure Boot on their computer, they might not know how to, or it might just be too much of a hassle. That could end up being a good enough hurdle to hurt people trying to sell an exploit that bypasses the requirements in the future.

My post was more-so focused towards losing OG BloxShade, OBS game capture, and now shaders.

There are more paid Windows executors right now than there were before Hyperion even came out, I’m sure you understand why this is frustrating to see.

22 executors in total, 11 of which are updated and functional as of right now, and an additional 12 external “ESP” type cheats, all of which Hyperion has proven capable of detecting at this very moment.

I can’t say I’m a fan of Hyperion blowing up passionate community projects in the name of “security”, and yet they can’t/don’t even act upon the detections they have.

What you’re suggesting is impractical, and I wasn’t asking for ReShade itself to come back.

I was developing a Vulkan layer to provide the depth buffer and back buffer information to an external overlay, where ReShade runs in its own isolated and sandboxed environment outside of Roblox. At a fundamental level, it only needs two things: a depth texture and a back buffer to use as a light map.

Also, very few people can actually make a future request, including me—that’s not something I can do, and it’s not really practical on Roblox’s part. Roblox can’t just add in ReShade shaders for various reasons, including copyright.

First of all, ReShade uses its own shading language called “ReShade FX,” which means it has its own compiler. The shaders written in that language are made by individual developers with GitHub repos, and some of those aren’t even licensed.

Bloxshade is only possible because the installer fetches those files directly from GitHub, which complies with copyright laws.

I also know a lot of the developers—some of them are individual contractors or even former Nvidia employees. It’s highly impractical to integrate ReShade directly into Roblox or provide official support, mostly because of the copyright issues and also because of how its compiler and programming language is implemented.

On top of that, ReShade itself, including its compiler, is licensed under a BSD-3-Clause license, which adds even more complications.

ReShade, OBS Game Capture, and other similar software have had their code signing signatures whitelisted by anti-cheat vendors like Easy Anti-Cheat and BattlEye. Roblox limiting code signing to just Microsoft and themselves is kind of absurd and overreaching.

If they had instead whitelisted trusted vendors—like Nvidia, the OBS Project, etc.—without giving them any special privileges beyond their code signing signature, a lot of this functionality could have remained supported without breaking things. And if a certificate was ever abused, Roblox could remove that certificate from the whitelist.

If Roblox can whitelist fast flags, I don’t see why this isn’t viable or why it can’t at least be tested since this has been done by other anti-cheat vendors in the past.

Also, some of the developers in the ReShade community were aware of what I was developing for Roblox. At the time, since code signing was the only real requirement, it was believed that sandboxing ReShade would be the best approach.

At no point did ReShade ever run directly on Roblox. It was completely sandboxed in its external window. The Vulkan layer simply provided a depth texture and back buffer image to that external app—just like OBS Game Capture provides a back buffer to OBS.

To add to what I said earlier, literally anything can be used to cheat and would be significantly more efficient than a depth texture.

It would only be practical in niche scenarios, like horror games or dark environments. I don’t see it being useful in a competitive shooter game on Roblox, like Arsenal, because you wouldn’t even have a crosshair. And if you’ve ever played like that, it’s genuinely terrible.

If you tried it for even 30 seconds, you’d see how impractical it is. Like I said before, the benefits far outweigh the negative impact it might have.

It’s not disruptive, unlike most of the exploits that currently exist for the platform. A depth texture isn’t going to let someone fling everyone in a server like in Natural Disaster, and it’s not going to give them aim or wallhacks in Arsenal either.

Is it not? What is the reason then? 99% of cheating cases were all due to someone wanting an competitive advantage over other people. Sure yeah on roblox there’s also people who exploit just to troll random children but considering how crippled exploits are these days (and with how the whole exploit trolling scene got nuked in 2017), trolling does not seem like it could stand as even anywhere close to the main reason for cheating.

Hey bitdancer,

I get that all of this stuff, shaders, FFlags aren’t officialy or natively supported by roblox, however most of these features are actually good and I feel that they should be official. For example, FFlags can be used for multiple performance increases, that simply sliding down a graphics bar can’t replicate.

I think that just because a few FFlags are being used for exploits, we don’t have to remove and restrict all of them. Same thing with shaders, just because exploits exist doesn’t mean we should loose shaders

TLDR; there’s no foolproof way to fully prevent somebody from abusing a feature in the first place. A ton of people use FFlags to improve performance, modify settings that we don’t have, etc. Most people who use FFlags use them for their intended reasons, and not for exploiting. Same thing with shaders. There’s probably a person or two who uses them to hide fog, but everybody else uses it to improve their own experience. Roblox’s lighting/settings system are both lackluster, with little to no customization. It’s the opposite of intuitive, and FFlags help with this issue because they let us customize our experience more. Now, I get that there are vulnerabilities. However, every good thing has a catch. The community has been in shambles trying to improve the experience of Robloxians. These are features that we have wanted for years, but we never got. The community stepped in to help, with things like Bloxstrap and Shaders. They aren’t malicious- they are made to make the experience of a player better.

I came up with a possible solution to this issue. Only a little amount of games on Roblox are affected by the FFlags and Shader vulnerability issues. So instead of removing them entirely, have developers be able to choose whether they want to allow FFlags or not. Maybe even add some FFlags as official settings! Not only would this fix multiple problems, it would allow games like showcases to shine even more.

I feel that it’s either this, or built in shaders. Roblox’s lighting sucks. The last major update that we got from lighting was from 2019-2020 Post processing effects. Like uhhh… bloom? Yeah, nobody really cares about that. We want shaders. We want comprehensive and intuitive settings. So many people use FFlags, so many people use shaders. The community wants this. It’s not a question. Even people like Kreekcraft have used shaders (and he uses FFlags too!)
Thank you for reading all of this.

Have you read the entire thing yet?

Nope, but I just wanted to say if you wanted to add something regarding FFlags It’s better you’d directly say it in that specific thread, not trying to come off as rude but bitdancer already said it

As far as I know, fast flags aren’t being removed, but they are going to be limited—meaning there will be a whitelist of fast flags.

I don’t know if that whitelist includes rendering APIs like Vulkan, but hopefully, it does.

Also, there still hasn’t been a clear conclusion about Vulkan layers and the code signing requirements. It’s pretty unfortunate, but I wouldn’t be too worried about fast flags being completely removed since that seems unlikely.

Bitdancer even mentioned that there will likely be a whitelist, though he isn’t allowed to make a solid promise, so I’m not 100% sure either way.

https://x.com/RealBitdancer/status/1916430098569498688

image613×530 48.9 KB

Apologies. I didn’t see that since I don’t actively follow that thread. Thank you for the clarification.

Alright. I honestly think that they should add “advanced settings” for whitelisted fast flags, but that’s just my opinion

There is a solution that could fix the issues users are having with Nvidia Replay and OBS game capture for Vulkan.

Traditional code signing certificates have a static serial number that stays the same throughout the certificate’s lifetime. This applies to Roblox’s modules and executables, Nvidia Replay, or any module that uses a traditional certificate. But this doesn’t apply to Microsoft’s Azure Trusted Signing, which issues short-lived certificates with different serial numbers though those aren’t currently used by Nvidia, the OBS Project, or any major corporations.

I also don’t think there should be any special privileges beyond just allowing the module to load. For example, if OBS game capture doesn’t work with DirectX 11, it shouldn’t be given special treatment; users would just have to use Vulkan instead. As far as I know, Nvidia Replay works with both Vulkan and DirectX, so that shouldn’t be an issue either.

This isn’t anything new. Anti-cheat vendors like Easy Anti-Cheat and BattlEye have implemented similar measures before, and Roblox could consider doing the same. There are also additional metadata checks Roblox can perform alongside this to make it a more secure and robust solution.

It would give Roblox direct control over what modules are allowed to load, and if needed, they could block a specific serial number down the line. Roblox is already planning to whitelist certain fast flags. I don’t see why this can’t also be done for certificates.

Doing this would directly address community concerns since Roblox would retain full control over what’s allowed and what isn’t. I think, at the very least, they should test it first with Nvidia’s certificate. If that goes well, maybe they can expand support to other trusted signatures that use a static serial number and help resolve the issues users are having with things like Nvidia Replay.

Again, this isn’t anything new. Other vendors have done this, and Roblox already has a custom implementation to check code signing certificates so I don’t see any reason why this can’t be done. It shouldn’t pose any major security risk either, since Roblox would have full control over it.

There likely are better solutions to this, but this is just an idea I had, so I felt like sharing it.

image942×738 148 KB