I recently saw the game called “Bongo Cat” on Steam which monitors yours keystrokes and accordingly plays the bongo drums. I saw that it was not working properly on Wayland because it does not allow the game to record keystrokes from other apps.
This got me thinking; how does Steam Valve protect us from malware? I was searching for “steam games malware” on DDG and found out that there were a few incidents regarding this.
I understand that Steam probably has a robust mechanism for understanding game behavior but it’s kind of a black-box for us.
Is there any independent vulnerability checker for games? How paranoid should one be before downloading games from steam?
PS: I know that as Linux users, most attack vectors don’t work for us but it’s good to be aware just in case.
Edit: I need to clarify. I know Steam is just a game-launcher, it’s not supposed to protect the user after the game is installed. I meant to say how does Valve protect the user from malicious games? Is their mechanism known?
In the sense of isolating games like a mobile app is on a mobile OS or something? It doesn’t, not as it’s installed normally. If you can do something, the game you’re running can. Steam doesn’t isolate individual games, and Steam is not, as it’s normally installed, isolated.
Wayland won’t let a random window on the screen see keystrokes going to others, but because the games aren’t normally running in isolation, they can fiddle with the environment such that they can do whatever. Wayland’s “keystroke” isolation is only useful if the software also can’t muck with your files; it’s intended to be used in conjunction with other forms of isolation.
I understand that it’s possible to use Steam packaged as a flatpak, which will isolate the Steam environment as a unit, including Steam and games.
investigates
https://flathub.org/apps/com.valvesoftware.Steam
Assuming that those are the only filesystem permissions it has — and I don’t have experience with flatpak, so I wouldn’t use me as an authority — then it should prevent anything in the container from doing things like grabbing SSH and GPG keys, stuff like that. A malicious game in the flatpak could still grab your Steam credentials or information from other games and muck with those.
Not an issue if you’re using Wayland, since it’ll be using xwayland, which itself is isolated.
You cannot deny network access to the flatpak, as Steam will need that to work.
Some Steam games can be run outside of Steam, don’t need to talk to it, and for those, you can explore other isolation options. Can maybe cut off network access using
firejailor something like that.Thanks for the detailed response.
I guess if I’m not using Flatpak, the games have access to my entire home directory. Sounds a bit risky, but I trust that Valve is testing the games before releasing the game to the store.
But this seems like a single point of failure.
I have no idea whether they try to audit for malware, but even if they do, it would be difficult to identify malware from just invoking a binary. It’s not uncommon for malware to only become active under specific conditions, precisely to make it harder to identify.