What Kernel-Level Anti-Cheat Is and Why You Should Care
Cheating in online video games is becoming a more and more serious offense in the eyes of game developers and, of course, in the eyes of the actual gamers. Gamers often spend large amounts of money to buy the game or on in-game purchases, and when someone cheats they have every right to feel angry and demand that things change. Sure, many games use various anti-cheat tools, but the mere fact that cheating is still a major issue in gaming indicates that these tools have not been that successful on a large scale.
Game developers say they were listening to their fans, and a new anti-cheat concept was born: kernel-level anti-cheat tools. You’d expect this solution to make gamers happy and end cheating once and for all, but as things have unfolded that is certainly not the case. The introduction of such software merely led to gamers’ outrage and a massive number of negative reviews and comments left for games that decided to implement this technology. Some of it is indeed justified, as a number of developers behind games with this tech have a questionable history, and after all your digital rights are at stake here.
Panicking over kernels
With Vanguard, Riot would like to patch up this hole with a kernel-level driver that can hopefully detect any and all abnormalities running at the user level. That doesn’t make the game impervious to other kernel-level attacks, of course, but it “requires a different (more strenuous) approach from cheat developers to attack,” Riot anti-cheat lead Paul Chamberlain told Ars in an email.
“For cheat developers operating at the kernel level, they need to work around the restrictions Microsoft places on kernel level software,” he continued. “This extra work reduces the incentives for cheat developers because their cheats become harder to make, less convenient for players to install and just overall less profitable to sell. We don’t expect that any protection will remain unbreached forever but Vanguard’s protections are strong, and as cheat developers’ tactics evolve, so will ours.”
Despite some alarming discussions on worrisome threads around the Internet, this kind of system isn’t actually that uncommon in gaming these days. Battleye, a third-party anti-cheat tool used to protect games ranging from Fortnite to Ark: Survival Evolved, also sells itself as a “fully proactive kernel-based protection system,” for instance.
“This isn’t giving us any surveillance capability we didn’t already have,” Riot noted in its blog post (using language that isn’t exactly comforting on its own). “If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure).”
“The Vanguard driver does not collect or send any information about your computer back to us,” Riot anti-cheat lead Paul Chamberlain added in a Reddit post this week. “Any cheat detection scans will be run by the non-driver component only when the game is running.”
Why are you telling me this?
Well historically, your favorite anti-cheat team has been forced to play this game from the user-level, effectively giving cheaters a much-needed, twelve-stroke handicap. We haven’t needed both arms yet, primarily because we have the advantage of steady paychecks and the lack of strict bedtimes at our immediate disposal. But as much as we might like the idea of an ever-escalating appsec war with teenagers, we’re now entering a multi-game universe where linear time and sleep deficits will make this particular strategy untenable.
This is why some of Riot’s future titles will be protected by a kernel driver.
How Have Gamers Responded?
As we have already mentioned, gamers were far from happy to see such anti-cheat solutions bundled with their favorite games. In many cases they were simply forced to install them, and many gamers probably didn’t even think about the potential risk they might be exposing themselves to. Some even brought up their frustrations with controversial DRM software like SecuROM or StarForce and how kernel-level anti-cheat software might lead down the same road.
In particular, there are three highly popular games whose developers have opted for the kernel-level measure, two of them developed and published by Riot Games.
League of Legends and Valorant
Riot is behind both League of Legends and Valorant on this list, and for them it has deployed Vanguard, its own anti-cheat tool designed to stop cheaters from running high-privilege cheats that Riot’s existing user-level defenses can’t detect.
Riot was pretty open about the whole thing and has issued several statements justifying the decision. On its League of Legends portal, Riot named a couple of reasons why you shouldn’t freak out about this:
- Implementing a kernel-level driver doesn’t give them a new tool to spy on us, since user-mode (Ring 3) code already has that capability.
- Efficient cheats will become more difficult to create and they won’t go unnoticed as they do today.
- Other game companies and third-party anti-cheat tools are already doing it!
Riot also put their money where their mouth is and they’ve promised bounties up to $100K for players who can find security flaws in Vanguard. The details are available on their HackerOne page.
Everything we’ve already mentioned regarding kernel-level anti-cheat applies to Vanguard.
Basically, you have to install it and reboot your PC afterward. Vanguard will then start with your system at every boot and disable drivers it deems potentially vulnerable.
If you disable Vanguard, your PC won’t be trusted and you won’t be able to play Valorant until you re-enable it or reboot. Because of this, some people are uninstalling Vanguard after playing Valorant and reinstalling it when they want to play another session. League of Legends is still not using Vanguard, but announcements have been made and it’s just a matter of time before Riot deploys it there too.
Riot promises that Vanguard is in no way connected to the Internet and that it doesn’t communicate with Riot servers or anything else for that matter.
According to Riot, it doesn’t log data about you or your computer, and its purpose is simply to disable certain drivers. Riot also promised to improve users’ experience with Vanguard and to show a notification each time Vanguard disables a driver. So far this hasn’t worked very well, as many users have complained about the lack of transparency in its notifications.
Vanguard’s reported problems include blocking Core Temp, a temperature monitoring program, from running on the grounds that the app uses a forbidden driver; PC overheating; and mice and keyboards that stop working. The overheating was blamed on overclocking and fan-control apps being blocked from running, since those are the apps that regulate your PC’s temperature. As for Core Temp, mice, and keyboards not working: you probably have a driver Vanguard has a problem with, and if you want to resolve the problem, then tough luck, you’ll need to replace them.
Unfortunately, Riot is right when they say that this isn’t big news.
As mentioned before, EasyAntiCheat, Battleye, and Xigncode3 are all third-party anti-cheat systems that already deploy and operate at kernel level, and they are used by many AAA video game titles.
“A large attack surface for little benefit”
That’s all fine—if you’re going to install any Riot application on your device, at some level, you have to trust it isn’t stealing grandma’s casserole recipe (or that it would be found out if it did). The real risk of installing a kernel-level driver, though, is the level of security exposure it creates on the rest of the system.
At the kernel level, any flaw in Riot’s driver code could cause system-wide, “blue screen of death”-style crashes, as opposed to more localized application-specific glitches. And a serious oversight in the driver, like an exploitable buffer overflow, could let an attacker run their own malicious code at an extremely low privilege ring, where it could be extremely dangerous.
“Whenever you have a driver like that, you’re at risk of introducing security and reliability issues to the computer,” independent security researcher Saleem Rashid told Ars. “You don’t get as many exploit mitigations in device drivers as you do in normal applications, and a bug will crash the entire OS, not just the game.”
“DRM like this probably stops cheating in the very near term, but I’m not convinced it helps in the long run,” Rashid continued. “All it takes is for someone to analyze the driver from outside of Windows and then apply similar techniques they use to defeat other anti-cheat systems. So it looks like it introduces a large attack surface for little benefit.”
Riot: “We would likely be able to respond within hours”
Writing on Reddit, Chamberlain downplayed these risks. “We’re following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn’t run unless the game is running).”
Chamberlain expanded on that statement in an email to Ars: “The primary responsibility of the kernel driver is to create a protected environment for the rest of Vanguard (and the game) to operate in. If the integrity of the anti-cheat system is ensured, then almost everything else can happen entirely in user-mode.”
Chamberlain also told Ars that Riot’s own Application Security team was aided by the services of three separate external security groups to audit Vanguard before it was rolled out. That includes one group that was focused exclusively on the driver and another that performed “black box” attacks on the system from the outside.
And Chamberlain said that Vanguard also has code integrity checks and crash reporting functionality that could alert them to any signs of compromise. “In addition, we have our bug bounty program and good relationships with the game security community and the broader threat intelligence community, so we would be well placed to receive intelligence about potential compromises,” he said.
If a kernel-mode code execution bug were found in Vanguard’s driver, Chamberlain says the system has been set up “to be easy to update on whatever cadence is required (separate from game update cadence) so we would likely be able to respond within hours.” During those hours, Vanguard would be disabled for the game, and players would be instructed to uninstall it in the meantime.
“In extreme cases, we would work with our patcher team to automatically remove Vanguard from all players’ computers,” Chamberlain added. “After we had pushed a fix or removed the driver, we would work with Microsoft to get the vulnerable driver blacklisted.”
So for now, at least, you probably don’t have much to worry about by installing Riot’s anti-cheat driver on your system. But if hackers find any exploitable errors in that driver, users will have to trust that Riot will be able to find and fix them promptly enough to keep their systems safe from attack. And that’s a level of trust Riot seems to be taking pretty seriously, all things considered.
Dan Goodin and Jim Salter contributed to this report.