What kernel–level anti–cheat is and why you should care

Is this the future of cheating prevention?


Cheating in online video games is becoming a more and more serious offense in the eyes of game developers and, of course, in the eyes of the actual gamers. Gamers often spend large amounts of money to either buy the game or for in-game purchases and, when someone cheats, they have the right to feel angry and demand for things to change. Sure, many games use various anti-cheat tools but the mere fact that cheating is a major issue in gaming indicated that these tools were not that successful on a large scale.

Game developers say they were listening to their fans and a new anti-cheat concept was born: kernel-level anti-cheat tools. You’d expect this solution to make gamers happy and end cheating once and for all but as things have unfolded that is certainly not the case. The introduction of such software merely led to gamers’ outrage and a massive number of negative reviews and comments left for games that decided to implement this technology. Some of it is indeed justified as several developers behind games with this tech have a questionable history and after all your digital rights are at stake here.

What is kernel-level anti-cheat?

The most unfamiliar word in its name for most people is “kernel”.

The kernel is the core of your operating system and it runs at the lowest level possible. Essentially, it’s a computer program and it has complete control over your system.

When you turn on your computer, the kernel loads immediately after the bootloader. The kernel’s code has its area in memory and it’s protected from application programs. This means the kernel and the apps you have installed can work in parallel without interference or issues like a browser accessing kernel memory and changing how your operating system works altogether.

If we were to divide system privileges into four rings, from Ring 0 to Ring 3, the kernel’s privileges would belong to Ring 0, Ring 1 and 2 would be occupied by device drivers, and all other apps on your computer would belong to Ring 3, being the least privileged programs on your computer. So, something on a kernel-level is something with high privileges and something you don’t want to go wrong or your system is fried.

Well, several game developers are forcing kernel-level anti-cheat drivers. Apart from the usual anti-cheat client which is active while you play the game and scans what you have running on your computer, the kernel-level driver will load during startup and block certain drivers from loading or running on your computer.

Many other programs on your computer can depend on these drivers so it’s evident that playing a video game will prevent you from using other applications. Such anti-cheat tools often target drivers and software that have access to your hardware, such as overclocking tools, temperature monitors, fan controllers, and, of course, game cheats that also operate on the kernel-level.

Also, it will block drivers with security vulnerabilities that allow cheat developers to load their cheats in the kernel part of memory. Your regular anti-cheat client can’t see a cheat located in a part of memory it can’t access.

Potential risks and problems of kernel-level anti-cheat

Everything sounds great in theory: kernel-level anti-cheat tools disable insecure drivers that can be exploited by cheaters. However, the biggest cause of concern is that the anti-cheat itself can turn out to be vulnerable.

In that scenario, you would, at startup, run a tool located in the kernel memory, the Ring 0 on your computer and its potential vulnerability could be exploited by both cheaters or even worse, people who might just ruin your entire operating system. If a browser or a video game is vulnerable to hackers, it’s one thing. It belongs to Ring 3 with the least privileges and all damage is restricted to that ring. Kernel-level vulnerability costs much more.

Another problem that may appear is that you won’t be able to run certain programs on your computer.

Since your kernel-level anti-cheat will block all drivers it considers vulnerable, all programs that depend on those drivers will fail to run while the anti-cheat is active, and it’s active since the very system boot! False positives are possible but, if your anti-cheat blocks a driver on your PC, you should check if there’s a new version available.

Finally, there have been complaints from users that kernel-level anti-cheat programs decrease their PC’s performance and spoil their gaming experience.

It’s difficult to find any correlation between performance issues and such anti-cheat tools. However, we’ve already mentioned that your overclocking, temperature monitoring and fan speed controlling programs might not work because the drivers they need might be disabled by the anti-cheat. Without these programs that improve your computer’s performance, it’s easy to find the culprit behind many gamer complaints.

How have gamers responded kernel-level anti-cheats?

As we have already mentioned, gamers were far from happy to see such anti-cheat solutions combined with their favorite games. In many cases, they were simply forced to install them and many gamers probably didn’t even think about the potential risk they might be getting themselves into. Some even brought up their frustrations with controversial DRM software like SecuROM or StarForce and how kernel-level anti-cheat software might lead down that road.

In particular, there are three highly popular games whose developers have decided on the kernel-level measure, two of them developed and published by Riot Games.

Riot rolls out Vanguard to League of Legends and Valorant

Riot is behind both League of Legends and Valorant when it comes to games on this list and they have deployed Vanguard, their anti-cheat tool designed to prevent cheaters from deploying high-privilege cheats that can’t be detected using current-level defense mechanisms by Riot.

Riot was pretty open about the whole thing and they have issued several statements where they’ve justified their acts. Riot has named a couple of reasons why you shouldn’t freak out about this on their League of Legends portal:

  • Implementing a kernel-level driver doesn’t give them a new tool to spy on us as the user-mode (Ring 3) already provides for that.
  • Efficient cheats will become more difficult to create and they won’t go unnoticed as they do today.
  • Other game companies and third-party anti-cheat tools are already doing it!

Riot also put their money where their mouth is and they’ve promised bounties up to $100K for players who can find security flaws in Vanguard. The details are available on their HackerOne page.

Everything we’ve already mentioned regarding kernel-level anti-cheat applies to Vanguard.

You have to install it and reboot your PC afterward. Vanguard will then boot each time with your system and disable drivers it deems potentially vulnerable.

If you disable Vanguard, your PC won’t be trusted and you won’t be able to play Valorant until you re-enable it or until you reboot. Because of this, some people are uninstalling Vanguard after playing Valorant and then reinstalling it again when they won’t play another session. League of Legends is still not using Vanguard but announcements have been made and it’s just a matter of time before Riot deploys it.

Riot promises that Vanguard is in no way connected to the Internet and that it doesn’t communicate with Riot servers or anything else for that matter.

According to them, it’s not logging data about your or your computer and its purpose is to simply disable certain drivers. Riot also promised to improve users’ experience with Vanguard and provide notification each time Vanguard disables a driver. This set of features hasn’t been working very well at the moment as many users have complained about the lack of transparency with its notifications.

Vanguard’s reported problems include blocking Core Temp, a temperature monitoring program from running, under the excuse of the app using a forbidden driver, PC overheating, and stopping mice and keyboards from working. Overheating was blamed on the fact that overclocking and fan controlling apps were blocked from running as they would be able to regulate your PC’s temperature. When it comes to Core Temp, mice, and keyboards not working, well, you probably have a driver Vanguard has a problem with and, if you want to resolve the problem, then tough luck, you’ll need to replace them.

Unfortunately, Riot is right when they say that this isn’t big news.

As mentioned before, EasyAntiCheat, Battleye, and Xigncode3 are all third-party anti-cheat systems that already deploy and operate on kernel-level and they are used by many AAA video game titles.

Doom Eternal steps away from Denuvo Anti-Cheat

Doom Eternal seems to be the game that has taken the most backlash when an update later included the installation of Denuvo Anti-Cheat, from the developers of Denuvo Anti-Tamper.

Bethesda, the publisher behind the game, accidentally included a DRM-free executable when the game launched and this may account partly why it took such a heavy-handed approach. The Denuvo update also operates on the kernel-level and the game was review-bombed on Steam with more than 6000 negative reviews written after the news about Denuvo Anti-Cheat was announced.

The negative backlash was successful and lead to the game’s executive producer announcing that the anti-cheat technology will be removed from the game’s PC version with the next update. The major concern among gamers was related to the fact that its installation and running were a must and could not be disabled when the game was not running. Also, some players only wanted to play the campaign but they still had to install and run Denuvo Anti-Cheat. On top of that, players started to notice performance issues, and, of course, they have blamed the anti-cheat for that as well.

The game’s executive producer, Marty Stratton, has responded on Reddit that they will take everything the gamers have complained about into account for future updates as the game will probably return the anti-cheat into play once they have sorted out certain issues. Also, he claimed that performance issues were not related to the anti-cheat and that these issues will be dealt with independently.

There are legit concerns

A kernel-level anti-chat tool going rogue headline would not be the first of its kind, were something to happen to Riot’s Vanguard or Denuvo Anti-Cheat.

In 2013, ESEA, an eSports network, distributed malware along with its anti-cheat client to effectively create a botnet. The malware was a Bitcoin miner and it used the graphics cards of the gamers for mining a total of $3,602.21 before a user posted about it on their forums. Their story is that they created this feature and thought about implementing it. They were testing it on a few accounts and decided to back down but one of their employees used the test code and released the miner for his gain.

Well, it sounds shady, doesn’t it?

It doesn’t end there though. Some of the same employees involved with ESEA’s anti-cheat software are now involved with Vanguard.

Riot itself is not all flowers and sunshine when it comes to its reputation. The company is 100% owned by Tencent, a Chinese technology conglomerate founded in 1998. Tencent has already come under fire for assisting the Chinese government in spying and censoring its people. A hacker revealed that millions of conversations that take place on Tencent’s numerous social media apps like WeChat are available to police in China.

But do people outside of China have something to worry about? There are numerous suspicious behaviors reported regarding Riot and Tencent, some of which esports journalist Richard Lewis has astutely pointed out:

  • Censorship of players in League of Legends regardless of their country and people using the WeChat app outside of China.
  • Failure to disclose the breach of millions of League of Legends accounts and leaked the private information of an unknown amount of players.

While Riot is an American company its parent company must, like all other Chinese companies, cooperate with the government:

All organizations and citizens, must support, assist with, and collaborate in national intelligence work, and guard the national intelligence work secrets they are privy to.

Article 7 of China’s National Intelligence Law

So how can we know for sure that our privacy is safe with Vanguard, or any kernel-level anti-cheat software for that matter, having the highest level of access on our computers?

Unfortunately, you can’t really.

You have to take the company’s word for it and if their history is troubling then why should you?

Ultimately it comes down to whether you value your digital rights or playing the game more.