Ars Technica: Ring 0 of fire - Does Riot Games’ new anti-cheat measure go too far?


In the ever-evolving cat-and-mouse battle between cheaters and game developers, Riot Games is taking expanded measures to protect legitimate players in its new tactical combat game Valorant. But Riot's new Vanguard anti-cheat system—which involves a kernel-level driver that has very low-level access to your system—is raising some eyebrows among both players and security experts.

While the Vanguard anti-cheat client only launches when Valorant is being played, Riot says the system also makes use of a "kernel mode driver" that starts operating as soon as Windows boots up. That's a big change from Riot's pre-Vanguard anti-cheat systems, which operated entirely at the more common "user mode" level, just like most Windows executables.
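A practitioner reading this will want to see for themselves which kernel drivers a Windows machine loads before any user-mode program runs, and whether their images are signed. The following is an added example, not code from the Ars Technica article, from Riot, or from Vanguard; it uses only built-in PowerShell cmdlets. The article does not name Vanguard's driver service, so the optional -Name filter is an assumption the caller fills in. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Riot's or Ars Technica's code): enumerate kernel drivers that the
# Service Control Manager starts at boot or during system initialization, and check
# whether each image is Authenticode-signed. The article gives no service name for
# Vanguard's driver, so -Name is an assumption supplied by the caller.
function Get-EarlyStartKernelDriver {
    [CmdletBinding()]
    param(
        # Optional service-name filter (assumption: caller knows it; not stated in the article)
        [string]$Name
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -in @('Boot', 'System') }
    if ($Name) { $drivers = $drivers | Where-Object { $_.Name -eq $Name } }

    foreach ($d in $drivers) {
        # PathName may be an NT-style or relative path; normalise it to a Win32 path.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }

        $sigStatus = 'FileNotFound'
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [PSCustomObject]@{
            Name      = $d.Name
            StartMode = $d.StartMode          # Boot or System: loads before any user-mode process
            Running   = ($d.State -eq 'Running')
            Path      = $path
            Signature = $sigStatus            # Valid / NotSigned / HashMismatch / FileNotFound ...
            Signer    = $signer
        }
    }
}

# Usage: list everything that loads before a user-mode anti-cheat could run,
# with unsigned or tampered images sorted to the top.
Get-EarlyStartKernelDriver |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Name |
    Format-Table Name, StartMode, Running, Signature, Signer -AutoSize
```

Two caveats when reading the output: a driver that reports Stopped may still have been loaded earlier in the boot and then unloaded, and Windows inbox drivers are often catalog-signed rather than carrying an embedded signature, so treat a NotSigned result on a Microsoft-shipped driver as "check the catalog" rather than as evidence of tampering. A HashMismatch on any boot-start driver, or a Valid signature from a signer you do not recognise, is what deserves attention.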

The old anti-cheat system gave cheaters a big advantage, Riot says, since they could use code-signing holes or Windows corruption exploits to load cheating software that runs at the kernel level. With that more privileged access to the system, kernel-level cheats could hide themselves from, or present legitimate-looking state to, user-level anti-cheat tools, which have far less visibility into the inner workings of the OS and must trust what the kernel reports to them.

This was like "effectively giving cheaters a much-needed, twelve-stroke handicap," Riot said in a February blog post. "We haven’t needed both arms yet, primarily because we have the advantage of steady paychecks and the lack of strict bedtimes at our immediate disposal. But as much as we might like the idea of an ever-escalating appsec war with teenagers, we’re now entering a multi-game universe where linear time and sleep deficits will make this particular strategy untenable."

Despite some alarmed discussion in threads around the Internet, this kind of system isn't actually that uncommon in gaming these days. Battleye, a third-party anti-cheat tool used to protect games including Fortnite and Ark: Survival Evolved, also sells itself as a "fully proactive kernel-based protection system," for instance.

"This isn’t giving us any surveillance capability we didn’t already have," Riot noted in its blog post (using language that isn't exactly comforting on its own). "If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure)."

"The Vanguard driver does not collect or send any information about your computer back to us," Riot Anti-cheat lead Paul Chamberlain added in a Reddit post this week. "Any cheat detection scans will be run by the non-driver component only when the game is running."

"Whenever you have a driver like that, you're at risk of introducing security and reliability issues to the computer," independent security researcher Saleem Rashid told Ars. "You don't get as many exploit mitigations in device drivers as you do in normal applications, and a bug will crash the entire OS, not just the game."

"DRM like this probably stops cheating in the very near term, but I'm not convinced it helps in the long run," Rashid continued. "All it takes is for someone to analyze the driver from outside of Windows and then apply similar techniques they use to defeat other anti-cheat systems. So it looks like it introduces a large attack surface for little benefit."

Writing on Reddit, Chamberlain downplayed these risks. "We're... following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn't run unless the game is running)."

Chamberlain expanded on that statement in an email to Ars: "The primary responsibility of the kernel driver is to create a protected environment for the rest of Vanguard (and the game) to operate in. If the integrity of the anti-cheat system is ensured, then almost everything else can happen entirely in user-mode."

Chamberlain also told Ars that Riot's own Application Security team was aided by the services of three separate external security groups to audit Vanguard before it was rolled out. That includes one group that was focused exclusively on the driver and another that performed "black box" attacks on the system from the outside.

And Chamberlain said that Vanguard also has code integrity checks and crash reporting functionality that could alert them to any signs of compromise. "In addition, we have our bug bounty program and good relationships with the game security community and the broader threat intelligence community, so we would be well placed to receive intelligence about potential compromises," he said.