In the ever-evolving cat-and-mouse battle between cheaters and game developers, Riot Games is taking expanded measures to protect legitimate players in its new tactical combat game Valorant. But Riot’s new Vanguard anti-cheat system—which involves a kernel-level driver that has very low-level access to your system—is raising some eyebrows among both players and security experts.
While the Vanguard anti-cheat client only launches when Valorant is being played, Riot says the system also makes use of a “kernel mode driver” that starts operating as soon as Windows boots up. That’s a big change from Riot’s pre-Vanguard anti-cheat systems, which operated entirely at the more common “user mode” level, just like most Windows executables.
The old anti-cheat system gave cheaters a big advantage, Riot says, since those cheaters could use code-signing holes or Windows corruption exploits to create cheating software that runs at the kernel level. With that more privileged access to the system, those kernel-level cheating tools could make themselves look completely legitimate to user-level anti-cheat tools (which have more limited visibility into the inner workings of the OS).
This was like “effectively giving cheaters a much-needed, twelve-stroke handicap,” Riot said in a February blog post. “We haven’t needed both arms yet, primarily because we have the advantage of steady paychecks and the lack of strict bedtimes at our immediate disposal. But as much as we might like the idea of an ever-escalating appsec war with teenagers, we’re now entering a multi-game universe where linear time and sleep deficits will make this particular strategy untenable.”
Panicking over kernels
With Vanguard, Riot would like to patch up this hole with a kernel-level driver that can hopefully detect any and all abnormalities running at the user level. That doesn’t make the game impervious to other kernel-level attacks, of course, but it “requires a different (more strenuous) approach from cheat developers to attack,” Riot anti-cheat lead Paul Chamberlain told Ars in an email.
“For cheat developers operating at the kernel level, they need to work around the restrictions Microsoft places on kernel level software,” he continued. “This extra work reduces the incentives for cheat developers because their cheats become harder to make, less convenient for players to install and just overall less profitable to sell… We don’t expect that any protection will remain unbreached forever but Vanguard’s protections are strong, and as cheat developers’ tactics evolve, so will ours.”
Despite some alarming discussions on worrisome threads around the Internet, this kind of system isn’t actually that uncommon in gaming these days. Battleye, a third-party anti-cheat tool used to protect games from Fortnite and Ark: Survival Evolved, also sells itself as a “fully proactive kernel-based protection system,” for instance.
Still, granting such high-level OS access to a game maker can make some users nervous, especially if they remember Sony’s rootkit DRM debacle from 2005. So Riot is doing its best to assure users that they have nothing to fear from granting such high system privileges to the company’s protection tool.
“This isn’t giving us any surveillance capability we didn’t already have,” Riot noted in its blog post (using language that isn’t exactly comforting on its own). “If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure).”
“The Vanguard driver does not collect or send any information about your computer back to us,” Riot Anti-cheat lead Paul Chamberlain added in a Reddit post this week. “Any cheat detection scans will be run by the non-driver component only when the game is running.”
“A large attack surface for little benefit”
That’s all fine—if you’re going to install any Riot application on your device, at some level, you have to trust it isn’t stealing grandma’s casserole recipe (or that it would be found out if it did). The real risk of installing a kernel-level driver, though, is the level of security exposure it creates on the rest of the system.
At the kernel level, any flaws in Riot’s driver code could create system-wide, “blue screen of death”-style crashes, as opposed to more localized application-specific glitches. And a serious oversight in the driver, like a buffer overflow exploit, could let an attacker install their own malicious code at an extremely low level, where it could be extremely dangerous.
“Whenever you have a driver like that, you’re at risk of introducing security and reliability issues to the computer,” independent security researcher Saleem Rashid told Ars. “You don’t get as many exploit mitigations in device drivers as you do in normal applications, and a bug will crash the entire OS, not just the game.”
“DRM like this probably stops cheating in the very near term, but I’m not convinced it helps in the long run,” Rashid continued. “All it takes is for someone to analyze the driver from outside of Windows and then apply similar techniques they use to defeat other anti-cheat systems. So it looks like it introduces a large attack surface for little benefit.”
Riot: “We would likely be able to respond within hours”
Writing on Reddit, Chamberlain downplayed these risks. “We’re… following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn’t run unless the game is running).”
Chamberlain expanded on that statement in an email to Ars: “The primary responsibility of the kernel driver is to create a protected environment for the rest of Vanguard (and the game) to operate in. If the integrity of the anti-cheat system is ensured, then almost everything else can happen entirely in user-mode.”
Chamberlain also told Ars that Riot’s own Application Security team was aided by the services of three separate external security groups to audit Vanguard before it was rolled out. That includes one group that was focused exclusively on the driver and another that performed “black box” attacks on the system from the outside.
And Chamberlain said that Vanguard also has code integrity checks and crash reporting functionality that could alert them to any signs of compromise. “In addition, we have our bug bounty program and good relationships with the game security community and the broader threat intelligence community, so we would be well placed to receive intelligence about potential compromises,” he said.
We would work with Microsoft to get [any] vulnerable driver blacklisted.
If a kernel-mode code execution bug was found in Vanguard’s drivers, Chamberlain says the system has been set up “to be easy to update on whatever cadence is required (separate from game update cadence) so we would likely be able to respond within hours.” During those hours, Vanguard would be disabled on the game, and players would be instructed to uninstall it in the meantime.
“In extreme cases, we would work with our patcher team to automatically remove Vanguard from all players’ computers,” Chamberlain added. “After we had pushed a fix or removed the driver, we would work with Microsoft to get the vulnerable driver blacklisted.”
So for now, at least, you probably don’t have much to worry about by installing Riot’s anti-cheat driver on your system. But if hackers find any exploitable errors in that driver, users will have to trust that Riot will be able to find and fix them promptly enough to keep their systems safe from attack. And that’s a level of trust Riot seems to be taking pretty seriously, all things considered.
Dan Goodin and Jim Salter contributed to this report.