Security Concerns About Kernel-Level Anti-Cheat in Video Games

By Andrew Hyatt

Short Introduction to Anti-Cheat

An anti-cheat can be defined as “software [that] is designed to prevent players of online games from gaining unfair advantage through the use of third-party tools” [1]. This type of software is vital to maintaining a fair playing field in online competitive video games. It is similar to drug testing in sports. To make sure everybody plays fairly, extra steps need to be taken in order to ensure that.

Valve Anti-Cheat ban message

History of Anti-Cheat

Before the early 2000’s, cheaters ran rampant in online games. The company Even Balance, Inc. had just released PunkBuster to combat cheating in Team Fortress Classic. This software was designed to scan the memory of the host computer to make sure no third-party software was being used to gain an unfair advantage. The scan of the computer was then compared to a database in order to locate cheats. This anti-cheat was protected by hashes and ensured that no players were put at risk when using this software. In 2002, Valve, the creators of Team Fortress Classic, developed their own Anti-Cheat called Valve Anti-Cheat (VAC). VAC would become the standard on most games available through Steam, Valve’s game marketplace. New anti-cheats are developed and released all the time nowadays hoping to combat gaming’s biggest problem: cheaters.

PunkBuster, EvenBalance Inc.

Anti-Cheat Arms Race

Like most things involving developing software to combat other software, the anti-cheat arms race was in full effect. In order to combat the growing markets of selling cheats for games, better anti-cheats needed to be developed. VAC, for instance, originally only banned players for one to five years. In 2005, when VAC2 released, these bans became permanent. The number of bans given by VAC increased from just dozens to tens of thousands per week. As anti-cheats became better at detecting and preventing cheats, the cheats became better at avoiding it. Cheats that altered memory or game files were simply not good enough anymore. These would be detected quickly, sometimes within the same day as installation. Cheat sellers needed something better in order to compete. This led to the creation of kernel-level cheat software. These cheats would run on the kernel-level of your operating system and were very difficult to detect, sometimes outright impossible to detect with anti-cheat software. As these types of cheats became more popular, anti-cheat needed to catch up. Ring 3 anti-cheats are the most common kernel-level anti-cheat. These run at Ring 3 in the kernel, which has access to almost every aspect of your computer. Ring 0 cheats, however, are fairly common. A Ring 3 anti-cheat is not capable of detecting a Ring 0 threat.

Protection ring depicting kernel levels

Concerns and Justifications


If you trust the company to keep your best interests in mind while also keeping you safe, then what is there to worry about? One of the most popular games to use this type of anti-cheat is Riot Games’ Valorant. Released in October 2019, this first-person shooter brought kernel-level anti-cheats to the mainstream. Riot Vanguard is a proprietary anti-cheat software developed by Riot Games for Valorant. To put it mildly, people were not happy at the idea of giving this software kernel-level access. In order to keep up with cheats being developed, Riot felt they had no choice but to make it run at Ring 3. Running at the kernel-level basically means that they do not have to rely on Windows API or system calls and can use their own methods of detecting cheaters. Many cheats nowadays do not need to run within the contents of the game itself. This means that it cannot be properly monitored without kernel access. The ability to monitor outside of the restrictions of the game’s engine makes it much more effective at detecting cheats. While this is unarguably better for the competitiveness of their games, it can be a concerning aspect for many people.

Vanguard banning a cheater in Valorant, Riot Games


So why is there so much fuss about kernel-level anti-cheat? Well, the main issue is security. Giving a third-party kernel-level access to your computer is not something that everybody wants to have to do. This can be especially troublesome if the anti-cheat software itself is not secure. If something goes wrong, a bad agent could gain access to your entire computer. Using the Vanguard example, Riot Games is owned completely by Tencent, a Chinese company. Especially for people in the United States, this just seems like a bad idea. Privacy is a major concern for many people as we have seen with the ongoing privacy war between Meta and Apple. Your data is not as secure as you think it is and much of it is probably already in the wrong hands. Many of these companies making this type of software already have your personal information such as credit card numbers. Riot Games, in a developer blog, stated:

“This isn’t giving us any surveillance capability we didn’t already have. If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure).”

Riot Games Development Blog

The privacy debate is just one such problem with this type of software. Another concern is that the kernel-level software will run regardless if you are actually playing the game or not. This is an undesired trait of such software. You want it to protect you inside the game but leave you alone otherwise. Several other third-party anti-cheat systems already use kernel drivers to protect their games. Some of the biggest multiplayer games are protected by software such as EasyAntiCheat, BattleEye, and Xigncode3. These other anti-cheats run at Ring 3 and are just as intrusive as Vanguard. There are most certainly risks to this type of software, but for now it may just be something you have to deal with especially if you like competitive integrity.

Potential Risks

While this type of software is mostly safe, there are vulnerabilities to kernel drivers. One such vulnerability is Bring Your Own Vulnerable Kernel Driver (BYOVKD). This is a type of attack which utilizes a signed, vulnerable kernel driver to execute kernel privileges on a target computer. This allows untrusted drivers to feign their trust and gain access to all aspects of a target system. Such an attack, however, is unlikely to occur to the average person playing Call of Duty. This leaves us with a realistic view of the dangers of kernel-level anti-cheats. While there are certainly security concerns which are rooted in a genuine concern for the privacy of the individual playing the game, it is unlikely that you would experience an attack due to you running Vanguard or BattleEye for example. The founder of Netragard, a penetration testing company, said, “even when we’re delivering the most advanced level of that service, we don’t need to use attacks that go down that low. There’s never been a need or even an inkling of a need at that level” [2]. While there are risks involved, it is unlikely that anything will be different for the user when using a kernel-level anti-cheat.

Windows driver system call


Kernel-level anti-cheats can be seen as a necessary evil. Anybody who has played competitive games knows the struggles of playing against a cheater. It can be frustrating and ruin what is supposed to be a fun, enjoyable experience. In order to maintain competitiveness in multiplayer games, steps must be taken to ensure the highest level of integrity. With cheats running at the highest level of permissions, anti-cheats needed to step up their game. This has led to a problem for many people regarding privacy and integrity. While the risks involved with kernel drivers being used for anti-cheat software are few, they certainly exist.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s