Nobody who plays online multiplayer games wants cheaters. Dishonest players spoil the game for everyone, whether they use external software to boost their performance or just to troll other players. Game developers are constantly working on new ways to detect and block these programs.
The anti-cheat system in Riot Games' new shooter Valorant has raised some security concerns. When the game launches, the Vanguard client loads with it in user space. But the system also includes a kernel-mode driver, and that driver loads when you boot into Windows, not when you start the game.
Riot says this is necessary because some cheating software runs as a kernel-mode driver to evade detection. Kernel-mode code runs at a higher privilege level than ordinary applications, so an anti-cheat that lives only in user mode cannot inspect or interfere with a cheat that lives in the kernel.
In February, Riot described the new anti-cheat software, which was originally developed for League of Legends, and explained why it was needed.
"Cheat builders have started to exploit frailties or corrupt Windows' signing verification to operate their applications (or portions of them) at the kernel level in recent years. The issue here comes from the fact that code executing in kernel-mode can lock the very system calls we would depend on to recover our data, changing the results to appear legitimate in a way we might have difficulty detecting. We've even seen specialized hardware using DMA to read and process system memory, a vector that, done well, could be undetectable from user-mode."
Running a driver in kernel mode raises the concern that Riot is strengthening its cheat detection at the cost of enlarging the attack surface of Windows, and of the machine as a whole. If you remember the 2005 Sony DRM rootkit fiasco, this kind of risk may well set off alarm bells.
Kernel-mode drivers can also cause system-wide stability problems, including the dreaded BSOD (blue screen of death): a bug in a user-mode application crashes that application, while a bug in a kernel driver crashes the whole operating system.
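A practical first step for anyone weighing this trade-off is to see which third-party kernel drivers are already configured to load at boot on their own machine, and who signed them. The following PowerShell script is an added example written for this article; it is not code from Riot or from any anti-cheat vendor, and it makes no claim about any specific driver. It assumes a Windows 10 or 11 host with PowerShell 5.1 or later, run from an elevated prompt so that every driver file is readable. The function name `Resolve-DriverPath` and the filter on `Microsoft` in the signer subject are this example's own choices.

```powershell
# Added example (not from the article, Riot, or any anti-cheat vendor):
# list kernel-mode drivers configured to load at Boot or System start,
# normalise their on-disk path, and show each file's Authenticode signer.
# Assumes Windows 10/11, PowerShell 5.1+, elevated prompt.

function Resolve-DriverPath([string]$PathName) {
    # Service image paths come in several shapes:
    #   \??\C:\Program Files\Vendor\foo.sys
    #   \SystemRoot\System32\drivers\foo.sys
    #   System32\drivers\foo.sys        (relative to the Windows directory)
    #   C:\Windows\System32\drivers\foo.sys
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Win32_SystemDriver enumerates every kernel driver registered as a service.
# StartMode 'Boot' and 'System' are the drivers that load before any user logs on,
# which is the behaviour the article describes for the Vanguard driver.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.StartMode -in 'Boot', 'System' -and $_.PathName }

$report = $drivers | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not (Test-Path -LiteralPath $path)) { return }   # skip stale registrations
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name      = $_.Name
        StartMode = $_.StartMode
        State     = $_.State
        Path      = $path
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Third-party drivers are the interesting ones for this discussion; the
# 'Microsoft' filter on the signer subject is a heuristic, not a trust decision.
$report |
    Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, SigStatus, Signer, Path -AutoSize
```

Two caveats apply when reading the output. A `Valid` signature only tells you that Windows' code-signing check passed for that file; it says nothing about whether the driver is well written, and Riot's own statement above is precisely that cheat authors have abused weaknesses in signing verification. And `Win32_SystemDriver` only shows drivers registered as services, so it is a view of what is configured to load, not a forensic inventory of what is currently resident in kernel memory.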
As Saleem Rashid, an independent security researcher, told Ars Technica:
"When you have a driver like this, you're at risk of introducing security and reliability problems to the computer. You don't get as many exploit mitigations in device drivers as you do in regular applications. And a bug will ruin the entire OS, not just the game."
Riot says it hired three external security firms to review the software before deployment. Some of them ran "black box" attacks against the system without success. Riot adds that its application security team can detect and respond to any problem found in Vanguard within a few hours.
Before getting too upset about Riot's decision to use a kernel-mode driver for cheat detection, it is worth noting that many developers use the same technique. BattlEye, a well-known third-party anti-cheat solution, describes itself as a "kernel-based protection system."
Ark: Survival Evolved and PUBG, among other games, use BattlEye. Fortnite uses Easy Anti-Cheat, which works the same way. So far, no serious security problems with these systems have been publicly reported.
Users who consider such a system a deal-breaker should pass on Valorant, and Vanguard will soon be used in League of Legends as well. People who already play games like PUBG and Fortnite, which rely on similar though separately implemented kernel-based protections, may be tempted to say "What's one more?" But if you think of each kernel-mode driver as another gate into your home, you understand what that question really means.