What’s the Deal With Anti-Cheat Software in Online Games?

In the past decade, big competitive online games, especially first-person shooters like Activision-Blizzard’s Call of Duty and Bungie’s Destiny 2, have had to massively scale up their operations to combat the booming business of cheat sellers. But an increasingly vocal subset of gamers is concerned that the software meant to detect and ban cheaters has become overly broad and invasive, posing a considerable threat to their privacy and system integrity.

At issue are kernel-level drivers, a relatively new escalation against cheat makers. The kernel itself—sometimes called “ring 0”—is a sequestered portion of a computer, where the core functionality of the machine runs. Software in this region includes the operating system, the drivers that talk to hardware—like keyboards, mice, and the video card—as well as software that requires high-level permissions, like antivirus suites. While faulty code executed in user mode—“ring 3,” where web browsers, word processors, and the rest of the software we use lives—results in that specific software crashing, an error in the kernel brings down the whole system, usually in the ubiquitous Blue Screen of Death. And because of that sequestration, user-mode software has very limited visibility into what’s happening in the kernel.

It’s not surprising, then, that some people have reservations. But the reality is that security engineers, especially those working to establish fairness in the hyper-competitive FPS genre, haven’t been given a lot of choice. Anti-cheat systems are heading to the kernel in part because that’s where the cheaters are.

“Back in the 2008 era, effectively no one was using kernel drivers, like maybe 5 percent of sophisticated cheat developers,” says Paul Chamberlain, a security engineer who has worked on anti-cheat systems for games like Valorant, Fortnite, and League of Legends. Chamberlain recalls seeing his first kernel-based game exploit—the infamous World of Warcraft Glider—at the Defcon security conference in 2007. “But by 2015 or so, pretty much all the sophisticated, organized cheat-selling organizations were using kernel drivers.” With the tools available, there wasn’t much anti-cheat software could do against aimbots and wallhacks that lived in the kernel. Around this same time, at a Steam developer conference, Aarni Rautava, an engineer with Easy Anti-Cheat—which would eventually be purchased by Epic Games—claimed the overall marketplace for cheats had grown to somewhere north of $100 million.

Still, games studies were, and often remain, cautious about implementing their own driver solutions. Working in the kernel is difficult—it’s more specialized and requires loads of quality assurance testing because the potential impact of bad code is so much more drastic—which leads to increased expense. “Even at Riot, nobody wanted us to make a driver. Internally, they were like, ‘Look, this is too risky,’” says Clint Sereday, another security engineer who worked on Vanguard, Valorant’s kernel-level anti-cheat system. “At the end of the day, they don’t want to have to put out a driver to protect their game if they don’t need to.” But in the hyper-competitive FPS space, especially a tactical shooter where a single headshot can mean instant death, cheats have an outsized impact that can quickly erode players’ trust. In the end, Riot seemingly calculated that any backlash a kernel solution produced (and there was plenty) was still preferable to being hamstrung from fighting cheaters on even ground.

But to many gamers, who pushed into the kernel first isn’t important. They worry that an anti-cheat kernel driver could secretly spy on them or create exploitable vulnerabilities in their PCs. As one Redditor put it: “I’ll live with cheaters. My privacy is more important than a freaking game.”

A kernel driver could certainly introduce some sort of vulnerability. But the chances that a hacker would target it are slim, at least for the vast majority of people. “You’re talking easily hundreds of thousands of dollars, perhaps millions, for an exploit like that if it’s going to be remotely executable,” says Adriel Desautels, founder of penetration testing company Netragard. “What attackers would rather spend their time and money on are things where they can hit one thing and get a lot of loot,” like other criminal hacks or malware attacks where huge troves of valuable data were stolen or held for ransom.


Steve Liem

Learn More →