Key findings
- Kernel-level anti-cheat has comprehensive access to monitor and control how software interacts with hardware, which gives it strong protection against cheats.
- ESEA and Vanguard are notable examples of kernel-level anti-cheat systems that have run into problems, including a Bitcoin miner and blue screen errors.
- Using kernel-level anti-cheat features carries risks such as system instability and conflicts with other software, as well as the potential for catastrophic errors when updates fail.
If you're into competitive gaming, you've probably heard of kernel-level anti-cheat. It's a highly controversial mechanism used to curb cheating in online games, but the trade-offs required to do so aren't necessarily worth it. Not only are you granting a game maker an incredible amount of access to your computer, but because of the privilege level it's running with, any bug or other issue that occurs could cause your computer to bluescreen or even fail to boot.

What is kernel-level anti-cheat?
It runs at a privileged level
Kernel-level anti-cheat systems operate directly at the core of a computer's operating system, which gives them extensive access to monitor and control how software interacts with the hardware. This lets them detect and block cheats that attempt to tamper with the game's code or memory, providing stronger protection than traditional anti-cheat methods. It also lets them detect cheats that use direct memory access and other unusual methods.
However, because these systems operate with such high-level access, they also pose significant risks. If the anti-cheat software has a flaw, it could potentially compromise the entire computer, raising security and privacy concerns. In addition, this deep integration can sometimes cause conflicts with other software, resulting in system instability.
These anti-cheats are typically loaded as drivers, meaning they run on your computer with incredible privileges. When an anti-cheat driver is loaded at the kernel level, it runs with the same high-level privileges as the operating system itself, allowing it to monitor all other drivers, processes, and memory allocations on the system. This means it can detect unauthorized changes or insertions to a process' memory. By running at such a privileged level, the anti-cheat driver can intervene before cheat software takes effect, effectively blocking or reporting suspicious activity in real-time.

Kernel-level anti-cheat has a pretty rough history
ESEA and Vanguard are two you may have heard of
Many games today use kernel-level anti-cheat. Some of the biggest are Counter-Strike 2 (through third-party services), League of Legends, and Valorant. Many years ago, the third-party Counter-Strike matchmaking service ESEA used a kernel-level anti-cheat to protect its games from cheaters. To the company's credit, ESEA was the anti-cheat of choice for years and uncovered a major cheating scandal involving a small number of professional players.
However, things have not always been good at ESEA. On April 13, 2013, a Bitcoin miner was added to the ESEA client, and it was discovered on May 1. A year later, ESEA agreed to a $1 million settlement, and the company blamed a rogue employee for distributing the miner. Although a Bitcoin miner can run on a Windows computer without kernel-level access, it is harder to detect when it is hidden inside an anti-cheat program and protected from analysis.
A much more recent example is the introduction of the Vanguard anti-cheat in League of Legends. Vanguard had already been operating in Valorant, and when it was finally introduced in League of Legends, a lot of users reported that their computers were constantly experiencing blue screen errors. While Riot stated that a very small percentage of users were experiencing issues caused by Vanguard, users insisted that the problems only started occurring after installing the anti-cheat, and some reported that the problems disappeared after removing it.

Is a kernel-level anti-cheat system necessary?
It is a somewhat murky topic
Looking back, the battle between anti-cheat software and cheat providers has been an incredibly long and drawn-out game of cat and mouse. To be clear, any software on a Windows computer can be used to steal information and try to take control of your computer. It doesn't matter whether it runs at the kernel level or not. For example, a kernel-level anti-cheat can access your webcam and see your screen, but so can any other software running on your computer.
To clarify, there is still anti-cheat software that hooks into your game (not at the kernel level) and takes screenshots every second for analysis. A popular free anti-cheat program for tournaments is called MOSS, and it gives you a zip file when you close your game, which you can then hand over to the tournament operator. It's still a bit invasive, but significantly less so than an anti-cheat program that runs as a driver when you start your computer.
However, it can be argued that the ever-growing arms race between cheat developers and anti-cheat developers will simply continue to escalate. Nowadays, sophisticated cheats are also built as Windows drivers, and they have been known to use fake driver signatures to pass driver signature verification. This kind of tactic makes them significantly harder to detect, which is why game developers believe that the natural evolution of anti-cheat software is to run at the kernel level as well.
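Because both anti-cheats and modern cheats load as kernel drivers, as described in the sections above, it is useful to see which third-party drivers a machine actually has, when they start, and who signed them. The following is an added example, not code from the article; it assumes Windows PowerShell 5.1 or later, and the function names are made up for this illustration.

```powershell
# Added example: inventory third-party kernel drivers, their start mode,
# and the state of their Authenticode signature.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''   # drop the NT \??\ prefix
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^System32\\')      { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.ServiceType -eq 'Kernel Driver' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
            }
            [pscustomobject]@{
                Name       = $_.Name
                State      = $_.State       # Running or Stopped
                StartMode  = $_.StartMode   # Boot, System, Auto, Manual, Disabled
                Path       = $path
                SigStatus  = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
                Signer     = if ($sig -and $sig.SignerCertificate) {
                                 $sig.SignerCertificate.Subject } else { $null }
                IsOSBinary = [bool]($sig -and $sig.IsOSBinary)
            }
        }
}

# Keep only drivers that did not ship with Windows.
$thirdParty = Get-KernelDriverInventory | Where-Object { -not $_.IsOSBinary }

# Drivers that load during boot: a faulty update to one of these can stop
# the machine from starting at all.
$thirdParty | Where-Object { $_.StartMode -in 'Boot', 'System' } |
    Sort-Object Name | Format-Table Name, State, StartMode, Signer -AutoSize

# Drivers whose file is missing or whose signature does not verify.
$thirdParty | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Name, StartMode, SigStatus, Path -AutoSize
```

A `Valid` status only means the signature verifies; since the article notes that cheat drivers have passed signature verification with fake signatures, treat the output as an inventory to review rather than a verdict.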
A faulty update can render millions of computers unusable
See: CrowdStrike
Here's the problem: If you run an anti-cheat on millions of computers worldwide, running concurrently with the system, a lot of control is handed over to the company that makes the anti-cheat. In the case of Vanguard, a faulty update would cause computers around the world to fail to boot. Imagine if an update was accidentally released with an untested change that caused computers to crash. That's exactly what happened to CrowdStrike, a company that makes security solutions for enterprise customers. Do you really think a gaming company wouldn't be able to make a similarly colossal mistake?
Make no mistake: millions of people around the world use their computers to play games, and any update that could cause damage would cause damage on a similar scale to what happened with CrowdStrike. The problem is that users who don't know how to fix technical issues like these on their own can't fall back on the kind of technical support that was available to the major companies affected.
The damage would be a true technical disaster, rivaling the greatest of all time. The difference is that it would affect consumers, not businesses, but otherwise the damage would still be incredible. In addition, anti-cheat software could itself be vulnerable to malware, providing an extremely privileged vector for an attacker to gain access to a machine.
Currently, these companies test and deploy anti-cheat software on their own machines, which should catch the vast majority of potential problems. Then again, you would have expected the same of CrowdStrike. And given what we've seen in the past with both ESEA and Vanguard, it's not impossible that more problems could arise.
