What’s wrong with anti-cheat software in online games?

In the old days decade of great competitive online games, especially first-person shooters like those from Activision-Blizzard Call of Duty and Bungie Destiny 2, have had to massively scale up their operations to combat the thriving business of cheat sellers. But an increasingly vocal subset of gamers are concerned that software intended to detect and ban cheaters has become too broad and invasive, posing a significant threat to their privacy and the integrity of the game. system.

The problem is with kernel-level drivers, a relatively new escalation against cheat makers. The kernel itself, sometimes referred to as “ring 0”, is a sequestered part of a computer, where the basic functionality of the machine runs. Software in this region includes the operating system, drivers that communicate with hardware, such as keyboards, mice, and video card, and software that requires high-level permissions, such as antivirus suites. While faulty code running in user mode – “ring 3”, where web browsers, word processors and the rest of the software we use – live causes that specific software to crash, an error in the kernel stops the system, usually into the ubiquitous blue screen of death. And because of this sequestration, user-mode software has very limited visibility into what’s going on in the kernel.

It is therefore not surprising that some people have reservations. But the reality is that security engineers, especially those working to establish fairness in the hyper-competitive FPS genre, haven’t had much choice. Anti-cheat systems go to the kernel in part because that’s where the cheats are.

“Back in 2008, nobody used kernel drivers like maybe 5% of sophisticated cheat developers,” says Paul Chamberlain, a security engineer who has worked on anti-cheat systems for games. as Valorant, fortniteand League of Legends. Chamberlain remembers seeing his first kernel-based gaming exploit – the infamous World of Warcraft Glider – at the 2007 Defcon security conference. “But back in about 2015, just about every sophisticated, organized cheat-selling organization was using kernel drivers.” With the tools available, there wasn’t much anti-cheat software could do against the aimbots and wallhacks that lived in the kernel. Around the same time, at a Steam Developer Conference, Aarni Rautava, an engineer for Easy Anti-Cheat – which would eventually be bought by Epic Games – claimed that the overall market for cheats had reached somewhere in the north of $100 million.

Still, game studies were, and often remain, cautious about implementing their own driver solutions. Working in the kernel is difficult – it’s more specialized and requires a lot of QA testing because the potential impact of bad code is much more drastic – leading to increased expense. “Even at Riot, nobody wanted us to do a driver. Internally they were like, ‘Look, this is too risky,'” says Clint Sereday, another security engineer who worked on Vanguard. Valorantkernel-level anti-cheat system. “At the end of the day, they don’t want to have to release a pilot to protect their game if they don’t need it.” But in the hyper-competitive FPS space, especially a tactical shooter where a single headshot can mean instant death, cheaters have an outsized impact that can quickly erode player confidence. In the end, Riot apparently calculated that any backlash produced by a core solution (and there were plenty of them) was always better than being prevented from fighting cheaters on flat ground.

But for many players, who pushed into the core first is not important. They fear that an anti-cheat kernel driver is secretly spying on them or creating exploitable vulnerabilities on their PCs. As one Redditor put it, “I will live with cheaters. My privacy is more important than a scary game.

A kernel driver could certainly introduce some sort of vulnerability. But the chances of a hacker targeting it are slim, at least for the vast majority of people. “You’re easily talking hundreds of thousands of dollars, maybe millions, for an exploit like this if it’s remotely executable,” says Adriel Desautels, founder of penetration testing firm Netragard. “What attackers would rather spend their time and money on are things where they can touch one thing and get a lot of loot,” like other criminal hacks or malware attacks where huge amounts of valuable data were stolen or held for ransom.