Valorant’s anti-cheat software loads kernel-based driver on system boot
Riot Games’ new team shooter Valorant has an anti-cheat system called “Vanguard” that has raised some security concerns. When the game launches, the Vanguard client loads with it into the userspace. However, there is a kernel-mode driver for the system that loads when you boot into Windows.
Riot claims that it needs this since some cheating software uses kernel-mode drivers to evade detection. Regular applications cannot detect kernel-mode drivers because of the higher privileges required.
Back in February, Riot explained the new anti-cheat software, initially designed for use in League of Legends, and why it was needed.
“In the last few years, cheat developers have started to leverage vulnerabilities or corrupt Windows’ signing verification to run their applications (or portions of them) at the kernel level. The problem here arises from the fact that code executing in kernel-mode can hook the very system calls we would rely on to retrieve our data, modifying the results to appear legitimate in a way we might have difficulty detecting. We’ve even seen specialized hardware utilizing DMA1 to read and process system memory—a vector that, done perfectly, could be undetectable2 from user-mode.”
Running a driver in kernel-mode raises concerns that Riot is only improving its cheat detection at the cost of increasing the attack surface of Windows, and at the root level no less. If you recall the 2005 Sony DRM rootkit fiasco, this level of risk might make you nervous.
Kernel-based drivers can also create system-wide stability issues that bring with them the dreaded BSOD (blue screen of death).
“Whenever you have a driver like that, you’re at risk of introducing security and reliability issues to the computer,” independent security researcher Saleem Rashid told Ars Technica. “You don’t get as many exploit mitigations in device drivers as you do in normal applications, and a bug will crash the entire OS, not just the game.”
Riot contends that it contracted three external security firms to audit the software before putting it into use. One of them even performed “black box” attacks against the system with no success. It also said that its Application Security team could detect and respond to any problems with Vanguard within hours.
Before freaking out too much about Riot’s decision to use a kernel-based driver for cheat detection, bear in mind it is not the only developer to use this technique. Battleye, a popular third-party anti-cheat solution, describes itself as a “kernel-based protection system.” Most notably, games like PUBG and Ark: Survival Evolved employ Battleye. Fortnite uses Easy Anti-Cheat, which also works in a similar way. So far, there have been no major security issues with these systems.
Users that feel such a system is a deal-breaker might want to take a pass on Valorant. Vanguard will soon be employed in League of Legends as well. Those who already play games like Fortnite and PUBG, which use similar, but separate mitigation methods, might be tempted to say, “What’s one more?” But if you think of kernel-based drivers as analogous to the doors on your house, then you can see precisely what that implies.