Anti-cheat demystified: What's the big deal about kernel-mode anti-cheat?
If you’ve been playing online games recently, you may have noticed that a bunch of games have switched to what’s called “kernel-mode anti-cheat software” for catching cheaters: League of Legends switched to Riot’s Vanguard anti-cheat, and, most notoriously, GTA Online also switched to BattlEye.
While these updates do bring major improvements to anti-cheating, they also bring a lot of controversy with them: from tech experts voicing serious concern over them, to people DDoS’ing GTA Online’s services in protest of the change. But why make such a fuss about something that should, in theory, make things fair for all players? Or is there a danger lurking around?
As it turns out, kernel-mode anti-cheat is a powerful tool, but it may be too powerful. In this post I want to give a layman’s explanation without the technical mumbo jumbo.
A simple case of anti-cheating
Let’s say you want to buy the most powerful weapon you can get at a shop in an MMO game. An interaction without any anti-cheating would work like this:
Hi, I’d like to buy the Ultima Laser.
That’ll be 100,000 gold. How much do you have?
A billion.
Alright, here you go! Have fun!
This is just a simple example of an interaction between the client (the player) and the server (the shopkeeper). In practice, a lot of other metrics are considered for other situations, such as checking for impossibly fast movement or for abilities that should only be available at higher levels.
Now, it may actually be possible for a player to get that amount of gold in a legitimate manner. Regardless, the oblivious shopkeeper will take the player’s word for it and the purchase goes through. But do you think the player really did get the gold fair and square?
An anti-cheat is basically a lie detector: it scans for something coming from the player to detect whether they are answering truthfully or not. In some cases it may choose to just reject the purchase, and in others it may ban the player. The crux of the fuss, however, is in how the lie detector works by design.
There are three kinds of anti-cheat, depending on how they work, and each has its own pros and cons.
The “doing the detective work” approach
A lie detector doesn’t have to be a machine. A human can also pick up cues as to whether a person is lying, such as their voice and nervous tics, and they can also refer to evidence to prove someone is lying. Detectives do this in all kinds of criminal investigations.
This is what server-side anti-cheats do: corroborating the game’s own records with the player’s actions, and using the intended game rules as a way of detecting whether they are cheating or playing legitimately.
But they aren’t very reliable, because they rely on intuition and the evidence gathered, and they can produce false positives or, worse, false negatives when detecting a cheater. It all depends on how capable the anti-cheat is, and how good the player is at concealing their tactics.
But if there’s one thing in which they shine, it’s that they are the least invasive kind of anti-cheat software. If the anti-cheat gets compromised in any way, it doesn’t pose a threat to the player, at least not directly; the result is merely a ruined game experience.
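To make the shopkeeper exchange and the server-side “detective work” concrete, here is an added example (not code from the original post or from any real game) contrasting an oblivious shopkeeper that trusts the client’s claimed gold with a server that consults its own ledger and game rules instead. Item prices, level requirements, player balances and the speed rule are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample catalogue: item -> (price in gold, minimum level). Assumption for this example.
CATALOGUE = {"Ultima Laser": (100_000, 50)}


@dataclass
class Player:
    name: str
    gold: int                   # authoritative balance kept on the server
    level: int                  # authoritative level kept on the server
    items: list = field(default_factory=list)


def naive_purchase(player: Player, item: str, claimed_gold: int) -> bool:
    """The oblivious shopkeeper: believes whatever balance the client reports."""
    price, _ = CATALOGUE[item]
    if claimed_gold >= price:
        player.items.append(item)   # never even debits the real balance
        return True
    return False


def server_authoritative_purchase(player: Player, item: str, claimed_gold: int) -> tuple:
    """Server-side check: ignore the client's claim and consult the server's own records."""
    if item not in CATALOGUE:
        return False, "unknown item"
    price, min_level = CATALOGUE[item]
    if claimed_gold != player.gold:
        # The client lied about its balance: a detection signal worth logging and flagging.
        return False, f"claimed {claimed_gold} gold but ledger shows {player.gold}"
    if player.level < min_level:
        return False, f"requires level {min_level}, player is level {player.level}"
    if player.gold < price:
        return False, "insufficient gold"
    player.gold -= price
    player.items.append(item)
    return True, "ok"


def plausible_move(prev_pos, new_pos, dt_seconds: float, max_speed: float) -> bool:
    """Speed sanity check against the game rule: distance / time must not exceed max_speed."""
    dx = new_pos[0] - prev_pos[0]
    dy = new_pos[1] - prev_pos[1]
    distance = (dx * dx + dy * dy) ** 0.5
    return dt_seconds > 0 and distance / dt_seconds <= max_speed
```

A real server would also rate-limit and log the mismatches rather than reject silently, so repeated lies can be reviewed before any ban is issued.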
The scanner approach
When people think of a lie detector, they usually think of a device that scans brainwaves or checks the heartbeat of a person. When it comes to detecting a cheater in a game, this is what’s called client-side anti-cheat.
You see, when you download an online multiplayer game, you’ll often get what’s called a client of the game, which is the program that sort of handles the game from a player’s perspective; the game master has the server version, and depending on the type of game, you may be able to download it and make your own server on your own computer. This is a bit of a simplification, of course, but it gets the gist of it.
Inside the client, there may be some code that will check what’s happening within the game client, a bit like checking your heartbeat when you’re being questioned. This can give a more accurate reading of what the player’s doing at any given moment while you run the game.
However, you trade off a bit of security. If the lie detector is compromised, it could be harmful to the person being questioned, but because it’s not directly connected to an organ, the worst they can get is a bad burn on their skin. Likewise, hackers can’t do much harm to your computer by hacking the anti-cheat. In fact, the actions that can be done are so limited that it’s generally used for bypassing the anti-cheat and not much else.
Still, while this is much better, it’s not infallible either. This kind of anti-cheat is very localized; just as a brainwave probe can’t check for a heartbeat or whether the person started sweating, an anti-cheat of this type can’t reliably check what’s happening outside the game. This lets people run external programs to bypass the anti-cheat, simply because the anti-cheat is overlooking those things.
But what if we could be able to check everything?
The implant approach
Kernel-level anti-cheat is a hyper-strengthened version of client-side anti-cheat. Instead of putting on a lie detector, you get an implant in your brain that works as a lie detector.
When you install a game with this kind of anti-cheat, you give full consent for the installer to place a driver in the kernel of your operating system. This is the “brain implant”.
A kernel driver grants full access to what’s going on in your computer, even things that you, as a user, can’t normally control, regardless of whether you’re playing the game or not. In brain implant terms, it allows it to check your memories and thoughts, and also body functions like your hormonal balance and digestion.
Giving access to everything that’s happening on the player’s computer makes this type of anti-cheat the most effective: nothing can be overlooked. But this also brings a lot of security concerns. The operating system (your brain) trusts that the driver will work perfectly. But if it starts failing and the operating system (Windows, Linux, Mac OS, etc.) doesn’t know how to or simply can’t fix the errors, it will panic and proceed to reboot the system. Something like this was the cause behind the CrowdStrike outage that caused millions of computers across the world to go Blue Screen of Death in July of this year.
There’s a good reason why the kernel is usually reserved for the most critical stuff, such as power management (blood pressure balance) and input/output handling (nervous system). In the case of CrowdStrike, it was necessary for cybersecurity purposes in businesses, so it sort of acted like a “vaccine” or an aid for your immune system, following the human body analogy.
But detecting whether someone is cheating in one particular game is not critical in the least.
Would you risk frying your brain with a faulty implant just to play a game?
The driver itself could have its own security vulnerabilities. If hackers do find one, they can get unprecedented access to your computer, and not even a privileged user, such as an “administrator” user on Windows, would necessarily have the clearance to fix this.
Once a hacker breaches the kernel of your PC, they can literally do whatever they want, from stealing all your personal and sensitive information, to planting a program that sends screenshots of your screen to the hacker, or a keylogger that logs the keys you press on your keyboard, allowing the hacker to see what you’re typing. And you would probably have no way of knowing this. So once they gain control of the kernel, they essentially hold your PC hostage.
And we’re not even taking into account that the game developers themselves could use that anti-cheat software to do things that you weren’t expecting it to do, even if those things show up in the game’s EULA. For example, it could turn your installed game into actual spyware.
Worst of all, uninstalling the game that has an anti-cheat of this kind will not be enough to keep hackers out or undo their effects. MiHoYo drew a lot of controversy for a critical security vulnerability in Genshin Impact’s anti-cheat, and for Honkai Star Rail’s anti-cheat being left behind even after the game was uninstalled, an anti-cheat that itself had a history of critical security vulnerabilities.
Another drawback of kernel-mode anti-cheat is that not every computer has the same kernel. Although most gaming computers use the Windows NT kernel, a notable minority uses the Linux kernel, which, being open source, can be extensively customized.
Anti-cheat developers may choose to support whichever kernels they wish, and the vast majority will add support for Windows, while Linux doesn’t have as much widespread support. But even if the anti-cheat supports Linux, it’s ultimately up to the game developers themselves to enable that support in their game. For example, EA, despite supporting Linux for 3 years, made a U-turn and dropped support for Apex Legends on Linux a few weeks ago.
EA claims that “Linux kernels can be so different from each other that cheating is made easy if you use a niche version of Linux”, but this is highly debated. I personally see it as an excuse to cut corners on software and technical support.
But apart from that, this increase in anti-cheat protectionism constitutes a serious deterrent to gaming on Linux, which includes the Steam Deck.
Due to their extremely powerful capabilities, Windows and Mac OS kernel drivers/extensions have to be signed by Microsoft and Apple themselves, while Linux kernel modules have to be signed through a different but secure process. Passing the tests to get that signed driver should mean that these drivers won’t compromise the integrity of the operating system, and are also safe for the user. However, it’s not perfect: MiHoYo’s anti-cheat was bypassed and even exploited to disable any anti-virus the user may have had on their computer.
Personally, I find kernel-mode anti-cheat too powerful for what it’s worth. If there are lots of cheaters, I can quit the game and move on to something else, hoping that things turn a bit fairer in a few hours. But if I get hacked because of an anti-cheat, that would pose a serious compromise to my security.
Valve has recently raised concerns about this kind of anti-cheat, and now they require game developers to disclose what anti-cheat they are using on all their Steam games that use a kernel-mode one, and strongly recommend doing so even if it’s not.
This is a very welcome change, and one that I hope other games and app stores end up copying from Valve. I still think a user-mode client-side anti-cheat (the scanner lie detector kind) is probably the best anti-cheat software in terms of balancing reliability, performance, privacy and security, so if you are making an online game, I hope you choose this kind of anti-cheat solution.