A closer look at Valorant's always-on anti-cheat system
Riot explains how Vanguard works, and why, and then an expert weighs in.
Every time you install a new program on your computer, you’re taking a risk. With each click of the OK button, you’re placing implicit trust in whatever company or person is distributing that software. You’re assuming they’re not installing secret spyware, rummaging around in your files, or selling your keystrokes to the highest bidder. You’re saying, “I trust this company.”
So, with the launch of Valorant and Vanguard, the competitive shooter’s always-on anti-cheat system, the question is clear: Do you trust Riot Games?
“It's easy to go, ‘This is new, why should I trust it?’ But it's hard to get a satisfying answer because at the very end of it all you should trust us because we're trying to do right by you.”
That’s Paul Chamberlain, security and anti-cheat lead on Valorant. I talked with him and Riot’s chief information security officer Chris Hymes two days after their teams announced a handful of updates to Vanguard. The changes were in response to persistent online skepticism of Riot’s new, kernel-level anti-cheat system, and they were intended to give players more control. Just three weeks after Valorant and Vanguard went live in a closed beta, Reddit was packed with criticism and conspiracy theories relating to Vanguard’s omnipotence.
“That's the only assurance we can really give, is that we care about this a lot and we've put a lot of effort into doing things the right way with security reviews, transparency and all this,” Chamberlain said. “But at the end of the day we're just saying that it's good, and if you're uncomfortable with that, then we understand if you don't want to play.”
Riot isn’t the only company targeting the deepest depths of your computer with its anti-cheat software. Other popular systems like DayZ’s BattlEye and Fortnite’s Easy Anti-Cheat also use kernel drivers, but they only run when the game is active. Meanwhile, services like FACEIT and ESEA have “always-on” drivers, though after years of use and updates, they feel less invasive than Vanguard to many players.
This is despite the fact that in 2013, an ESEA developer used the software’s kernel access to turn players’ computers into a secret, large-scale bitcoin mining farm. The developer generated nearly $4,000 off the backs of unsuspecting players’ GPUs before he was caught. ESEA apologized and donated all of the money to the American Cancer Society.
Which brings us back to the issue of trust.
Riot has faced a few challenges to its reputation in recent years. First, it’s a multibillion-dollar tech company at a time when anti-corporate sentiment is all the rage. Second, following years of reports of sexual harassment and the studio’s frat-house-style culture, Riot settled a gender discrimination lawsuit in 2019 and agreed to pay at least $10 million to its employees and contractors who identify as female. Lawmakers are still negotiating the final amount that Riot will owe, and in January they suggested it could hit $400 million. And finally, Riot is fully owned by the gigantic Chinese technology conglomerate Tencent, fostering fears about the Communist Party of China accessing players’ data.
Chris Hymes had something to say about that last bit.
“In my five years at Riot I've never encountered a singular time where our parent company has ever requested or attempted to access any data that we have,” he said. “I fundamentally believe that A, that would never happen. And then B, that if that was requested we would probably not allow it to happen.”
With all of this in mind, I asked Chamberlain to explain why Vanguard works the way it does. And then, I ran his answers by independent security researcher Saleem Rashid.
Vanguard has two main components: a traditional scanning service that boots up when the game does, and a device driver that loads at system start. The driver runs the entire time your PC is on, even if you’re not playing Valorant. Players even have to reboot their computers before starting the game for the first time, in order to properly install Vanguard’s kernel-mode component.
“The driver itself doesn't do any of the scanning or communicate with the network or anything like that,” Chamberlain said. “It's there to make sure that from the start of your computer booting until when the game starts, the system hasn't been compromised or tampered with. It does this by starting up before any cheats could be loaded on your system. And then as new drivers or modules load on your computer, it checks them for security vulnerabilities. If it finds them, it doesn't let them load. This is unusual.”
Operating in the kernel, or ring 0, means Vanguard has access to every bit of a computer’s hardware. It’s the most privileged level of a PC, reserved for only the most trusted bits of the operating system. From ring 0, attackers can modify game memory, crash an entire system or access files from other users on the computer. And hackers don’t even need to be involved for the driver to cause problems -- Vanguard is crashing some computers as it blocks otherwise harmless software from operating properly. We’re talking like blue-screen-of-death failures.
“The other thing is that there are certain parts of the operating system that need to be able read and write to your game memory,” Chamberlain said. “They start when the computer starts as well. A common technique for getting a cheat into a game is to hijack one of these system components. Since the system components are running the whole time, you can't verify their integrity unless you have a component that's running the whole time. And that's most of what the kernel driver does.”
Chamberlain presents the system as a bubble of security shielding the entire computer from cheating software, but Rashid said Vanguard has a blind spot when it comes to ring 0 attacks. He said, “Vanguard's premise is that they can use a kernel driver to detect a specific kind of cheat injection that happens in ring 3, in user mode. But when cheat developers also move their cheats into the kernel, they can modify game memory in a way that Vanguard's driver cannot detect. This technique is already used to bypass existing anti-cheat mechanisms.”
This analysis is playing out in real-time, as cheaters have been active in Valorant since week one. Of course, no anti-cheat system is completely fool-proof and Riot expected attacks, even with Vanguard’s extra layer of protection.
The problem, according to Rashid and other experts, is that Vanguard isn’t just blind to some kernel attacks -- it’s actively inviting cheaters and hackers to target a computer’s most privileged level. Chamberlain agreed that this concern is valid, but he said most existing malware has no interest in ring 0.
“If I'm running a driver and I get a virus on my PC, the virus can exploit that security vulnerability in the driver to also run in ring 0, in the kernel, and then do anything in the kernel,” Chamberlain said. “This is actually relatively rare because most malware doesn't have any interest in kernel-level access to a computer because all the things that are valuable on your computer are accessible from user mode. The things that I want protected like my browsing history or my credit cards, and all the fanfiction that I'm writing, that's all accessible to anything on my computer. You don't need a kernel driver for that.”
Operating systems use exploit mitigations to protect user-mode applications from attacks, but this security blanket doesn’t cover kernel code. Cheat developers and hackers can still use security vulnerabilities in Vanguard and other trusted drivers to target the kernel and install software there, bypassing security certificate requirements entirely.
Chamberlain said his team built Vanguard to be as simple as possible, to limit the chances of implementing a vulnerable entry point. Of course, there’s always a chance that malware will make its way into ring 0 through Vanguard itself. And since kernel-mode attacks are less common, Vanguard and other anti-cheat systems are less prepared to catch them.
Rashid summed it up like this: “Using a kernel driver moves the cat-and-mouse game between game developers and cheat developers from user mode to the kernel. Encouraging cheat developers to implement cheats in ring 0 is going to make it even more difficult for Riot to detect cheating in the future.”
Riot is constantly updating both Valorant and Vanguard during the closed beta period, and plenty of people are playing with zero issues. The game has been a huge success on Twitch, due in part to a clever marketing scheme that tied beta access to watching streams, and Riot has announced initial plans for an esports league. A handful of professional players have already abandoned games like Overwatch, Counter-Strike and Fortnite in favor of Valorant.
Vanguard is also impressive as a piece of anti-cheat software. Chamberlain is particularly proud of his Fog of War system, which prevents cheaters from implementing wallhacks, or the ability to see the location of every enemy in real-time. It’s a common issue in competitive shooters, and tricky to solve, since character-location data is a necessary component in any game.
Chamberlain explained (vaguely, of course) on Reddit how Vanguard handles this problem: “The server withholds enemy locations until just before you [can] see them. So even if your wallhack is reading the game client's memory it won't do very much because the enemy location won't be in there.”
Counter-Strike: Global Offensive uses a similar Fog of War system, but in the same Reddit thread Chamberlain explained that, basically, Vanguard’s is better.
Issues with Vanguard haven’t stopped Valorant from finding success, but they’ve reignited a pervasive conversation about security and trust in the video game industry.
“We thought that for this audience that we're trying to serve, that they would appreciate that wherever there is a choice to be made between a convenience or a security, they hope that we choose security,” Chamberlain said. “And so the guiding principle here is this game isn't necessarily for everyone. But the players that we think that will enjoy this game the most will appreciate the efforts that we're going to, to keep cheats out of the game.”
To be fair, no one has an issue with Riot keeping cheats out of its games -- it’s all of the other stuff that Vanguard could do that worries some players.
