Skip to content ↓ | Skip to navigation ↓

As the competitive online gaming and eSports industries gain legitimacy by becoming more popular and attracting mainstream attention, the question of competitive integrity lingers in the back of my mind. Can the game’s developers, community, and users maintain and uphold competitive integrity? Or will they fold under the pressure of greed and complacency?

Some of you may recall the “Konami Code” or the “Contra Code”: Up, Up, Down, Down, Left, Right, Left, Right, B, A, and optionally Start/Select at the end. Cheats like the Konami Code or Contra Code were safe for the game’s integrity and were programmed into the game by the developers as a way for players to experience the game in a unique way.

Today’s cheating culture, however, is very different from the Konami Code era of cheats–particularly cheats, hacks, and exploits of competitive online games. Cheats and hacks are no longer written by developers but rather by third parties who are interested in trying to exploit a game’s mechanics, database, and/or netcode to gain a competitive advantage. Nowadays, developers rarely dare to implement in-house cheats into their games, as doing so tends to expand the attack surface that an attacker can misuse in an online competitive setting.

Some examples of modern-day scripts and cheats that exploit games and undermine competitive integrity include (but are not limited to) the following:

  • Aimbots, which are most commonly found in first-person shooter games, use automated target acquisition and calibration to the player.
  • Trigger bots are also commonly used in first-person shooter games to automatically shoot opponents who appear in the field of view.
  • Lag switches use various methods, with the main idea being to DDoS your opponents.
  • Look-ahead cheats allow the cheater to see what other players are doing first by forging a delayed time-stamp on a packet.
  • World-hacking cheats allow the user to see more than the developer intended.

These cheats may be implemented in three ways:

  • Game code modification
  • System software modification
  • Packet interception and manipulation

With the rise of competitive gaming and eSports, the market for exploitative cheats has become so lucrative that entire ecosystems have sprung up around it. Cheating has become so common and exploitable that even professional players are willing to cheat in front of referees and thousands of viewers in LAN (Local Area Network) tournaments.

For example, in the 2018 Counter-Strike eXTREMESLAND LAN tournament, which had a $100,000 USD prize pool, the player known as “Forsaken” was caught cheating during the game. Forsaken attempted to conceal the cheats by obfuscating the name and location of the script files, even going so far as to try to delete the cheats while being apprehended by a referee live on stage.

How Are Developers Tackling the Integrity Problem?

Before going into how developers are tackling cheating, I will briefly explain the CPU protection rings and the differences in privileges, as they are at the core of the current problem and solution of cheating.

CPU protection rings are structural privilege layers that prohibit interaction between installed apps and key processes on a computer. They generally vary from the outermost ring (Ring 3), which is the least privileged, to the innermost (Ring 0), which the most privileged and also known as “the Kernel.”

Ring 0 is the kernel layer and is the core of all system processes. Anyone who can manipulate the kernel has complete power over that machine. Operating system engineers restrict access to this zone to prevent exploitation of its core. As a result, most operations that a computer user can access are confined to Ring 3.

So, how does the use of protection rings relate to cheating in competitive online gaming? Well, the protection rings are at the core of both the problem and the current solution. Cheat developers are now using kernel-level cheating software to avoid detection by anti-cheat (AC) software operating at the Ring 3 level (application layer).

Because of the use of kernel-level cheats, game developers created AC (anti-cheat) software at the kernel level (Ring 0) to combat kernel-level cheating software. Easy Anti-Cheat (Epic Games), Vanguard (Riot Games), and BattlEye are some notable Ring 0 anti-cheat examples. VAC is an example of a Ring 3 anti-cheat (Valve).

Application layer AC, such as Valve’s VAC anti-cheat tool, functions more like a virus scanner than a kernel-level driver. In the words of Steam, “VAC is a component of Steamworks and the Steam client and works by scanning the user’s system for cheats while the game is running. It works a lot like a virus scanner, and has a database of known cheats to detect.”

The Problems with Kernel-Level Anti-Cheat

While kernel-level AC may appear to be a viable solution to the cheating problem for some, I believe it is “kicking the can down the road” and shifting risk onto the end-user.

There are three issues with kernel-level AC:

  1. It provides an attack vector for attackers to exploit.
  2. Kernel-level AC can mistake legitimate hardware drivers and software as malicious, resulting in legitimate programs being blocked from the user.
  3. Users’ data is now completely exposed to the developers of the kernel-level AC to exploit for monetary gain.

An attacker cannot exploit the VAC anti-cheat to harm a user’s computer in any meaningful way as it is a Ring 3 (application layer) AC and cannot interact with the hardware or drivers at the lower ring levels. By contrast, kernel-level AC opens a door for attackers to hack into the kernel-level AC driver and exploit the user’s system with the anti-cheat driver working as a rootkit for the attacker. The possibilities of what a malicious actor can do with this level of access are off the charts. At this point, the attacker has complete control over the computer including all the hardware, drivers, and software.

There are multiple ways a kernel-level AC could be exploited ranging in spreadability and difficulty. A kernel-level AC could be exploited at a large scale where the attacker pushes malicious code to the code chain vendor to be pushed down to the end-user. On a smaller scale, the kernel-level AC could be exploited locally to modify the driver and infect the user with malicious code.

Aside from the issue of the kernel-level AC providing an attack vector for malicious actors, several users across different kernel-level anti-cheats have documented the issue of the kernel-level AC locking down hardware and software that isn’t malicious to the competitive integrity of the game. Legitimate hardware and/or software purchased by the user may be misidentified as malicious and thus blocked.

Furthermore, when dealing with kernel-level AC, the issue of data security and user privacy is raised. Does the end-user trust the kernel-level AC developers not to use that power for other purposes such as monetary gain through data harvesting or crypto-mining? For example, a third-party matchmaking service using kernel-level AC in Counter-Strike Global Offensive was caught installing bitcoin mining bots onto their users’ computers.

Another consideration is that a kernel-level AC could be used contextually. Regular competitive matchmaking could use a less intrusive AC at Ring 3, whereas professional players would be forced to compete in tournaments using a more intrusive kernel-level AC (Ring 0).

Do the Current Solutions Work? How Long Will They Last?

The current solution of developers utilizing kernel-level AC to combat the cheating problem appears to have made it more difficult for players to cheat but has not eliminated the cheating problem. Attackers have discovered a variety of ways to circumvent kernel-level AC including virtualization, kernel-level cheats, and AI-assisted cheats.

Ultimately, it is up to the end-user if they trust both the company’s intentions with kernel-level access as well as the company’s security competency to prevent individuals from exploiting their kernel-level AC drivers for malicious purposes. Furthermore, end-users must weigh the risk vs. reward of kernel-level AC. Do the benefits of convenience and integrity outweigh the risks that it imposes? Knowing that cheaters can still work around kernel-level AC doesn’t give much hope for the rewards of kernel-level AC, as many of them are bypassed soon after they are released.

Other Solutions

While this article may appear to offer no hope for end-users to “have their cake and eat it, too” by forcing them to choose between privacy and competitive integrity, that is not the final answer. More consumer-friendly anti-cheating solutions are on the way, with AI-enhanced Anti-Cheat being the most intriguing to me. AI-enhanced AC would function as a virus scanner in the same way that Valve’s VAC system does, but it would be an AI gameplay scanner that flags suspicious gameplay for inspection. The AI would examine the user’s gameplay for irregularities caused by cheating as well as differences in server-side vs. client-side data.

AI-enhanced AC could operate at Ring 3 while maintaining both competitive integrity and user privacy at the kernel level. Furthermore, this could be implemented on an opt-in basis, allowing users to choose between AC that is more efficient but more intrusive and AC that is less efficient but less intrusive.

An AI anti-cheat project I’ve been following called “Waldo Vision” is an open-source project that’s aiming to create a deep-learning AI that can detect human behavioral characteristics of a user within a video game. To summarize how it works, Waldo Vision is a visual machine learning algorithm that will be used to teach an AI about how humans play video games. Once the algorithm knows how people play video games based on gameplay footage, it can be fed gameplay footage to see if the person in the clip is being aided by a third-party “hack” or “cheat” tool.

For information about anti-cheats in the gaming industry, check out my resources/references for this article:

Robin ChanAbout the Author: Robin Chan is a 3rd-year student at Fanshawe College working towards an Ontario College Advanced Diploma in Cyber Security. When he’s not working or in school, he’s learning about various technologies and evolving IT threats, tinkering with tech, playing video games, and watching Studio Ghibli films.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.