Today we're going to be talking about Valorant's anticheat "Vanguard", and why there is so much drama and hysteria around it. This post will include many technical details, my personal viewpoints, and extensive research into topics surrounding this specific article / blog post, so let's get started.
Kernelspace and Userspace
In technology there is two general "spaces", these spaces are to put simply how close something running on your hardware is to the hardware itself, things like the Linux, MacOS, and NT (Windows) kernels run at ring level 0, this is normal as the operating system(s) need to be able to take advantage of and use the hardware in your machine, otherwise well, you wouldn't be able to do anything.
The higher up in the rings you are, the less privilege you have as a application/driver. There are typically 4 different rings, ranging from ring 0 to ring 3. A chart of these rings can be seen below.
Userspace is represented as ring 3, while kernelspace is usually represented as ring 0-2. In a typical fashion you only really want necessary device drivers, and the kernel itself running in kernelspace, and everything else running in userspace. This is taken to an extreme with upcoming changes to MacOS where kexts (kernel extensions) are being deprecated, and nothing will run in kernelspace except for the kernel itself.
Drivers vs Rootkits
Many people in the tech industry have heard both the terms "driver" and "rootkit". But not everyone knows exactly what they mean, so let's review before going any further.
In computing, a device driver is a computer program that operates or controls a particular type of device that is attached to a computer. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used.
As per Wikipedia, drivers typically are software that allows operating systems to communicate with and access hardware. Examples of drivers are things like the software you install to get your graphics card(s) and wifi adapters working. Drivers typically only run in rings 1-2, nothing below or under these rings, and the ring they typically use is determined (hopefully) usually by a least privilege needed system.
rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a compound of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Rootkits on the other hand are a collection of software designed to allow/enable access to a computer or area that is not usually allowed to be accessed. They are typically malicious or associated with malware.
Reviewing The Anticheat
Now that we got some technical details out of the way, let's review some important facts about the virus, let's start off by reading Riot's article about the anticheat changes.
In the last few years, cheat developers have started to leverage vulnerabilities or corrupt Windows’ signing verification to run their applications (or portions of them) at the kernel level. The problem here arises from the fact that code executing in kernel-mode can hook the very system calls we would rely on to retrieve our data, modifying the results to appear legitimate in a way we might have difficulty detecting. We’ve even seen specialized hardware utilizing DMA1 to read and process system memory—a vector that, done perfectly, could be undetectable2 from user-mode.
In this section Riot discusses that certain cheats have for a while used kernel level modules/systems to hook into system calls to make what the cheat is doing seem "legit" to the anticheat software the game is using, almost making it undetectable, and even some hardware that used Direct Memory Access (DMA) to modify/view memory to make the memory the cheat is using seem perfectly normal. This is a true statement, this has been done for years, and recently has seem to been picked up more by cheat developers to bypass multiple anticheat software(s).
Now, while most players might find the idea of a corrupted Windows installation objectionable, a disturbing number of cheaters have shown themselves to be downright enthusiastic about the opportunity to jump onto some guy’s botnet in exchange for the ability to orbwalk. So, an abundance of cheats currently run at a higher privilege level than our anti-cheat does. To put that in the terms of our immaculate kitchen analogy: When we ask the head chef if our goulash ingredients are actually farm-to-table, some random dude in a toque convinces restaurant management that he’s “got this,” and then replies to our request with a “sure my guy, dig in.”
They mention that while most (unfortunately not all) players prefer to keep their systems safe and uncorrupted, some people (probably have) jumped onto someone's botnet or malware, sacrificing their system for the sake of the cheat and becoming a "GOAT" in they're game their playing. They also mention that an abundance of game cheats already, at the current point in time run at a higher privilege level than the current anticheat. This is a reasonable statement, as it's been done, and will keep being done, for a while.
Well historically, your favorite anti-cheat team has been forced to play this game from the user-level, effectively giving cheaters a much-needed, twelve-stroke handicap. We haven’t needed both arms yet, primarily because we have the advantage of steady paychecks and the lack of strict bedtimes at our immediate disposal. But as much as we might like the idea of an ever-escalating appsec war with teenagers, we’re now entering a multi-game universe where linear time and sleep deficits will make this particular strategy untenable.
In this specific part they're basically saying that while they haven't needed "both arms" (userspace and kernelspace), due to them entering now a multigame era where time and sleep is probably extremely important as they will be managing multiple games (from what I can understand), they find the current anticheat strategy used unfeasible.
Now on to the juice. While I do trust Riot as a company, this is to say the least a very dangerous and quite terrifying change, as this anticheat driver runs at ring 0, it is considered a rootkit, however it is not malware, unlike popular belief, but despite not being malware, this does not mean they are not getting a very very high privilege level in your system, at a almost hardware level. Due to this being in ring 0, if something happens such as they update their kernel code, and it's broken for whatever reason, it might render all systems using the anticheat unbootable, or if the system is already turned on, possibly a instant BSOD (blue screen of death).
As for the security and vulnerability of this system, they did as far as I'm aware of have it looked over by an abundance of security firms before implementing the kernelspace driver.
While the use of a kernelspace driver/rootkit is a very dangerous move in the development of an anticheat, and nothing is perfect and could break at any point in time, I do have to applaud them for pushing the boundaries of anticheat software. Do I fully agree with this move? No. Will I still play their games? Yes. I've been playing valorant for a few days and Haven't had any issues with the anticheat software, but as for you to play it or not, is for you to decide.