An illustration from Riot’s blog post highlights just how many privileges its “Ring 0” anti-cheat driver has.
“This isn’t giving us any surveillance capability we did not already have,” Riot noted in its blog post (using language that isn’t exactly comforting on its own). “If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to the Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure).”
“The Vanguard driver does not collect or send any information about your computer back to us,” Riot Anti-cheat lead Paul Chamberlain added in a Reddit post this week. “Any cheat detection scans will be run by the non-driver component only when the game is running.”
“A large attack surface for little benefit”
That’s all fine — if you’re going to install any Riot application on your device, at some level, you have to trust it isn’t stealing grandma’s casserole recipe (or that it would be found out if it did). The real risk of installing a kernel-level driver, though, is the level of security exposure it creates on the rest of the system.
At the kernel level, any flaws in Riot’s driver code could create system-wide, “blue screen of death”-style crashes, as opposed to more localized, application-specific glitches. And a serious oversight in the driver, like a buffer overflow exploit, could let an attacker install their own malicious code at an extremely low level, where it could be extremely dangerous.
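As an added illustration that is not Riot’s code and not from this article, here is the kind of input-length validation whose absence produces the driver buffer overflow described above, written in portable C against a constructed, hypothetical IOCTL-style request layout (the struct names, limits and helper are all assumptions made for the example):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NAME    32
#define MAX_PAYLOAD 64

/* Constructed, hypothetical IOCTL-style request as a driver might receive it
 * from user mode: two caller-supplied lengths, then name bytes, then payload. */
typedef struct {
    uint32_t name_len;
    uint32_t payload_len;
    uint8_t  data[];
} request_t;
typedef struct {
    char     name[MAX_NAME];
    uint8_t  payload[MAX_PAYLOAD];
    uint32_t payload_len;
} parsed_request_t;

/* Hardened copy: every caller-supplied length is checked against the bytes
 * actually supplied (in_len) and the fixed destinations before anything is
 * copied. Dropping the middle check is exactly the "serious oversight" that
 * lets a request overrun 'out' in kernel memory. Returns 0 = ok, -1 = reject. */
int parse_request_checked(const void *in, size_t in_len, parsed_request_t *out)
{
    const request_t *req = in;
    if (in_len < sizeof(*req))                         /* header incomplete */
        return -1;
    if (req->name_len >= MAX_NAME || req->payload_len > MAX_PAYLOAD)
        return -1;                                     /* would not fit */
    uint64_t need = (uint64_t)sizeof(*req) + req->name_len + req->payload_len;
    if (need > in_len)                                 /* claims more than supplied */
        return -1;
    memset(out, 0, sizeof(*out));                      /* keeps name NUL-terminated */
    memcpy(out->name, req->data, req->name_len);
    memcpy(out->payload, req->data + req->name_len, req->payload_len);
    out->payload_len = req->payload_len;
    return 0;
}

/* Builds a constructed request with the claimed lengths, hands the first
 * 'supplied' bytes (at most 256) to the checked parser, returns its verdict. */
int try_request(uint32_t name_len, uint32_t payload_len, size_t supplied)
{
    uint32_t storage[64] = {0};                        /* aligned, zero-filled */
    request_t *req = (request_t *)storage;
    parsed_request_t parsed;
    req->name_len = name_len;
    req->payload_len = payload_len;
    return parse_request_checked(storage, supplied, &parsed);
}
```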
“Whenever you have a driver like that, you’re at risk of introducing security and reliability issues to the computer,” independent security researcher Saleem Rashid told Ars. “You don’t get as many exploit mitigations in device drivers as you do in normal applications, and a bug will crash the entire OS, not just the game.”
“DRM like this probably stops cheating in the very near term, but I’m not convinced it helps in the long run,” Rashid continued. “All it takes is for someone to analyze the driver from outside of Windows and then apply similar techniques they use to defeat other anti-cheat systems. So it looks like it introduces a large attack surface for little benefit.”
Riot: “We would likely be able to respond within hours”
Writing on Reddit, Chamberlain downplayed these risks. “We’re … following a least-privilege approach to the driver where the driver component does as little as possible, preferring to let the non-driver component do the majority of work (also the non-driver component does not run unless the game is running).”
Chamberlain expanded on that statement in an email to Ars: “The primary responsibility of the kernel driver is to create a protected environment for the rest of Vanguard (and the game) to operate in. If the integrity of the anti-cheat system is ensured, then almost everything else can happen entirely in user-mode.”
If something goes wrong with Vanguard, Chamberlain assures us the Riot security team could detect it and “respond within hours.” Chamberlain also told Ars that Riot’s own Application Security team was aided by the services of three separate external security groups to audit Vanguard before it was rolled out. That includes one group that was focused exclusively on the driver and another that performed “black box” attacks on the system from the outside.
And Chamberlain said that Vanguard also has code integrity checks and crash reporting functionality that could alert them to any signs of compromise. “In addition, we have our bug bounty program and good relationships with the game security community and the broader threat intelligence community, so we would be well placed to receive intelligence about potential compromises,” he said.
If a kernel-mode code execution bug was found in Vanguard’s drivers, Chamberlain says the system has been set up “to be easy to update on whatever cadence is required (separate from game update cadence) so we would likely be able to respond within hours.” During those hours, Vanguard would be disabled on the game, and players would be instructed to uninstall it in the meantime.
“In extreme cases, we would work with our patcher team to automatically remove Vanguard from all players’ computers,” Chamberlain added. “After we had pushed a fix or removed the driver, we would work with Microsoft to get the vulnerable driver blacklisted.”
So for now, at least, you probably don’t have much to worry about by installing Riot’s anti-cheat driver on your system. But if hackers find any exploitable errors in that driver, users will have to trust that Riot will be able to find and fix them promptly enough to keep their systems safe from attack. And that’s a level of trust Riot seems to be taking pretty seriously, all things considered.
Dan Goodin and Jim Salter contributed to this report.