If It Looks Like a Rootkit and Deceives Like a Rootkit: A Critical Examination of Kernel-Level Anti-Cheat Systems
Christoph Dorner, Lukas Daniel Klausner
TL;DR
This paper investigates whether kernel-level anti-cheat systems used in online gaming exhibit rootkit-like properties. By defining a rootkit metric set and applying it to four widely used systems—BattlEye, Easy Anti-Cheat (EAC), FACEIT Anti-Cheat, and Vanguard—the authors identify FACEIT and Vanguard as rootkit-like due to intrusive boot-time operation, virtualization, evasion, and remote controllability, while BattlEye and EAC are less invasive but still raise privacy concerns. The study highlights the difficulty of balancing effective cheat detection against user privacy, and argues for more transparent, privacy-preserving designs and cross-platform considerations. The findings have practical implications for developers, researchers, and players, prompting a re-evaluation of kernel-level anti-cheat deployment and governance in games.
Abstract
Addressing a critical aspect of cybersecurity in online gaming, this paper systematically evaluates the extent to which kernel-level anti-cheat systems mirror the properties of rootkits, highlighting the importance of distinguishing between protective and potentially invasive software. After establishing a definition for rootkits (making distinctions between rootkits and simple kernel-level applications) and defining metrics to evaluate such software, we introduce four widespread kernel-level anti-cheat solutions. We lay out the inner workings of these types of software, assess them according to our previously established definitions, and discuss ethical considerations and the possible privacy infringements introduced by such programs. Our analysis shows two of the four anti-cheat solutions exhibiting rootkit-like behaviour, threatening the privacy and the integrity of the system. This paper thus provides crucial insights for researchers and developers in the field of gaming security and software engineering, highlighting the need for informed development practices that carefully consider the intersection of effective anti-cheat mechanisms and user privacy.
