Kernel-level anti-cheat

Kernel-level anti-cheat systems are software mechanisms that operate within an operating system's kernel space (Ring 0) in order to detect and prevent unauthorized modification of video game processes. Unlike user-mode anti-cheat systems, which operate at the same privilege level as standard applications (Ring 3), kernel-level implementations use privileged drivers to monitor system activity at a lower level.^[2][3]

Kernel-level anti-cheat systems have historically had limited support on Linux. Differences in driver signing requirements, kernel module policies, and the decentralized nature of Linux distributions can complicate the deployment of proprietary kernel drivers compared to Windows, where driver signing and distribution are centrally managed by Microsoft.^[4]

Because kernel-level systems have such a high level of trust, any software that wants to enter kernel space must be digitally signed according to Microsoft's driver signing requirements.^[5]

Code signed drivers are susceptible to vulnerabilities like any other software. In one reported case, the anti-cheat driver mhyprot2.sys used by Genshin Impact was abused by ransomware actors to disable antivirus software.^[6]

Conventional anti-cheats run in user mode with limited access. These anti-cheats may be unable to reliably detect and intercept kernel-mode cheats. By running in Ring 0, kernel-level systems can observe low-level system calls, drivers, and memory interactions that would otherwise be inaccessible to user-mode applications.^[7]

Game developers have stated that kernel-level anti-cheat mechanisms are intended to preserve competitive integrity, particularly in online multiplayer environments where cheating can undermine matchmaking systems, ranked play, and esports competition.^[8]

• Rootkit
• Kernel (operating system)
• Cheating in online games
• Digital rights management