A master's thesis from Aalborg University


OdinSight - An eBPF-Based Client-Side Architecture for Kernel-Level Anti-Cheat on Linux

Authors

;

Term

4th term

Publication year

2026

Submitted on

Abstract

This thesis presents OdinSight, a client-side anti-cheat architecture for Linux that uses eBPF and Linux Security Module (LSM) hooks to monitor and restrict selected cheating techniques at the kernel level. The project builds on the earlier TyrSecure prototype, which demonstrated that eBPF can detect certain cheating behaviours during game execution but also exposed limitations in a protection model that only starts once the game is already running. OdinSight addresses these limitations by establishing trust and starting enforcement before the game is launched and maintaining protection throughout the lifetime of the game process. The system is structured around a launcher and a privileged daemon: the launcher offers an unprivileged interface for starting games under protection, while the daemon validates kernel integrity, manages eBPF programs, and controls game start-up. The implementation includes two main eBPF-based LSM programs: a daemon hardening module that prevents interference with the anti-cheat service itself, and a game protection module that blocks specific actions associated with cheating or process tampering in the game processes. OdinSight is evaluated through compatibility, coverage, and performance tests. The compatibility evaluation shows that several Linux games can run under OdinSight, while some titles fail or require exceptions due to runtime behaviour that conflicts with strict protection rules, highlighting the trade-off between security and practical game behaviour. The coverage evaluation confirms that the intended policies are enforced across the main trust boundaries considered in this work: the kernel environment, the anti-cheat daemon, and the game process, without claiming complete protection against all cheats or bypass strategies. 
The performance evaluation, based on a synthetic benchmark and a real game workload, reveals no clearly observable performance degradation in the tested scenarios and suggests that eBPF- and LSM-based enforcement can add useful security with limited performance impact. Overall, the thesis concludes that eBPF combined with LSM hooks is a promising foundation for kernel-level anti-cheat on Linux, and that OdinSight demonstrates a practical client-side architecture which still requires further work on stronger integrity verification, remote trust validation, and game-specific policy handling before it can be considered a complete solution.

This thesis presents OdinSight, a client-side anti-cheat architecture for Linux that uses eBPF and Linux Security Module (LSM) hooks to monitor and restrict selected cheating techniques at the kernel level. The project grows out of the earlier TyrSecure project, which showed that eBPF can be used to detect cheating behaviour during game execution itself, but also revealed limitations in starting protection only once the game is already running. OdinSight addresses these limitations by establishing trust and starting enforcement before the game is launched and by maintaining protection throughout the entire life cycle of the game process. The system is built around a launcher and a privileged daemon: the launcher offers an unprivileged interface for starting games under protection, while the daemon validates kernel integrity, manages eBPF programs, and controls game start-up. The implementation comprises two central eBPF-based LSM programs: a daemon protection module that ensures the anti-cheat service cannot be manipulated, and a game protection module that blocks certain actions associated with cheating and process manipulation in the game's processes. OdinSight is evaluated through compatibility, coverage, and performance tests. The compatibility test shows that several Linux games can run under OdinSight, while some titles require exceptions or fail because of conflicts with strict security policies, which illustrates the balance between security and practical game behaviour. The coverage test confirms that the intended policies are enforced across the central trust boundaries: the kernel environment, the anti-cheat daemon, and the game process, without this being taken as complete protection against all types of cheating. The performance evaluation, based on synthetic benchmarks and a real game workload, shows no clear, visible performance degradation in the scenarios examined and indicates that eBPF- and LSM-based enforcement can deliver additional security at a limited performance cost.
Overall, the project concludes that eBPF combined with LSM hooks constitutes a promising foundation for kernel-level anti-cheat on Linux, and that OdinSight demonstrates a realistic client-side architecture, which nevertheless requires further work on, among other things, stronger integrity checking, remote validation of trust, and game-specific policies before the solution can be regarded as complete.

[This abstract has been generated with the help of AI directly from the project full text]