Finding vulnerable drivers with hooking and reading result verification
摘要
Exploiting trusted legitimate programs for attacks is a covert technique in the field of cyber confrontation. The behavior of legitimate programs when exploited by attackers is almost indistinguishable from their normal operation, making this type of attack difficult to detect by antivirus software. The attack technique that exploits legitimate Windows kernel drivers has a stronger impact because it runs in higher privilege. Although some existing symbolic execution-based frameworks can identify such vulnerabilities, issues like path explosion and incomplete analysis of sensitive instructions still lead to analysis failures or false positives. In this paper, we present BYOVD Detector, a symbolic execution-based framework for detecting vulnerable Windows kernel drivers. BYOVD Detector uses hooks to skip functions unrelated to dispatch routine setup during driver initialization and further determines whether the results of read instructions can be returned to user programs during analysis. We evaluate BYOVD Detector on public datasets of vulnerable drivers and compare it with other symbolic execution-based frameworks. The results show that BYOVD Detector mitigates the path explosion problem, improves the success rate of finding dispatch routine by 7.2%, and reduces false positive rates by 42.9% and 40.0% when analyzing vulnerabilities in reading MSR and I/O port instructions, respectively.