Bootkits threaten the very foundation of system security. By exploiting vulnerabilities in firmware and bootloaders, these attacks gain persistent, stealthy control at the earliest stages of boot. Despite widespread adoption of UEFI Secure Boot and TPM-based measurements, limited visibility and complexity during early boot allow bootkits to evade detection. Ongoing discovery of critical firmware flaws enables privilege escalation and circumvention of core protections. Existing static verification methods cannot detect runtime modifications during early boot, highlighting the need for runtime-aware integrity monitoring. In this paper, we present BootMarker, a runtime integrity monitoring framework built on a dual-layered architecture that combines Driver Execution Environment (DXE) and System Management Mode (SMM) instrumentation. BootMarker dynamically enforces control-flow integrity in the bootloader and performs cryptographic validation of firmware components in real time. It detects and mitigates bootkit attacks as they occur during early execution. Our evaluation shows that BootMarker reliably identifies diverse bootkit behaviors while imposing minimal performance overhead, making it practical for real-world deployment and significantly enhancing boot-time security.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

BootMarker: UEFI Bootkit Defense via Control-Flow Verification

  • Jihoon Kwon,
  • Junho Lee,
  • MyeongYeol Lee,
  • HyunA Seo,
  • Jinho Jung

摘要

Bootkits threaten the very foundation of system security. By exploiting vulnerabilities in firmware and bootloaders, these attacks gain persistent, stealthy control at the earliest stages of boot. Despite widespread adoption of UEFI Secure Boot and TPM-based measurements, limited visibility and complexity during early boot allow bootkits to evade detection. Ongoing discovery of critical firmware flaws enables privilege escalation and circumvention of core protections. Existing static verification methods cannot detect runtime modifications during early boot, highlighting the need for runtime-aware integrity monitoring. In this paper, we present BootMarker, a runtime integrity monitoring framework built on a dual-layered architecture that combines Driver Execution Environment (DXE) and System Management Mode (SMM) instrumentation. BootMarker dynamically enforces control-flow integrity in the bootloader and performs cryptographic validation of firmware components in real time. It detects and mitigates bootkit attacks as they occur during early execution. Our evaluation shows that BootMarker reliably identifies diverse bootkit behaviors while imposing minimal performance overhead, making it practical for real-world deployment and significantly enhancing boot-time security.