BootMarker: UEFI Bootkit Defense via Control-Flow Verification
摘要
Bootkits threaten the very foundation of system security. By exploiting vulnerabilities in firmware and bootloaders, these attacks gain persistent, stealthy control at the earliest stages of boot. Despite widespread adoption of UEFI Secure Boot and TPM-based measurements, limited visibility and complexity during early boot allow bootkits to evade detection. Ongoing discovery of critical firmware flaws enables privilege escalation and circumvention of core protections. Existing static verification methods cannot detect runtime modifications during early boot, highlighting the need for runtime-aware integrity monitoring. In this paper, we present BootMarker, a runtime integrity monitoring framework built on a dual-layered architecture that combines Driver Execution Environment (DXE) and System Management Mode (SMM) instrumentation. BootMarker dynamically enforces control-flow integrity in the bootloader and performs cryptographic validation of firmware components in real time. It detects and mitigates bootkit attacks as they occur during early execution. Our evaluation shows that BootMarker reliably identifies diverse bootkit behaviors while imposing minimal performance overhead, making it practical for real-world deployment and significantly enhancing boot-time security.