“Nice Boots!” - A Large-Scale Analysis of Bootkits and New Ways to Stop Them

Grill, Bernhard; Bacs, Andrei; Platzer, Christian; Bos, Herbert

doi:10.1007/978-3-319-20550-2_2

Cited by 6 publications

(4 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is before the moment the OS can use its antimalware protection [7], so research is desired also in the field of detecting bootkits. Bernhard Grill and the collective of authors of [7] introduce Bootcamp -a framework capable, as they say in [7] of detecting and analysing bootkits. The architecture of their solution utilizes a group of Bootcamp Workers [7] that run virtual machines.…”

Section: Introductionmentioning

confidence: 99%

“…Bernhard Grill and the collective of authors of [7] introduce Bootcamp -a framework capable, as they say in [7] of detecting and analysing bootkits. The architecture of their solution utilizes a group of Bootcamp Workers [7] that run virtual machines. The sample of bootkits are analysed within these VMs [7].…”

Section: Introductionmentioning

confidence: 99%

“…The architecture of their solution utilizes a group of Bootcamp Workers [7] that run virtual machines. The sample of bootkits are analysed within these VMs [7].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Rasp Abstract Machine Emulator – Extending the Emustudio Platform

ŠIPOŠ¹,

Šimoňák²

2017

AEI

View full text Add to dashboard Cite

This paper presents the RASP (Random Access Stored Program) abstract machine emulator implemented as a plugin for emuStudio -extendable platform for computer architectures emulation. It consists of three submodules -the CPU emulator (the core of the plugin), main memory for storing RASP machine's program and data and compiler of RASP assembly language. The compiler is able to translate RASP program source code into the form executable by the emulator. The main goal is to provide a supporting tool for Data Structures and Algorithms, respectively other subjects taught at the Department of Computers and Informatics. In addition to this, its aim is also to contribute to emuStudio platform so as to support its further development. There are not many universal software products for computer emulation flexibly extendable by plugins for new architectures and that is why emuStudio deserves our interest. Its flexibility makes it an ideal study supporting tool.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Rasp Abstract Machine Emulator – Extending the Emustudio Platform

ŠIPOŠ¹,

Šimoňák²

2017

AEI

View full text Add to dashboard Cite

show abstract

“…This chapter covers RQ3 and RQ4, with a method and environment to study the storagerelated behavior of bootkit malware, techniques to stop bootkit attacks, and possible evolution paths for bootkit technologies. Chapter 3 appeared in the Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA '15) [62].…”

Section: Organization Of the Dissertationmentioning

confidence: 99%

Securing Modern Storage Stacks

Bacs

View full text Add to dashboard Cite

Modern storage stacks implement persistent memory which is a core component of computing systems. This dissertation considers threats that affect the storage stack, discussing solutions to analyze and reduce the resulting attack surface in pre- and post-compromise scenarios. On the attack surface analysis front, we first identified and studied a new class of advanced attacks based on a timing side channel (pre-compromise scenario). The latter originates from the filesystem deduplication feature of modern filesystems like ZFS and Btrfs. We showed how an attacker can abuse the side channel to leak sensitive data at the byte or block granularity, bypassing traditional filesystem access controls. We proposed a mitigation where the read and write operations exhibit the same behavior in the time domain, regardless of the presence of the data on storage. To explore the post-compromise attack surface, we introduced lightweight instrumentation to track low-level storage operations, observing any malicious interactions with the storage stack. This was helpful to study an important class of persistent malware (bootkits) for a large period of time. As a result, we derived its storage-related characteristics and proposed mitigations for it. On the attack surface reduction front, we first studied and proposed a generic intrusion detection system for the virtualized storage stack with low overhead (pre- compromise scenario). Next, we proposed a post-compromise solution for intrusion recovery, which is operating system agnostic and uses heavyweight instrumentation to precisely track malicious data through the system at the byte granularity. In the process, we addressed important challenges such as reducing the semantic gap to have a more precise recovery granularity and hiding the instrumentation overhead by means of a decoupled security model.

show abstract

SoK: ATT&CK Techniques and Trends in Windows Malware

Oosthoek

Doerr

2019

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

“Nice Boots!” - A Large-Scale Analysis of Bootkits and New Ways to Stop Them

Cited by 6 publications

References 15 publications

Rasp Abstract Machine Emulator – Extending the Emustudio Platform

Rasp Abstract Machine Emulator – Extending the Emustudio Platform

Securing Modern Storage Stacks

SoK: ATT&CK Techniques and Trends in Windows Malware

Contact Info

Product

Resources

About