CN110795735A - Rootkit universality detection method oriented to heterogeneous BIOS environment - Google Patents

Info

Publication number: CN110795735A
Application number: CN201911037212.6A
Authority: CN (China)
Prior art keywords: bios, module, detection, rootkit, modules
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventors: 何利文, 侯小宇
Current assignee: Nanjing University of Posts and Telecommunications
Original assignee: Nanjing University of Posts and Telecommunications
Priority date: 2019-10-29
Filing date: 2019-10-29
Publication date: 2020-02-14

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

A Rootkit universality detection method oriented to heterogeneous BIOS environments uses reverse analysis technology to analyse the specific structural characteristics of the various BIOS environments. Rootkit samples from the heterogeneous BIOS environments actually in use are combined, and the common infection points and modules shared by different samples in the same BIOS environment are analysed and sorted. Trusted computing technology is then applied to establish 3 trusted chains and to determine which modules need to be detected. A detection module is embedded in the system start-up process, so that detection covers the 3 stages of BIOS file and Windows system file initialization, the kernel loading process, and kernel initialization: the data of an uninfected system is compared with the check data obtained by the detection module, and modules showing infection traces are repaired. The method can effectively detect that a computer system has been infected with a Rootkit, offers universality and high accuracy across heterogeneous BIOS environments, and belongs to the field of malicious code detection.

Description

Rootkit universality detection method oriented to heterogeneous BIOS environment
Technical Field
The invention provides a Rootkit universality detection method for heterogeneous BIOS environments. It mainly addresses the problems of how to judge whether a system whose BIOS type is unknown has been infected by a malicious virus and how to recover a damaged BIOS environment; it relates to reverse analysis technology and trusted computing technology, and belongs to the field of malicious code detection.
Background
A Rootkit is a special kind of malicious software: a tool set that an attacker uses, after invading a computer system, to retain the highest (superuser) access rights, create a backdoor, and hide access to system resources, attack traces and the like. The term Rootkit was first used in February 1994. Unlike a common virus, a Rootkit generally does not affect the running speed of the host. An attacker typically finds a vulnerability on a target host and, after gaining access to the vulnerable system, can install the Rootkit manually. Rootkits have a concealment function and are difficult for users and other software to perceive, so they are typically used to steal information from the target host. Once implanted in the target host, a Rootkit hides itself and operates covertly, waiting for important data to appear.
The defining characteristic of a Rootkit is strong imperceptibility: once it is installed in a system, an administrator can hardly discover the attacker's presence. Even if a Rootkit is found in a system, the remedial action that can be taken is limited, because it is difficult to know how long it has been in the system and what harm it has done. Preventing Rootkits from invading the host, and detecting them in time, are therefore the best ways to avoid loss. Rootkits have also been a hot research topic, and many scholars and hackers have contributed greatly in this area.
Currently, most research on Rootkits is performed for only one BIOS or one application environment. Over the development of computers, the mainstream BIOS types have been Legacy BIOS and UEFI. As users' system performance requirements have risen, UEFI, which adds technologies such as faster boot-up and application pre-caching, has been widely adopted. However, many Legacy BIOS machines still exist on the local area networks of government agencies, colleges and businesses. Therefore, the detection of malicious code such as Rootkits needs to meet the requirements of application in heterogeneous BIOS environments.
Legacy BIOS and UEFI are two completely different boot modes. Legacy BIOS supports disks partitioned with the MBR structure, and a system installed in Legacy BIOS mode can only be entered in Legacy BIOS mode; UEFI is a newer BIOS, and a system installed in this mode can only boot in UEFI mode, supports only 64-bit systems, and requires the disk to be partitioned with the GPT structure. Compared with the MBR partitioning scheme, GPT provides a more flexible disk partitioning mechanism and allows volume capacities greater than 2 TB. Legacy BIOS is divided by structure into Award BIOS and Phoenix BIOS; the operation flows of the two are similar, but their specific structures differ. Award BIOS has an ISA interface, and a user-defined ISA module can be embedded in it; Phoenix BIOS has a decompression module, which can run many times and decompress the other modules in the BIOS. Therefore, a Rootkit detection method with wider universality and higher accuracy still needs further research.
Reverse analysis works in the opposite direction to the process that turns source code into an executable program: it restores the compiled and linked program back to the "code level". Using decompilation tool software, the binary program under analysis can be decompiled into assembly code or even pseudo code. By applying reverse methods and analysing the virus's operating mechanism, the infection characteristics of a Rootkit can be extracted.
Trusted computing is a technique that can be widely applied in the field of computer security. Its central idea is to establish a root of trust in the computer system that provides information protection and storage functions; to add integrity measurement at each execution stage of computer operation, establishing a trusted chain measurement mechanism; and to extend the trust relationship to the whole terminal. Based on the security of the root of trust, trusted computing plays a protective role in every operating process of the whole computer system.
Disclosure of Invention
The invention provides a Rootkit universality detection method oriented to heterogeneous BIOS environments. Using reverse analysis technology and tool software such as IDA and OllyDbg, a number of Rootkit samples suited to the various BIOS environments are analysed, the infection path of each virus sample in its BIOS environment is detected, and the sample's complete set of infection points and its infection flow are restored. The analysis data of all samples are then integrated, a trusted chain is established using trusted computing technology, the detection positions on the trusted chain are determined, and Rootkit universality detection for heterogeneous BIOS environments is achieved.
A Rootkit universality detection method oriented to heterogeneous BIOS environments comprises the following steps:
step 1, collecting Rootkit samples based on various BIOS environments, mainly Award BIOS, Phoenix BIOS, UEFI and the like; analysing the samples with dynamic and static debugging methods, sorting the infection points of each sample, and determining the detection method, the specific modules to be detected and the code;
step 2, analysing the structure types of the various BIOS with dynamic and static debugging methods, mainly Award BIOS, Phoenix BIOS, UEFI and the like; dividing the modules of the computer system start-up process by stage, according to the 3 stages of BIOS file and Windows system file initialization, the kernel loading process, and kernel initialization;
step 3, establishing 3 trusted chains according to the 3 stages of BIOS file and Windows system file initialization, the kernel loading process, and kernel initialization, the modules of each stage divided in step 2 being the objects measured by the corresponding trusted chain;
step 4, embedding the check value and feature code of each module, together with the trusted chain detection modules, into the BIOS;
step 5, running the detection method once on a computer in the heterogeneous BIOS environment that is not infected by a Rootkit, and recording the module backups, check values and the like of the uninfected system in a BIOS data area;
step 6, using the detection method to check a computer system for Rootkit infection; during operation, the detection module automatically skips the detection program for any module that does not exist; if no abnormality is detected, the computer system starts normally; if a system module is detected to have been tampered with, the system start-up process is suspended, the detection mechanism takes the backup module out of memory to cover the tampered module and then transfers control, and system start-up resumes;
step 7, starting the system smoothly, and judging whether the system was infected with a Rootkit from the error reports produced during the start-up process.
Further, step 3 specifically comprises the following sub-steps:
step 3-1, trusted chain 1 corresponds to the initialization stage; the corresponding modules or service lists of the different BIOS environments can be extracted with tools such as an Award BIOS editor for detection, and integrity detection is carried out on those modules or service lists;
step 3-2, trusted chain 2 corresponds to the kernel loading stage, whose modules fall mainly into two types: the IDT and other modules; detecting the IDT requires debugging the interrupt vector table, and comparison reveals whether the entry address of an interrupt service routine has been changed; the other modules all carry feature codes, by which they can be located and then subjected to a SHA-1 integrity check;
step 3-3, trusted chain 3 corresponds to the kernel initialization stage, where module detection is by feature code positioning and SHA-1 integrity checking.
Further, step 4 specifically comprises the following sub-steps:
step 4-1, requesting several pages of memory in the BIOS data area to store the backups and check values of each detection module and of each module of the computer system;
step 4-2, inserting the detection module of trusted chain 1, as a module, into the initialization process of the BIOS file and the Windows system file;
step 4-3, inserting the detection module of trusted chain 2 into Startup.com through Int 15h, to detect the kernel loading process;
step 4-4, similarly, inserting the detection module of trusted chain 3 into Ntdetect.com through Int 15h, to detect the kernel initialization process.
Further, step 6 comprises the following sub-steps:
step 6-1, during initialization of the BIOS file and the Windows system file, the detection module mainly checks the ISA module of Award BIOS and the decompression module of Phoenix BIOS, comparing them with the data in the data area; if a module is found to have been tampered with, it is covered by the backup module from the data area, and control is then returned to the system;
step 6-2, when Startup.com runs, control of the system is handed to the detection module of trusted chain 2, which mainly checks modules such as the IDT, Osleader.com and Winload.efi; if a module is found to have been tampered with, it is covered by the backup module from the data area, and control is then handed back to the system;
step 6-3, when Ntdetect.com runs, control of the system is handed to the detection module of trusted chain 3, which mainly checks modules such as Ntoskrnl.exe; if a module has been tampered with, it is covered by the backup module from the data area, and control is then handed back to the system.
Compared with the prior art, the invention has the following characteristics and innovations:
(1) as a detection method for heterogeneous BIOS environments, it removes the limitation of traditional detection methods that target only a specific BIOS environment, needs no judgement of the BIOS type before detection, and reduces the cost of Rootkit detection;
(2) the invention uses trusted computing technology to establish 3 trusted chains, divides the whole computer start-up process into three stages, and places the emphasis on detection of the second-stage kernel loading process, where most modules can be located by their feature codes and checked for tampering by integrity measurement. Rootkits exhibit cooperative hiding: the traces of tampering with third-stage kernel initialization can be hidden once the kernel has loaded, so if only the third stage were checked, the Rootkit would be hard to detect through those traces. The method avoids the effect of the Rootkit's cooperative hiding on the detection result.
Drawings
FIG. 1 is a schematic diagram of a trusted chain in an embodiment of the present invention.
FIG. 2 is a block diagram of the overall flow of the Rootkit universality detection method oriented to the heterogeneous BIOS environment in the embodiment of the present invention.
Detailed Description
The technical scheme of the invention is explained in further detail below with reference to the drawings.
A Rootkit universality detection method oriented to heterogeneous BIOS environments is disclosed; its flow is shown in FIG. 2, and it comprises the following steps:
Step 1, collecting Rootkit samples based on various BIOS environments, mainly Award BIOS, Phoenix BIOS, UEFI and the like; analysing the samples with dynamic and static debugging methods, sorting the infection points of each sample, and determining the detection method, the specific modules to be detected and the code.
Step 2, analysing the structure types of the various BIOS with dynamic and static debugging methods, mainly Award BIOS, Phoenix BIOS, UEFI and the like; dividing the modules of the computer system start-up process by stage, according to the 3 stages of BIOS file and Windows system file initialization, the kernel loading process, and kernel initialization.
Step 3, establishing 3 trusted chains according to the 3 stages of BIOS file and Windows system file initialization, the kernel loading process, and kernel initialization, the modules of each stage divided in step 2 being the objects measured by the corresponding trusted chain.
In step 3, the trusted chains are constructed as shown in FIG. 1, specifically through the following sub-steps:
Step 3-1, trusted chain 1 corresponds to the initialization stage; for its detection, the corresponding modules or service lists of the different BIOS environments are extracted with tools such as an Award BIOS editor, and integrity detection is carried out on those modules or service lists.
Step 3-2, trusted chain 2 corresponds to the kernel loading stage, whose modules fall mainly into two types: the IDT and other modules; detecting the IDT requires debugging the interrupt vector table, and comparison reveals whether the entry address of an interrupt service routine has been changed; the other modules all carry feature codes, by which they can be located and then subjected to a SHA-1 integrity check.
Step 3-3, trusted chain 3 corresponds to the kernel initialization stage, where module detection is by feature code positioning and SHA-1 integrity checking.
Step 4, embedding the check value and feature code of each module, together with the trusted chain detection modules, into the BIOS.
Step 4 specifically comprises the following sub-steps:
Step 4-1, requesting several pages of memory in the BIOS data area to store the backups and check values of each detection module and of each module of the computer system.
Step 4-2, inserting the detection module of trusted chain 1, as a module, into the initialization process of the BIOS file and the Windows system file.
Step 4-3, inserting the detection module of trusted chain 2 into Startup.com through Int 15h, to detect the kernel loading process.
Step 4-4, similarly, inserting the detection module of trusted chain 3 into Ntdetect.com through Int 15h, to detect the kernel initialization process.
Step 5, running the detection method once on a computer in the heterogeneous BIOS environment that is not infected by a Rootkit, and recording the module backups, check values and the like of the uninfected system in a BIOS data area.
Step 6, using the detection method to check a computer system for Rootkit infection; during operation, the detection module automatically skips the detection program for any module that does not exist; if no abnormality is detected, the computer system starts normally; if a system module is detected to have been tampered with, the system start-up process is suspended, the detection mechanism takes the backup module out of memory to cover the tampered module and then transfers control, and system start-up resumes.
Step 6 comprises the following sub-steps:
Step 6-1, during initialization of the BIOS file and the Windows system file, the detection module mainly checks the ISA module of Award BIOS and the decompression module of Phoenix BIOS, compares them with the data in the data area, covers any tampered module with the backup module from the data area, and returns control to the system.
Step 6-2, when Startup.com runs, control of the system is handed to the detection module of trusted chain 2, which mainly checks modules such as the IDT, Osleader.com and Winload.efi; if a module is found to have been tampered with, it is covered by the backup module from the data area, and control is then handed back to the system.
Step 6-3, when Ntdetect.com runs, control of the system is handed to the detection module of trusted chain 3, which mainly checks modules such as Ntoskrnl.exe; if a module has been tampered with, it is covered by the backup module from the data area, and control is then handed back to the system.
Step 7, starting the system smoothly, and judging whether the system was infected with a Rootkit from the error reports produced during the start-up process.
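As an added illustration (not code from the patent or its authors), the following Python model walks through steps 5 to 7 above: feature-code positioning of each module inside a stage image, SHA-1 check values and module backups held in a baseline that stands in for the BIOS data area, entry-by-entry comparison of the interrupt vector table for trusted chain 2, skipping of modules absent from the current BIOS, and covering a tampered module with its backup. The module table, feature codes, stage images and IDT values are all constructed for the example; the patent's detector runs as BIOS-resident code inserted via Int 15h, which this host-side model does not reproduce.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    feature_code: bytes  # signature bytes used to locate the module in a stage image
    length: int          # number of bytes measured, starting at the feature code


@dataclass
class Baseline:  # stands in for the BIOS data area written on a clean boot (step 5)
    hashes: dict = field(default_factory=dict)   # module name -> SHA-1 check value
    backups: dict = field(default_factory=dict)  # module name -> clean module bytes
    idt: dict = field(default_factory=dict)      # interrupt vector -> ISR entry address


# Hypothetical module table, one list per trusted chain (boot stage); names and codes are constructed.
CHAINS = {
    1: [Module("ISA_module", b"ISA!", 16), Module("decomp_module", b"LZH1", 16)],
    2: [Module("Osleader", b"OSLD", 24), Module("Winload", b"WNLD", 24)],
    3: [Module("Ntoskrnl", b"NTOS", 32)],
}
# Constructed clean IDT (vector -> ISR entry address), compared entry by entry in chain 2.
CLEAN_IDT = {0x13: 0xF000E3FE, 0x15: 0xF000F859}


def build_image(parts):
    """Constructed stage image: each module is laid out with zero padding around it."""
    img = bytearray()
    for p in parts:
        img += b"\x00" * 8 + p + b"\x00" * 8
    return img


def clean_images():
    """Constructed clean stage images; chain 1 has no ISA module (a Phoenix-style BIOS)."""
    return {1: build_image([b"LZH1decompressor"]),
            2: build_image([b"OSLDclean-osloader-data1", b"WNLDclean-winload-block!"]),
            3: build_image([b"NTOSclean-kernel-image-bytes-aaa"])}


def locate(image, m):
    """Feature-code positioning: (offset, bytes) of the module, or None if it is not found."""
    off = image.find(m.feature_code)
    if off < 0 or off + m.length > len(image):
        return None
    return off, bytes(image[off:off + m.length])


def record_baseline(images, idt):
    """Step 5: run once on an uninfected machine and record backups and check values.
    SHA-1 is the check value the patent specifies; a current build would use SHA-256."""
    base = Baseline(idt=dict(idt))
    for chain, mods in CHAINS.items():
        for m in mods:
            found = locate(images[chain], m)
            if found is None:  # the module does not exist in this BIOS environment
                continue
            base.hashes[m.name] = hashlib.sha1(found[1]).hexdigest()
            base.backups[m.name] = found[1]
    return base


def measure_chain(chain, image, base, idt=None):
    """Step 6 for one trusted chain: compare check values, cover tampered modules with their
    backups, and return a list of events. "missing" marks a baseline module whose feature
    code can no longer be found, a case feature-code positioning alone cannot repair."""
    events = []
    if chain == 2 and idt is not None:  # chain 2 also compares ISR entry addresses
        for vec, addr in base.idt.items():
            if idt.get(vec) != addr:
                events.append(("idt_changed", vec, idt.get(vec), addr))
                idt[vec] = addr
    for m in CHAINS[chain]:
        found = locate(image, m)
        if found is None:
            events.append(("missing" if m.name in base.hashes else "skipped", m.name))
            continue
        off, data = found
        if m.name not in base.hashes:
            events.append(("no_baseline", m.name))  # present now, absent on the clean boot
        elif hashlib.sha1(data).hexdigest() == base.hashes[m.name]:
            events.append(("ok", m.name))
        else:
            image[off:off + m.length] = base.backups[m.name]  # cover with the backup
            events.append(("restored", m.name))
    return events


def boot(images, idt, base):
    """Steps 6 and 7: run the three chains in boot order; True means an infection was found."""
    events = []
    for chain in (1, 2, 3):
        events += measure_chain(chain, images[chain], base, idt if chain == 2 else None)
    infected = any(e[0] in ("restored", "idt_changed", "missing", "no_baseline") for e in events)
    return infected, events


def demo():
    """Constructed infected machine: Osleader's feature code wiped, Winload patched, Int 15h hooked."""
    base = record_baseline(clean_images(), CLEAN_IDT)
    images = clean_images()
    images[2] = build_image([b"XXXXclean-osloader-data1", b"WNLDhooked-winload-block"])
    idt = {**CLEAN_IDT, 0x15: 0x00007C00}
    infected, events = boot(images, idt, base)
    return infected, events, images, idt
```

Running `demo()` yields one event per module in boot order; the wiped Osleader feature code surfaces as `missing` rather than being silently skipped, because the module was present in the clean baseline.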
The above description is only a preferred embodiment of the present invention, and the scope of the present invention is not limited to the above embodiment, but equivalent modifications or changes made by those skilled in the art according to the present disclosure should be included in the scope of the present invention as set forth in the appended claims.

Claims (4)

1. A Rootkit universality detection method oriented to heterogeneous BIOS environments, characterized in that the method comprises the following steps:
step 1, collecting Rootkit samples based on various BIOS environments, mainly Award BIOS, Phoenix BIOS, UEFI and the like; analysing the samples with dynamic and static debugging methods, sorting the infection points of each sample, and determining the detection method, the specific modules to be detected and the code;
step 2, analysing the structure types of the various BIOS with dynamic and static debugging methods, mainly Award BIOS, Phoenix BIOS, UEFI and the like; dividing the modules of the computer system start-up process by stage, according to the 3 stages of BIOS file and Windows system file initialization, the kernel loading process, and kernel initialization;
step 3, establishing 3 trusted chains according to the 3 stages of BIOS file and Windows system file initialization, the kernel loading process, and kernel initialization, the modules of each stage divided in step 2 being the objects measured by the corresponding trusted chain;
step 4, embedding the check value and feature code of each module, together with the trusted chain detection modules, into the BIOS;
step 5, running the detection method once on a computer in the heterogeneous BIOS environment that is not infected by a Rootkit, and recording the module backups, check values and the like of the uninfected system in a BIOS data area;
step 6, using the detection method to check a computer system for Rootkit infection; during operation, the detection module automatically skips the detection program for any module that does not exist; if no abnormality is detected, the computer system starts normally; if a system module is detected to have been tampered with, the system start-up process is suspended, the detection mechanism takes the backup module out of memory to cover the tampered module and then transfers control, and system start-up resumes;
step 7, starting the system smoothly, and judging whether the system was infected with a Rootkit from the error reports produced during the start-up process.
2. The Rootkit universality detection method oriented to heterogeneous BIOS environments according to claim 1, characterized in that step 3 specifically comprises the following sub-steps:
step 3-1, trusted chain 1 corresponds to the initialization stage; the corresponding modules or service lists of the different BIOS environments can be extracted with tools such as an Award BIOS editor for detection, and integrity detection is carried out on those modules or service lists;
step 3-2, trusted chain 2 corresponds to the kernel loading stage, whose modules fall mainly into two types: the IDT and other modules; detecting the IDT requires debugging the interrupt vector table, and comparison reveals whether the entry address of an interrupt service routine has been changed; the other modules all carry feature codes, by which they can be located and then subjected to a SHA-1 integrity check;
step 3-3, trusted chain 3 corresponds to the kernel initialization stage, where module detection is by feature code positioning and SHA-1 integrity checking.
3. The Rootkit universality detection method oriented to heterogeneous BIOS environments according to claim 1, characterized in that step 4 specifically comprises the following sub-steps:
step 4-1, requesting several pages of memory in the BIOS data area to store the backups and check values of each detection module and of each module of the computer system;
step 4-2, inserting the detection module of trusted chain 1, as a module, into the initialization process of the BIOS file and the Windows system file;
step 4-3, inserting the detection module of trusted chain 2 into Startup.com through Int 15h, to detect the kernel loading process;
step 4-4, similarly, inserting the detection module of trusted chain 3 into Ntdetect.com through Int 15h, to detect the kernel initialization process.
4. The Rootkit universality detection method oriented to heterogeneous BIOS environments according to claim 1, characterized in that step 6 comprises the following sub-steps:
step 6-1, during initialization of the BIOS file and the Windows system file, the detection module mainly checks the ISA module of the Award BIOS and the decompression module of the Phoenix BIOS, comparing them with the data in the data area; if a module is found to have been tampered with, it is covered by the backup module from the data area, and control is then returned to the system;
step 6-2, when Startup.com runs, control of the system is handed to the detection module of trusted chain 2, which mainly checks modules such as the IDT, Osleader.com and Winload.efi; if a module is found to have been tampered with, it is covered by the backup module from the data area, and control is then handed back to the system;
step 6-3, when Ntdetect.com runs, control of the system is handed to the detection module of trusted chain 3, which mainly checks modules such as Ntoskrnl.exe; if a module has been tampered with, it is covered by the backup module from the data area, and control is then handed back to the system.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911037212.6A CN110795735A (en) 2019-10-29 2019-10-29 Rootkit universality detection method oriented to heterogeneous BIOS environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911037212.6A CN110795735A (en) 2019-10-29 2019-10-29 Rootkit universality detection method oriented to heterogeneous BIOS environment

Publications (1)

Publication Number Publication Date
CN110795735A true CN110795735A (en) 2020-02-14

Family

ID=69441789

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911037212.6A Withdrawn CN110795735A (en) 2019-10-29 2019-10-29 Rootkit universality detection method oriented to heterogeneous BIOS environment

Country Status (1)

Country Link
CN (1) CN110795735A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN112073187A (en) *   2020-08-28   2020-12-11   江苏卓易信息科技股份有限公司   Method for accelerating system trusted chain construction based on non-blocking mode
CN113094107A (en) *   2021-03-18   2021-07-09   深圳市道通智能汽车有限公司   Data protection method, device, equipment and computer storage medium
CN113094107B (en) *   2021-03-18   2023-12-22   深圳市塞防科技有限公司   Data protection method, device, equipment and computer storage medium

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
WW01   Invention patent application withdrawn after publication

Application publication date: 2020-02-14