Unveiling BYOVD Threats: Malware's Use and Abuse of Kernel Drivers / A. Monzani, A. Parata, A. Oliveri, S. Aonzo, D. Balzarotti, A. Lanzi. In: Network and Distributed System Security (NDSS) Symposium 2026. [s.l.]: NDSS, 2026. ISBN 979-8-9919276-8-0. pp. 1-19 (Network and Distributed System Security (NDSS) Symposium 2026, held in San Diego, CA, in 2026) [10.14722/ndss.2026.231491].

Unveiling BYOVD Threats: Malware’s Use and Abuse of Kernel Drivers

A. Monzani; A. Parata; A. Lanzi
2026

Abstract

Bring Your Own Vulnerable Driver (BYOVD) attacks abuse legitimate, digitally signed Windows drivers that contain hidden flaws, allowing adversaries to slip into kernel space, disable security controls, and sustain stealthy campaigns ranging from ransomware to state-sponsored espionage. Because most public sandboxes inspect only user-mode activity, this kernel-level abuse typically flies under the radar. In this work, we first introduce the first dynamic taxonomy of BYOVD behavior. Synthesized from manual investigation of real-world incidents and fine-grained kernel-trace analysis, it maps every attack to sequential stages and enumerates the key APIs abused at each step. Then, we propose a virtualization-based sandbox that follows every step of a driver's execution path, from the originating user-mode request down to the lowest-level kernel instructions, without requiring driver re-signing or host modifications. Finally, the sandbox automatically annotates every observed action with its corresponding taxonomy, producing a stage-by-stage report that highlights where and how a sample exhibits suspicious behavior. Tested against the current landscape of BYOVD techniques, we analyzed 8,779 malware samples that load 773 distinct signed drivers. It flagged suspicious behavior in 48 drivers, and subsequent manual verification led to the responsible disclosure of seven previously unknown vulnerable drivers to Microsoft, their vendors, and public threat-intelligence platforms. Our results demonstrate that deep, transparent tracing of kernel control flow can expose BYOVD abuse that eludes traditional analysis pipelines, enriching the community's knowledge of driver exploitation and enabling proactive hardening of Windows defenses.
Sector INFO-01/A - Computer Science
   SEcurity and RIghts in the CyberSpace (SERICS)
   SERICS
   MINISTERO DELL'UNIVERSITA' E DELLA RICERCA
   identifier code PE00000014

   Defmal
   French National Research Agency (ANR)
   ANR-22-PECY-0007

   Cross-level Knowledge Representation and Causal Reasoning for Interpretable Security Incident Understanding and Prediction
   CKRISP
   French National Research Agency (ANR)
   ANR-23-IAS4-0001
2026
Internet Society
Book Part (author)
Files in this item:
File  Size  Format
ndss26_monzani.pdf

open access

Type: Publisher's version/PDF
License: Not specified
Size: 1.06 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/2434/1188225