{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:28:43Z","timestamp":1761812923291,"version":"build-2065373602"},"publisher-location":"Cham","reference-count":62,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032081230","type":"print"},{"value":"9783032081247","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T00:00:00Z","timestamp":1761868800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T00:00:00Z","timestamp":1761868800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-08124-7_26","type":"book-chapter","created":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:23:51Z","timestamp":1761812631000},"page":"452-473","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["BootMarker: UEFI Bootkit Defense via\u00a0Control-Flow 
Verification"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-3918-6583","authenticated-orcid":false,"given":"Jihoon","family":"Kwon","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0001-6881-9632","authenticated-orcid":false,"given":"Junho","family":"Lee","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0009-4582-6299","authenticated-orcid":false,"given":"MyeongYeol","family":"Lee","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0005-9899-422X","authenticated-orcid":false,"given":"HyunA","family":"Seo","sequence":"additional","affiliation":[]},{"given":"Jinho","family":"Jung","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,10,31]]},"reference":[{"key":"26_CR1","doi-asserted-by":"publisher","unstructured":"Akbal, E., Yakut, \u00d6.F., Dogan, S., Tuncer, T., Ertam, F.: A digital forensics approach for lost secondary partition analysis using master boot record structured hard disk drives. Sakarya University J. Comput. Inf. Sci. (2021). https:\/\/doi.org\/10.35377\/saucis...1022600","DOI":"10.35377\/saucis...1022600"},{"key":"26_CR2","unstructured":"AppArmor project: apparmor: Linux kernel security module (2024). https:\/\/apparmor.net\/"},{"key":"26_CR3","doi-asserted-by":"crossref","unstructured":"Bashun, V., Sergeev, A., Minchenkov, V., Yakovlev, A.: Too young to be secure: analysis of UEFI threats and vulnerabilities. In: Proceedings of the 13th Conference of Open Innovations Association FRUCT (FRUCT 2013) (2013)","DOI":"10.1109\/FRUCT.2013.6737940"},{"key":"26_CR4","unstructured":"binarly: Logofail exploited to deploy bootkitty, the first uefi bootkit for linux (2024). 
https:\/\/www.binarly.io\/blog\/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux"},{"key":"26_CR5","doi-asserted-by":"crossref","unstructured":"Butterworth, J., Kallenberg, C., Kovah, X., Herzog, A.: Bios chronomancy: fixing the core root of trust for measurement. In: Proceedings of the 2013 ACM SIGSAC conference on Computer and Communications Security, pp. 25\u201336 (2013)","DOI":"10.1145\/2508859.2516714"},{"key":"26_CR6","doi-asserted-by":"publisher","unstructured":"Chevalier, R., et al.: Bootkeeper: validating software integrity properties on boot firmware images. In: Proceedings of the 9th ACM Conference on Data and Application Security and Privacy (CODASPY). pp. 315\u2013325. ACM, Dallas, TX, USA (2019). https:\/\/doi.org\/10.1145\/3292006.3300026","DOI":"10.1145\/3292006.3300026"},{"key":"26_CR7","doi-asserted-by":"crossref","unstructured":"Cooper, D., Polk, W., Regenscheid, A., Souppaya, M., et\u00a0al.: Bios protection guidelines. NIST Special Publication (2011)","DOI":"10.6028\/NIST.SP.800-147"},{"key":"26_CR8","unstructured":"Corporation, I.: Intel\u00ae64 and IA-32 architectures software developer\u2019s manual (2013). https:\/\/www.intel.com\/content\/www\/us\/en\/content-details\/782158\/. Combined Volumes 1-4"},{"key":"26_CR9","unstructured":"Duflot, L., Etiemble, D., Grumelard, O.: Using CPU system management mode to circumvent operating system security functions. CanSecWest\/core06 (2006)"},{"key":"26_CR10","unstructured":"Duflot, L., Levillain, O., Morin, B., Grumelard, O.: Getting into the smram: smm reloaded. In: CanSecWest Conference (2009)"},{"key":"26_CR11","unstructured":"ESET Research: Lojax: first uefi rootkit found in the wild, courtesy of the sednit group. Tech. rep., ESET (2018). https:\/\/www.welivesecurity.com\/2018\/09\/27\/lojax-first-uefi-rootkit-found-in-the-wild\/"},{"key":"26_CR12","unstructured":"Ezirim, K., Khoo, W., Koumantaris, G., Law, R., Perera, I.M.: Trusted platform module\u2013a survey. 
Graduate Center City Univ. New York 11 (2012)"},{"key":"26_CR13","unstructured":"GNU: Gnu grub 2 manual (2023). https:\/\/www.gnu.org\/software\/grub\/manual\/grub\/grub.html"},{"key":"26_CR14","doi-asserted-by":"publisher","unstructured":"Grill, B., Bacs, A., Platzer, C., Bos, H.: \u201cnice boots!\u201d\u2013a large-scale analysis of bootkits and new ways to stop them. In: Proceedings of the 12th DIMVA Conference (DIMVA 2015) (2015). https:\/\/doi.org\/10.1007\/978-3-319-20550-2_2","DOI":"10.1007\/978-3-319-20550-2_2"},{"key":"26_CR15","doi-asserted-by":"publisher","DOI":"10.1002\/spy2.93","author":"S Hosseinzadeh","year":"2020","unstructured":"Hosseinzadeh, S., Sequeiros, B., In\u00e1cio, P.R., Lepp\u00e4nen, V.: Recent trends in applying TPM to cloud computing. Secur. Priv. (2020). https:\/\/doi.org\/10.1002\/spy2.93","journal-title":"Secur. Priv."},{"key":"26_CR16","unstructured":"Kaspersky Lab GReAT Team: cosmicstrand: the discovery of a sophisticated UEFI firmware rootkit. Securelist (Kaspersky Lab) (2022). https:\/\/securelist.com\/cosmicstrand-uefi-firmware-rootkit\/106973\/"},{"key":"26_CR17","unstructured":"Kumar, N., Kumar, V.: Vbootkit 2.0-attacking windows 7 via boot sectors. In: Proceedings of the 7th Hack in the Box Security Conference (HITBSecConf 2009) (2009)"},{"key":"26_CR18","doi-asserted-by":"crossref","unstructured":"Kuzminykh, I., Yevdokymenko, M.: Analysis of security of rootkit detection methods. In: Proceedings of the 1st IEEE International Conference on Advanced Trends in Information Theory (ATIT 2019) (2019)","DOI":"10.1109\/ATIT49449.2019.9030428"},{"key":"26_CR19","unstructured":"ldpreload: Blacklotus uefi bootkit github repository (2023). https:\/\/github.com\/ldpreload\/BlackLotus. GitHub repository"},{"key":"26_CR20","unstructured":"Linux Kernel Documentation: kernel lockdown (2024). 
https:\/\/man7.org\/linux\/man-pages\/man7\/kernel_lockdown.7.html"},{"key":"26_CR21","unstructured":"Loucaides, J., Bulygin, Y.: Platform security assessment with chipsec. In: Proceedings of the 17th CanSecWest Conference (CanSecWest 2014) (2014)"},{"key":"26_CR22","unstructured":"Mannthey, K.: System management interrupt free hardware. In: Presentation slides: Linux Plumbers Conference, Portland, OR, USA (2009)"},{"key":"26_CR23","unstructured":"Mark Lechtik,Vasily Berdnikov,Denis Legezo,Ilya Borisov: Moonbounce: the dark side of uefi firmware (2022). https:\/\/securelist.com\/moonbounce-the-dark-side-of-uefi-firmware\/105468\/"},{"key":"26_CR24","unstructured":"Martin Smol\u00e1r,Anton Cherepanov: UEFI threats moving to the ESP: Introducing especter bootkit (2021). https:\/\/www.welivesecurity.com\/2021\/10\/05\/uefi-threats-moving-esp-introducing-especter-bootkit\/"},{"key":"26_CR25","unstructured":"Microsoft: kernel patch protection (2017). https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/hardware\/design\/dn613955(v=vs.85)?redirectedfrom=MSDN"},{"key":"26_CR26","unstructured":"Microsoft: windows secure boot key creation and management guidance (2022). https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/manufacture\/desktop\/windows-secure-boot-key-creation-and-management-guidance?view=windows-11"},{"key":"26_CR27","unstructured":"Microsoft: Virtualization-based security (vbs) (2023). https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/design\/device-experiences\/oem-vbs"},{"key":"26_CR28","unstructured":"Microsoft: Bitlocker overview (2024). https:\/\/learn.microsoft.com\/en-us\/windows\/security\/operating-system-security\/data-protection\/bitlocker\/"},{"key":"26_CR29","unstructured":"Microsoft: driver signing policy (2024). 
https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/install\/kernel-mode-code-signing-policy--windows-vista-and-later-"},{"key":"26_CR30","unstructured":"Microsoft: hypervisor-protected code integrity (hvci) (2024). https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/bringup\/device-guard-and-credential-guard"},{"key":"26_CR31","unstructured":"Microsoft: overview of early launch antimalware (2024). https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/install\/early-launch-antimalware"},{"key":"26_CR32","doi-asserted-by":"publisher","unstructured":"Nar, M., Kakisim, A.G., Yavuz, M.N., So\u011fukpinar, \u0130.: Analysis and comparison of disassemblers for opcode based malware analysis. In: 2019 4th International Conference on Computer Science and Engineering (UBMK) (2019). https:\/\/doi.org\/10.1109\/UBMK.2019.8907153","DOI":"10.1109\/UBMK.2019.8907153"},{"key":"26_CR33","unstructured":"NIST: Cve-2022-21894: Secure boot security feature bypass vulnerability (2022). https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-21894"},{"key":"26_CR34","unstructured":"Osborn, J.D., Challener, D.C.: Trusted platform module evolution. Johns Hopkins APL Technical Digest (Applied Physics Laboratory) (2013)"},{"key":"26_CR35","unstructured":"Redini, N., et al.: Bootstomp: on the security of bootloaders in mobile devices. In: 26th USENIX Security Symposium (USENIX Security) (2017)"},{"key":"26_CR36","unstructured":"Research, E.: Eset research discovers uefi secure boot bypass vulnerability (2025). https:\/\/www.eset.com\/us\/about\/newsroom\/press-releases\/eset-research-discovers-uefi-secure-boot-bypass-vulnerability\/?srsltid=AfmBOoqPDNlhAy9r53NIxbveKLUslmypMvcn_lkJoXdNi0A4nee6jqGF"},{"key":"26_CR37","unstructured":"Rossow, T.: Tpm 2.0, uefi and their impact on security and users\u2019 freedom (2013)"},{"key":"26_CR38","unstructured":"Samsung Knox: real-time kernel protection (2025). 
https:\/\/docs.samsungknox.com\/admin\/fundamentals\/whitepaper\/samsung-knox-mobile-security\/system-security\/real-time-kernel-protection\/"},{"key":"26_CR39","doi-asserted-by":"publisher","unstructured":"Segal, K.S., Gorelik, H.C., Brodt, O., Elbahar, Y., Elovici, Y., Shabtai, A.: Uefi memory forensics: a framework for uefi threat analysis. arXiv preprint arXiv:2501.16962 (2025). https:\/\/doi.org\/10.48550\/arXiv.2501.16962","DOI":"10.48550\/arXiv.2501.16962"},{"key":"26_CR40","unstructured":"SELinux Project: Selinux: security-enhanced linux (2017). https:\/\/selinuxproject.org\/page\/Main_Page"},{"key":"26_CR41","unstructured":"Shafiuzzaman, M., Desai, A., Sarker, L., Bultan, T.: Uefi vulnerability signature generation using static and symbolic analysis. arXiv preprint arXiv:2407.07166 (2024). https:\/\/doi.org\/10.48550\/arXiv.2407.07166"},{"key":"26_CR42","unstructured":"Smol\u00e1r, M.: Blacklotus uefi windows bootkit (2023). https:\/\/www.welivesecurity.com\/2023\/03\/01\/blacklotus-uefi-bootkit-myth-confirmed\/"},{"key":"26_CR43","unstructured":"Soeder, D., Permeh, R.: eeye bootroot. BlackHat USA (2005)"},{"key":"26_CR44","unstructured":"Surve, P.P., Brodt, O., Yampolskiy, M., Elovici, Y., Shabtai, A.: Sok: security below the os\u2013a security analysis of uefi. arXiv preprint arXiv:2311.03809 (2023). https:\/\/doi.org\/10.48550\/arXiv.2311.03809"},{"key":"26_CR45","doi-asserted-by":"crossref","unstructured":"Szaknis, M., Szczypiorski, K.: The design of the simple SMM rootkit. In: Proceedings of the 9th International Conference on Wireless Communication and Sensor Networks (ICWCSN 2022) (2022)","DOI":"10.1145\/3514105.3514114"},{"key":"26_CR46","unstructured":"Team, R.H.B.: Shim: A first-stage uefi bootloader (2024). https:\/\/github.com\/rhboot\/shim\/blob\/main\/README.md"},{"key":"26_CR47","unstructured":"TianoCore: Memory protection in SMM (2020). 
https:\/\/tianocore-docs.github.io\/ATBB-Memory_Protection_in_UEFI_BIOS\/draft\/memory-protection-in-SMM.html"},{"key":"26_CR48","unstructured":"Tianocore: Machine owner key (MOK) (2021). https:\/\/tianocore-docs.github.io\/Understanding_UEFI_Secure_Boot_Chain\/draft\/additional_secure_boot_chain_implementations\/machine_owner_key_mok.html"},{"key":"26_CR49","unstructured":"Tianocore: Uefi secure boot (2021). https:\/\/tianocore-docs.github.io\/Understanding_UEFI_Secure_Boot_Chain\/draft\/secure_boot_chain_in_uefi\/uefi_secure_boot.html"},{"key":"26_CR50","unstructured":"TianoCore: Platform initialization (2024). https:\/\/tianocore-docs.github.io\/edk2-UefiDriverWritersGuide\/draft\/3_foundation\/315_platform_initialization\/README.15.html"},{"key":"26_CR51","unstructured":"UEFI Forum: About uefi forum. https:\/\/uefi.org\/about"},{"key":"26_CR52","unstructured":"UEFI forum: Dxe dispatcher. https:\/\/uefi.org\/specs\/PI\/1.8\/V2_DXE_Dispatcher.html"},{"key":"26_CR53","unstructured":"UEFI forum: Services\u2014boot services. https:\/\/uefi.org\/specs\/UEFI\/2.10\/07_Services_Boot_Services.html"},{"key":"26_CR54","unstructured":"UEFI forum: Services\u2014runtime services. https:\/\/uefi.org\/specs\/UEFI\/2.10\/08_Services_Runtime_Services.html"},{"key":"26_CR55","unstructured":"UEFI forum: Uefi protocols. https:\/\/uefi.org\/specs\/PI\/1.8\/V4_UEFI_Protocols.html#efi-mm-communication-protocol-communicate"},{"key":"26_CR56","unstructured":"UEFI Forum: Boot manager. https:\/\/uefi.org\/specs\/PI\/1.8\/V2_Boot_Manager.html (2022)"},{"key":"26_CR57","unstructured":"UEFI Forum: Driver execution environment (dxe) phase (2022). https:\/\/uefi.org\/specs\/PI\/1.8\/V2_Overview.html"},{"key":"26_CR58","unstructured":"UEFI Forum: Pre-efi initialization overview (2022). https:\/\/uefi.org\/specs\/PI\/1.8A\/V1_Overview.html#pre-efi-initialization-pei-phase"},{"key":"26_CR59","unstructured":"UEFI Forum: Security (sec) phase information (2022). 
https:\/\/uefi.org\/specs\/PI\/1.8\/V1_Security_SEC_Phase_Information.html"},{"key":"26_CR60","unstructured":"UEFI forum: Uefi platform initialization specification (2024). https:\/\/uefi.org\/specs\/PI\/1.9\/"},{"key":"26_CR61","doi-asserted-by":"publisher","unstructured":"Yin, J., et al.: Finding SMM privilege-escalation vulnerabilities in Uefi firmware with protocol-centric static analysis. In: Proceedings of the 43rd IEEE Symposium on Security and Privacy (SP 2022), pp. 2629\u20132646 (2022). https:\/\/doi.org\/10.1109\/SP46214.2022.9833723","DOI":"10.1109\/SP46214.2022.9833723"},{"key":"26_CR62","doi-asserted-by":"publisher","unstructured":"Zhou, Y., Peng, G., Li, Z., Liu, S.: A survey on the evolution of bootkits attack and defense techniques. China Communications (2024). https:\/\/doi.org\/10.23919\/JCC.ja.2022-0409","DOI":"10.23919\/JCC.ja.2022-0409"}],"container-title":["Lecture Notes in Computer Science","Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-08124-7_26","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T08:24:18Z","timestamp":1761812658000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-08124-7_26"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,31]]},"ISBN":["9783032081230","9783032081247"],"references-count":62,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-08124-7_26","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,31]]},"assertion":[{"value":"31 October 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ISC","order":1,"name":"conference_acronym","label":"Conference 
Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Seoul","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Korea (Republic of)","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 October 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 October 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"isw2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/isc25.skku.edu\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}