
UEFI Bootkit Model and Analysis


唐文彬;陈熹;陈嘉勇;祝跃飞

Journal: 《计算机科学》 (Computer Science). Year (volume), issue: 2012 (039) 010

Abstract: This paper analyzes the working mechanism and key technologies of UEFI Bootkit. Building on Harold's Trojan model, it gives a formal description of UEFI Bootkit, extending the definition of a Trojan accordingly. It analyzes the differences in hiding technology between UEFI Bootkit and Trojans, and builds a formal model of UEFI Bootkit cooperative concealment. An application of the model is given, proving theoretically that detecting a Bootkit before the operating system kernel starts is more effective than detecting it after the operating system has finished starting. We designed and developed a UEFI Bootkit detection system that begins detection before the operating system kernel is loaded. The detection system was used in practical tests, and the results show that it achieves good detection results and effectively validate the accuracy of the model.
