Andrea Monzani (University of Milan), Antonio Parata (University of Milan), Andrea Oliveri (EURECOM), Simone Aonzo (EURECOM), Davide Balzarotti (EURECOM), Andrea Lanzi (University of Milan)

Bring Your Own Vulnerable Driver (BYOVD) attacks abuse legitimate, digitally signed Windows drivers that contain hidden flaws, allowing adversaries to slip into kernel space, disable security controls, and sustain stealthy campaigns ranging from ransomware to state-sponsored espionage. Because most public sandboxes inspect only user-mode activity, this kernel-level abuse typically flies under the radar. In this work, we begin by introducing the first dynamic taxonomy of BYOVD behavior. Synthesized from manual investigation of real-world incidents and fine-grained kernel-trace analysis, it maps every attack to sequential stages and enumerates the key APIs abused at each step. Then, we propose a virtualization-based sandbox that follows every step of a driver's execution path, from the originating user-mode request down to the lowest-level kernel instructions, without requiring driver re-signing or host modifications. Finally, the sandbox automatically annotates every observed action with its corresponding taxonomy, producing a stage-by-stage report that highlights where and how a sample exhibits suspicious behavior. To test the sandbox against the current landscape of BYOVD techniques, we analyzed 8,779 malware samples that load 773 distinct signed drivers. The sandbox flagged suspicious behavior in 48 drivers, and subsequent manual verification led to the responsible disclosure of seven previously unknown vulnerable drivers to Microsoft, their vendors, and public threat-intelligence platforms. Our results demonstrate that deep, transparent tracing of kernel control flow can expose BYOVD abuse that eludes traditional analysis pipelines, enriching the community's knowledge of driver exploitation and enabling proactive hardening of Windows defenses.
