DriverShield - Windows Kernel Driver Security Glossary
Concise definitions of BYOVD, kernel driver, IOCTL, Authenticode, EDR, CFI, DSE, HVCI, YARA, Sigma, MITRE ATT&CK, and other terms used across DriverShield analyses and the broader kernel security ecosystem.
- BYOVD - Bring Your Own Vulnerable Driver. Attack technique that loads a legitimate, validly signed but flawed kernel driver in order to obtain Ring-0 primitives.
- Kernel Driver - Ring-0 Windows binary with unrestricted access to physical memory, hardware registers, and the system call table.
- IOCTL - I/O Control code. 32-bit dispatch identifier that user-mode code passes to DeviceIoControl to invoke a specific operation in a kernel driver.
- Authenticode - Microsoft's PKCS#7 PE code-signing format containing the signer chain, signature, and timestamp.
- EDR - Endpoint Detection and Response. Kernel-instrumented security software, a primary BYOVD target.
- CFI - Control Flow Integrity. Compiler-inserted mitigation that restricts the targets of indirect calls at runtime.
- DSE - Driver Signature Enforcement. Windows 64-bit requirement for signed kernel drivers.
- HVCI - Hypervisor-Protected Code Integrity. VBS feature enforcing W^X on kernel pages.
- YARA - Pattern-matching language used to classify malware and known-vulnerable binaries.
- Sigma - Generic SIEM detection rule format, translatable into Splunk, Elastic (ELK), and Microsoft Sentinel queries.
- MITRE ATT&CK - Knowledge base of real-world adversary techniques. Driver behaviour maps to specific ATT&CK technique IDs.
DriverShield © 2025-2026