The research expands on previous studies, such as ScrewedDrivers and POPKORN that utilized symbolic execution
for automating the discovery of vulnerable drivers. It specifically
focuses on drivers that contain firmware access through port I/O and
memory-mapped I/O.

The names of some of the vulnerable drivers include AODDriver.sys,
ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys,
kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).

Of the 34 drivers, six allow kernel memory access that can be abused
to elevate privilege and defeat security solutions. Twelve of the
drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel’s stdcdrv64.sys, can be utilized to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and
H2OFFT64.sys that are not vulnerable in terms of access control, but can
be trivially weaponized by privileged threat actors to pull off what’s
called a Bring Your Own Vulnerable Driver (BYOVD) attack.