{"id":51018541,"url":"https://github.com/yasindce1998/barzakh","last_synced_at":"2026-06-21T14:00:59.352Z","repository":{"id":357131671,"uuid":"1235524702","full_name":"yasindce1998/Barzakh","owner":"yasindce1998","description":"A controlled, white-hat UEFI bootkit simulation environment for academic research and defensive detection engineering.","archived":false,"fork":false,"pushed_at":"2026-06-21T04:00:05.000Z","size":547,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-21T05:20:29.600Z","etag":null,"topics":["bootkit","c","defensive-security","kernel","kernel-module","malware","offensive-security","python","rootkit","security","uefi","uefi-boot","uefi-development"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yasindce1998.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-11T12:07:55.000Z","updated_at":"2026-06-21T04:00:11.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/yasindce1998/Barzakh","commit_stats":null,"previous_names":["yasindce1998/aegis-boot","yasindce1998/barzakh"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yasindce1998/Barzakh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yasindce1998%2FBarzakh","tags_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/yasindce1998%2FBarzakh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yasindce1998%2FBarzakh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yasindce1998%2FBarzakh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yasindce1998","download_url":"https://codeload.github.com/yasindce1998/Barzakh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yasindce1998%2FBarzakh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34610832,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bootkit","c","defensive-security","kernel","kernel-module","malware","offensive-security","python","rootkit","security","uefi","uefi-boot","uefi-development"],"created_at":"2026-06-21T14:00:57.238Z","updated_at":"2026-06-21T14:00:59.346Z","avatar_url":"https://github.com/yasindce1998.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Project Barzakh\n\n**⚠️ ACADEMIC RESEARCH PROJECT - DEFENSIVE SECURITY ONLY ⚠️**\n\nA production-ready UEFI bootkit research platform for studying firmware-level security threats and defenses.\n\n## ⚖️ Legal \u0026 Ethical 
Notice\n\nThis project is developed **strictly for academic research purposes** under institutional oversight:\n\n- ✅ Must operate in air-gapped, virtualized environments only\n- ✅ Contains multiple hardware-rooted kill-switches preventing unauthorized execution\n- ❌ NOT for weaponization, deployment, or malicious use\n- ❌ Violating these constraints may result in legal consequences\n\n**By accessing this repository, you agree to use it solely for legitimate security research and educational purposes.**\n\n## 📋 Project Overview\n\nBarzakh safely models Tactics, Techniques, and Procedures (TTPs) from known in-the-wild bootkits to:\n- Validate Measured Boot integrity against UEFI execution tampering\n- Develop robust detection capabilities (Barzakh-Scanner)\n- Produce peer-reviewed academic research on defensive methodologies\n\n### Reference Adversaries\n- **BlackLotus** (CVE-2023-24932): Secure Boot bypass via vulnerable bootloaders\n- **CosmicStrand/FinSpy**: Firmware persistence via DXE driver implantation\n- **LoJax**: SPI flash persistence surviving OS reinstalls\n\n## 🏗️ Architecture\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│  Firmware (SEC/PEI) → DXE Phase → Barzakhkit Hooks          │\n│  → Boot Device Selection → OS Bootloader                    │\n│  → ExitBootServices Intercept → TPM Attestation             │\n│  → OS Kernel (Infection Complete)                           │\n└─────────────────────────────────────────────────────────────┘\n```\n\n### Core Components\n\n1. **BootkitPkg** (Offensive Emulation)\n   - DXE phase driver injection\n   - Boot Services table hooking\n   - ExitBootServices interception\n   - MSR hooking for stealth emulation\n\n2. **AttestationPkg** (Defensive Telemetry)\n   - TPM PCR querying [0, 2, 4, 7]\n   - TCG Event Log extraction\n   - Ground truth data generation\n\n3. 
**Barzakh Scanner** (Detection Engine — Rust)\n   - 18 specialized detectors for bootkit artifact detection\n   - Target: ≥85% TPR, \u003c5% FPR, ROC-AUC ≥0.92\n   - See [`src/barzakh-scanner-rs/README.md`](src/barzakh-scanner-rs/README.md)\n\n## 🔒 Security Safeguards\n\n### Hardware-Rooted Kill-Switches\n- **UUID Binding**: Cryptographically bound to whitelisted SMBIOS UUIDs\n- **TPM EK Pinning**: Bound to specific TPM Endorsement Keys\n- **Time-Bomb**: Hardcoded expiry date enforcement\n- **Air-Gap**: No network connectivity in test environment\n\n### Operational Security\n- QEMU + OVMF virtualization only (no bare metal)\n- Append-only GPG-signed audit logs\n- AES-256 encrypted cold storage\n- No pre-compiled binaries in repository\n- All commits must be GPG-signed\n\n## 🛠️ Technology Stack\n\n| Component | Technology |\n|-----------|-----------|\n| Development Kit | EDK II (UEFI Development Kit) |\n| Languages | C11 (EDK II), Rust (Scanner) |\n| Virtualization | QEMU + KVM + OVMF |\n| Security Module | TPM 2.0 (swtpm) |\n| Guest OS | Windows 10/11, Ubuntu Linux |\n\n## 📁 Repository Structure\n\n```\nbarzakh/\n├── docs/\n│   ├── SETUP.md                    # Environment setup guide\n│   ├── ARCHITECTURE.md             # Technical architecture\n│   └── TESTING.md                  # Testing strategy\n├── src/\n│   ├── BootkitPkg/                 # UEFI bootkit emulation\n│   │   ├── DxeInject/              # DXE phase injection + kill-switches\n│   │   └── ExitBootHook/           # ExitBootServices interception\n│   ├── AttestationPkg/             # TPM attestation \u0026 telemetry\n│   │   ├── TpmAttestation/         # PCR monitoring\n│   │   └── EventLogExtractor/      # TCG event log parsing\n│   └── barzakh-scanner-rs/           # Detection engine (Rust)\n│       ├── crates/barzakh-core/    # Library: 18 detectors + reports\n│       └── crates/barzakh-cli/     # CLI binary\n├── scripts/\n│   ├── build.sh                    # EDK II compilation\n│   ├── 
qemu-run.sh                 # QEMU test harness with vTPM\n│   ├── nvram-recovery.py           # NVRAM backup/restore\n│   ├── audit-log.sh                # GPG-signed audit logging\n│   └── validate-environment.sh     # Pre-flight checks\n├── tests/                          # Test suite\n│   ├── unit/                       # Unit tests\n│   ├── integration/                # Integration tests\n│   └── corpus/                     # Test corpus samples\n├── .github/workflows/              # CI/CD pipeline\n├── CONTRIBUTING.md\n└── SECURITY.md\n```\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n1. **Hardware Requirements**\n   - Air-gapped lab environment or isolated VLAN\n   - Dedicated test machines with TPM 2.0\n   - Minimum 16GB RAM, 100GB storage\n\n2. **Software Requirements**\n   - Linux host (Ubuntu 22.04+ recommended)\n   - QEMU 7.0+ with KVM support\n   - EDK II development environment\n   - swtpm (software TPM emulator)\n   - Rust toolchain (stable)\n   - GCC 11+ or Clang 14+\n\n### Environment Setup\n\n1. **Clone EDK II and dependencies**\n   ```bash\n   # See docs/SETUP.md for detailed instructions\n   git clone https://github.com/tianocore/edk2.git\n   cd edk2\n   git checkout edk2-stable202405  # Pinned version\n   git submodule update --init --recursive\n   ```\n\n2. **Build OVMF**\n   ```bash\n   # Configure EDK II environment\n   source edksetup.sh\n   \n   # Build OVMF with TPM support\n   build -a X64 -t GCC5 -p OvmfPkg/OvmfPkgX64.dsc -D TPM2_ENABLE=TRUE\n   ```\n\n3. 
**Setup Barzakh**\n   ```bash\n   cd /path/to/barzakh\n   \n   # Configure environment variables\n   export WORKSPACE=/path/to/edk2\n   export PACKAGES_PATH=$WORKSPACE:$(pwd)/src\n   \n   # Run pre-flight checks\n   ./scripts/validate-environment.sh\n   ```\n\n## 🧪 Usage\n\n### Building the Bootkit (Research Only)\n```bash\n# Build all UEFI packages\n./scripts/build.sh\n\n# This creates:\n# - BootkitPkg DXE drivers\n# - AttestationPkg modules\n# - Signed artifacts with SBOM\n```\n\n### Running in Test Environment\n```bash\n# Launch QEMU with vTPM and bootkit\n./scripts/qemu-run.sh\n\n# Features:\n# - Air-gap enforcement\n# - vTPM integration\n# - Audit logging\n# - NVRAM snapshots\n```\n\n### Using Barzakh Scanner\n```bash\n# Build the scanner\ncd src/barzakh-scanner-rs\ncargo build --release\n\n# Scan a firmware/memory dump\n./target/release/barzakh-cli --target /path/to/firmware.bin --report --format html --output report.html\n\n# With baseline comparison\n./target/release/barzakh-cli --target firmware.bin --baseline baseline.json --report\n\n# Run specific detectors\n./target/release/barzakh-cli --target firmware.bin --scan-types pcr,memory,hook\n```\n\n### Running Tests\n```bash\n# Run scanner tests\ncd src/barzakh-scanner-rs\ncargo test\n\n# Check formatting \u0026 lint\ncargo fmt --check\ncargo clippy -- -D warnings\n\n# Security audit\ncargo audit\n```\n\n## 📊 Detection Targets\n\n| Metric | Target |\n|--------|--------|\n| True Positive Rate (TPR) | ≥85% |\n| False Positive Rate (FPR) | \u003c5% |\n| ROC-AUC | ≥0.92 |\n| Mean Time to Detect | \u003c500ms |\n\n## 📝 Documentation\n\n- [`docs/SETUP.md`](docs/SETUP.md) - Environment setup instructions\n- [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) - System architecture\n- [`docs/TESTING.md`](docs/TESTING.md) - Testing strategy\n- [`src/barzakh-scanner-rs/README.md`](src/barzakh-scanner-rs/README.md) - Scanner documentation\n- [`tests/README.md`](tests/README.md) - Test suite guide\n- 
[`CONTRIBUTING.md`](CONTRIBUTING.md) - Contribution guidelines\n- [`SECURITY.md`](SECURITY.md) - Security policy\n\n## 🤝 Contributing\n\nThis is a controlled research project. Contributions are limited to:\n- Authorized researchers on the project team\n- Institutional collaborators with signed agreements\n- Peer reviewers during the academic publication process\n\nSee [`CONTRIBUTING.md`](CONTRIBUTING.md) for detailed guidelines.\n\n## 📜 License\n\nThis project is released under a restrictive academic research license. See [`LICENSE`](LICENSE) for details.\n\n**Key restrictions:**\n- Academic and educational use only\n- No commercial use\n- No weaponization or malicious deployment\n- Must maintain all safety mechanisms\n- Must comply with institutional oversight\n\n## 🔐 Responsible Disclosure\n\nIf you discover a novel vulnerability during research:\n1. **Immediate embargo** - Do not disclose publicly\n2. **Notify Principal Investigator** within 24 hours\n3. **90-day coordinated disclosure** to affected vendors\n4. See [`SECURITY.md`](SECURITY.md) for full procedure\n\n## 📞 Contact\n\n**Principal Investigator:** Yasin  \n**Institution:** Dead Lock Corp  \n**Email:** yasindce1998@gmail.com\n\n**For vulnerability reports:** security@deadlockcorp.edu\n\n## ⚠️ Disclaimer\n\nThis software is provided for academic research purposes only. The authors and affiliated institutions:\n- Make no warranties regarding fitness for any purpose\n- Accept no liability for misuse or unauthorized deployment\n- Require strict adherence to institutional oversight and legal frameworks\n- Reserve the right to terminate access for policy violations\n\n**USE AT YOUR OWN RISK. UNAUTHORIZED USE MAY VIOLATE LAWS.**\n\n---\n\n## 🎓 Research Contributions\n\nThis project models real-world threats including BlackLotus (CVE-2023-24932), CosmicStrand, LoJax, MoonBounce, and MosaicRegressor. 
Key research contributions:\n\n- PCR replay algorithm for TPM attestation validation\n- FV-based detection to reduce false positives\n- Automated CI/CD pipeline for bootkit research\n- Ground truth validation framework using test corpus\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyasindce1998%2Fbarzakh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyasindce1998%2Fbarzakh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyasindce1998%2Fbarzakh/lists"}