A coprocessor-based introspection framework via intel management engine
During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or...
Main Authors: | ZHOU, Lei; ZHANG, Fengwei; XIAO, Jidong; LEACH, Kevin; WEIMER, Westley; DING, Xuhua; WANG, Guojun |
---|---|
Format: | text |
Language: | English |
Published: | Institutional Knowledge at Singapore Management University, 2021 |
Subjects: | |
Online Access: | https://ink.library.smu.edu.sg/sis_research/6734 https://ink.library.smu.edu.sg/context/sis_research/article/7737/viewcontent/A_Coprocessor_Based_Introspection_Framework_Via_Intel_Management_Engine.pdf |
Institution: | Singapore Management University |
id |
sg-smu-ink.sis_research-7737 |
---|---|
record_format |
dspace |
spelling |
sg-smu-ink.sis_research-7737 2022-01-27T10:56:04Z A coprocessor-based introspection framework via intel management engine ZHOU, Lei ZHANG, Fengwei XIAO, Jidong LEACH, Kevin WEIMER, Westley DING, Xuhua WANG, Guojun During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or they must share CPU time with the operating system, disrupting normal execution. In this article, we propose an introspection framework called NIGHTHAWK that transparently checks system integrity and monitors the runtime state of the target system. NIGHTHAWK leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use NIGHTHAWK to introspect the system software and firmware of a host system at runtime. The experimental results show that NIGHTHAWK can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks. Additionally, NIGHTHAWK can monitor the runtime state of the host system against suspicious applications running in the target machine. 2021-07-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/6734 info:doi/10.1109/TDSC.2021.3071092 https://ink.library.smu.edu.sg/context/sis_research/article/7737/viewcontent/A_Coprocessor_Based_Introspection_Framework_Via_Intel_Management_Engine.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Intel ME system management mode introspection integrity transparency Databases and Information Systems Information Security |
institution |
Singapore Management University |
building |
SMU Libraries |
continent |
Asia |
country |
Singapore Singapore |
content_provider |
SMU Libraries |
collection |
InK@SMU |
language |
English |
topic |
Intel ME system management mode introspection integrity transparency Databases and Information Systems Information Security |
description |
During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or they must share CPU time with the operating system, disrupting normal execution. In this article, we propose an introspection framework called NIGHTHAWK that transparently checks system integrity and monitors the runtime state of the target system. NIGHTHAWK leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use NIGHTHAWK to introspect the system software and firmware of a host system at runtime. The experimental results show that NIGHTHAWK can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks. Additionally, NIGHTHAWK can monitor the runtime state of the host system against suspicious applications running in the target machine. |
format |
text |
author |
ZHOU, Lei ZHANG, Fengwei XIAO, Jidong LEACH, Kevin WEIMER, Westley DING, Xuhua WANG, Guojun |
author_sort |
ZHOU, Lei |
title |
A coprocessor-based introspection framework via intel management engine |
title_sort |
coprocessor-based introspection framework via intel management engine |
publisher |
Institutional Knowledge at Singapore Management University |
publishDate |
2021 |
url |
https://ink.library.smu.edu.sg/sis_research/6734 https://ink.library.smu.edu.sg/context/sis_research/article/7737/viewcontent/A_Coprocessor_Based_Introspection_Framework_Via_Intel_Management_Engine.pdf |
_version_ |
1770576056690933760 |