Abstract
During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or they must share CPU time with the operating system, disrupting normal execution. In this paper, we propose an introspection framework called Nighthawk that transparently checks system integrity at runtime. Nighthawk leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use Nighthawk to check the integrity of the system software and firmware of a host system at runtime. The experimental results show that Nighthawk can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks.
L. Zhou—Work was done while visiting COMPASS lab at Wayne State University.
Notes
1.
2. Cache contention and bus bandwidth limits may incur overhead.
3. While this offset can be system-dependent, in most Linux setups, kernel virtual addresses are 0xc0000000 bytes from the corresponding physical address.
4. Even when SMRAM is locked, using our HECI-based communication channel, we incur roughly 17 ms to perform end-to-end integrity checking.
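As an added illustration, not code from the paper, of the runtime integrity check the abstract describes combined with the virtual-to-physical offset in note 3: a monitor translates a kernel virtual address to the physical address an out-of-band reader would fetch, hashes that region of a constructed stand-in for host memory, and compares it with a baseline measurement. The 4 KB memory array, the 0xc0000800 region, the FNV-1a hash and the sample byte pattern are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed direct-map offset from note 3 (32-bit Linux): kernel VA = PA + 0xc0000000. */
#define KERNEL_VA_OFFSET 0xc0000000UL

/* Constructed stand-in for host physical memory, addressed from PA 0.
 * The real monitor reads this out-of-band from the IME instead. */
#define PHYS_SIZE 4096
static uint8_t host_phys[PHYS_SIZE];

/* Fill the stand-in with a deterministic sample pattern (constructed data). */
void load_sample(void) {
    for (size_t i = 0; i < PHYS_SIZE; i++) host_phys[i] = (uint8_t)(i * 7 + 3);
}

/* A monitored region: kernel VA, length and its known-good hash. */
typedef struct { uint32_t kva; size_t len; uint32_t baseline; } region_t;

/* Translate a kernel VA to the PA an out-of-band reader fetches; 0xffffffff
 * marks an address below the direct-mapped kernel range. */
uint32_t kva_to_pa(uint32_t kva) {
    return kva < KERNEL_VA_OFFSET ? 0xffffffffu : kva - KERNEL_VA_OFFSET;
}

/* FNV-1a 32-bit (assumption): a cheap non-cryptographic hash that is enough
 * to flag any byte change between a baseline and a later snapshot. */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Hash the region's physical bytes. Returns 0 on success, -1 if the region is
 * unmapped or would run past the end of host memory (checked before reading). */
int hash_region(const region_t *r, uint32_t *out) {
    uint32_t pa = kva_to_pa(r->kva);
    if (pa == 0xffffffffu || r->len > PHYS_SIZE || pa > PHYS_SIZE - r->len) return -1;
    *out = fnv1a(host_phys + pa, r->len);
    return 0;
}

/* Record the known-good measurement at a trusted point (e.g. right after boot). */
int record_baseline(region_t *r) { return hash_region(r, &r->baseline); }

/* Periodic check: 1 = intact, 0 = modified, -1 = region could not be read. */
int check_region(const region_t *r) {
    uint32_t h;
    if (hash_region(r, &h) != 0) return -1;
    return h == r->baseline;
}
```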
Acknowledgments
Lei Zhou was supported by the China Scholarship Council at Wayne State University. This work is supported in part by the National Natural Science Foundation of China under Grant Number 61632009 and the Guangdong Provincial Natural Science Foundation under Grant Number 2017A030308006.
Appendices
A Appendix: Intel ME
An overview of system components and the IME is shown in Fig. 7.
B Appendix: Code added in Intel IME
Properties of our custom IME added code are shown in Table 5. All told, we wrote 400 lines of new C code and 270 lines of new assembly code, all of which fit in an IME firmware image less than 2 KB in size.
C Appendix: Remote Communication Protocol
Here we present the details of the remote communication protocol between the remote server and the IME in the target machine.
D Appendix: Performance of the IME Core
We run experiments to investigate the computational capabilities of the IME. In particular, we develop a CPU speed testing benchmark, which we inject into the memcpy function in the IME. That is, this benchmark executes every time memcpy is invoked. The testing program is a nested-loop (inner loop: n, outer loop: m) function with 15 instructions in the inner loop such that \(n\times m=10^6\). We read the time stamp counter at the beginning and the end of the benchmark, denoted as \(T_1\) and \(T_2\), and thus approximate the average speed of the IME CPU using the formula \(v\approx \frac{15\times 10^{6}\times (n\times m)}{(T_2-T_1)}\). We sweep \(n \in \{100, 200, \ldots, 10000\}\) and \(m \in \{100, 200, 1000\}\); the experimental result shows that the IME CPU executes approximately 15 million instructions each second. Compared to the target system’s main CPU (which can execute billions of instructions per second), the IME CPU has a significantly lower performance.
© 2019 Springer Nature Switzerland AG
Cite this paper
Zhou, L., Xiao, J., Leach, K., Weimer, W., Zhang, F., Wang, G. (2019). Nighthawk: Transparent System Introspection from Ring -3. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_11
DOI: https://doi.org/10.1007/978-3-030-29962-0_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0