A Software Detection Mechanism Based on SMM in Network Computing

Conference paper, in: Security, Privacy and Anonymity in Computation, Communication and Storage (SpaCCS 2016)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10067)

Abstract

An effective way to secure a network computing system is to detect illegal or malicious software. Most previous work implements such detection at the OS kernel or hypervisor level. However, if the system is compromised by a ring 0 or ring 1 attack, the OS kernel or hypervisor can no longer serve as a trusted base, and the detection result may be wrong. To address this shortcoming, we use System Management Mode (SMM) to build a trusted execution environment. SMM is a special CPU mode of the x86 architecture that provides a secure, isolated area at the firmware level in which malicious attacks can be detected.

In this paper, we remotely interrupt the local system and design a secure module running in SMM that collects information from the registers and from physical memory. From this information we reconstruct the code segment the software is executing and compare it against reference data. Besides the local detection, we use a remote attestation approach to verify the secure module itself. Our approach resists attacks below the OS level and advances the state of the art in transparent detection. Furthermore, the analysis can be carried out on the server, which reduces the overhead on the client platform.
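The abstract describes two checks: the SMM module snapshots the registers and the physical page the instruction pointer refers to so the server can compare the executing code against known-good references, and the server separately attests the SMM module before trusting its snapshot. The following Python model is an added example and is not the paper's code; the memory image, register values, module image and attestation key are all constructed for the demonstration, and the keyed-HMAC challenge/response stands in for whatever attestation protocol the paper actually uses.

```python
import hashlib
import hmac
import secrets

PAGE = 0x1000

# Constructed sample data: one 4 KiB "physical" code page in a known-good state and
# the same page with a single byte changed. Neither is real program code.
TRUSTED_CODE = b"\x55\x48\x89\xe5\x90\x90\xc3" + b"\x00" * (PAGE - 7)
TAMPERED_CODE = b"\x55\x48\x89\xe5\xcc\x90\xc3" + b"\x00" * (PAGE - 7)
CODE_BASE = 0x400000  # hypothetical load address of the monitored code

# Hypothetical SMM module image and a key assumed to be provisioned into firmware.
MODULE_IMAGE = b"smm-secure-module-v1 (constructed)"
ATTEST_KEY = b"constructed-firmware-attestation-key"


def build_memory(code_page: bytes) -> dict:
    """Physical address -> page contents; a stand-in for the client's RAM."""
    return {CODE_BASE: code_page}


def snapshot(memory: dict, rip: int) -> dict:
    """Model of the SMM secure module: read RIP and copy the page it executes from.
    Snapshotting the whole aligned page keeps the later hash deterministic."""
    page_base = rip & ~(PAGE - 1)
    return {"rip": rip, "page_base": page_base, "page": memory[page_base]}


def measure(snap: dict) -> str:
    """Digest of the executing code page, sent to the server for comparison."""
    return hashlib.sha256(snap["page"]).hexdigest()


# Server side: reference digests of code that is allowed to run (constructed entry).
WHITELIST = {hashlib.sha256(TRUSTED_CODE).hexdigest(): "demo-service .text page 0"}


def verify_code(digest: str):
    """Return the whitelist label for a digest, or None if the code is unknown."""
    return WHITELIST.get(digest)


def attest(nonce: bytes, module_image: bytes, key: bytes = ATTEST_KEY):
    """Client response to a server challenge: hash of the SMM module plus an HMAC
    over nonce||hash so the answer cannot be replayed from an earlier session."""
    module_hash = hashlib.sha256(module_image).digest()
    tag = hmac.new(key, nonce + module_hash, hashlib.sha256).digest()
    return module_hash, tag


def check_attestation(nonce: bytes, module_hash: bytes, tag: bytes,
                      expected_hash: bytes, key: bytes = ATTEST_KEY) -> bool:
    """Server check: the reported module must be the expected image and the tag must
    bind that image to this session's nonce. Constant-time comparisons throughout."""
    expected_tag = hmac.new(key, nonce + expected_hash, hashlib.sha256).digest()
    return (hmac.compare_digest(module_hash, expected_hash)
            and hmac.compare_digest(tag, expected_tag))


def run_check(code_page: bytes, module_image: bytes = MODULE_IMAGE) -> str:
    """One full round: attest the SMM module first, then judge the executing code."""
    nonce = secrets.token_bytes(16)                      # fresh challenge per round
    module_hash, tag = attest(nonce, module_image)
    expected_hash = hashlib.sha256(MODULE_IMAGE).digest()
    if not check_attestation(nonce, module_hash, tag, expected_hash):
        return "module-untrusted"                        # snapshot cannot be relied on
    snap = snapshot(build_memory(code_page), rip=CODE_BASE + 4)
    return "known-good" if verify_code(measure(snap)) else "unknown-code"


if __name__ == "__main__":
    print(run_check(TRUSTED_CODE))                     # known-good
    print(run_check(TAMPERED_CODE))                    # unknown-code
    print(run_check(TRUSTED_CODE, b"patched-module"))  # module-untrusted
```

Two design points carry over to a real deployment: the module is attested before its measurement is used, so a replaced or patched SMM handler is rejected rather than silently trusted, and the comparison is done on page digests so the server keeps only reference hashes rather than copies of client memory. A production verifier would typically replace the shared-key HMAC with a hardware-rooted signature or quote.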



Acknowledgments

This work is supported in part by the National Natural Science Foundation of China under Grant Numbers 61632009, 61472451 and 61272151, the High Level Talents Program of Higher Education in Guangdong Province under Funding Support Number 2016ZJ01.

Corresponding author: Guojun Wang.

Copyright information

© 2016 Springer International Publishing AG

Cite this paper

Zhou, L., Shu, Y., Wang, G. (2016). A Software Detection Mechanism Based on SMM in Network Computing. In: Wang, G., Ray, I., Alcaraz Calero, J., Thampi, S. (eds) Security, Privacy and Anonymity in Computation, Communication and Storage. SpaCCS 2016. Lecture Notes in Computer Science, vol 10067. Springer, Cham. https://doi.org/10.1007/978-3-319-49145-5_14

  • DOI: https://doi.org/10.1007/978-3-319-49145-5_14
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-49144-8
  • Online ISBN: 978-3-319-49145-5