
Extensible, Performance-Aware, SMM-based Runtime Integrity Measurement

Portland State University - Fourth Avenue Building

Speaker - Dr. Karen Karavanic

Room FAB 86-01


Today's complex server platforms include software environments (both kernels and hypervisors) that are vulnerable to sophisticated malware called rootkits, which specifically target low-level resources such as kernel or hypervisor data structures. These attacks modify sensitive host software and hardware resources that control fundamental operations such as interrupt handling, memory access, and event handlers, resulting in a compromised system. In response, researchers have developed Runtime Integrity Measurement Mechanisms (RIMMs) that aim to detect rootkits before financial or political damage occurs. One particularly promising approach is to run these rootkit detection checks in System Management Mode (SMM). SMM is a special x86 processor mode that privileged software such as kernel or hypervisor code cannot access; code running in SMM has access to a protected region of memory that cannot be inspected or overwritten by privileged software or applications, which protects the RIMM itself. This approach is currently infeasible because of performance constraints: the time the processor spends in SMM interferes with system software and may cause significant perturbation, or even failure, of the system and application software. In this talk I will describe these performance problems, showing results from our detailed performance study of the impacts of time spent in SMM. In addition, I will introduce our current project to develop a solution that stays within acceptable performance bounds. This talk should be accessible to students who have an understanding of operating systems foundations, for example from completing CS333 or CS533.
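To make the mechanism concrete, here is an added example in C (not code from the talk or from the speaker's project) of a performance-aware integrity measurement: a golden hash is taken over a constructed stand-in for a sensitive kernel table, and each simulated SMI then measures only a bounded slice of it before returning control to the OS, so the time spent in SMM per interrupt stays small. The table contents, chunk size and hook value are constructed for illustration; a real RIMM runs inside the SMM handler and would bound each slice by elapsed cycles.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a sensitive kernel table (think interrupt descriptor
 * or system-call table): 256 handler addresses owned by this program. */
#define ENTRIES 256
#define CHUNK   32                 /* entries measured per unit of work */
#define NCHUNKS (ENTRIES / CHUNK)

static uint64_t table[ENTRIES];
static uint64_t baseline[NCHUNKS]; /* golden per-chunk hashes */
static size_t cursor;              /* next chunk to measure */

/* FNV-1a hash over one chunk of the table. */
static uint64_t hash_chunk(size_t c) {
    uint64_t h = 0xcbf29ce484222325ULL;
    const unsigned char *p = (const unsigned char *)&table[c * CHUNK];
    for (size_t i = 0; i < CHUNK * sizeof table[0]; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Golden measurement, taken before any untrusted code has run. */
void rimm_baseline(void) {
    for (size_t c = 0; c < NCHUNKS; c++) baseline[c] = hash_chunk(c);
    cursor = 0;
}

/* One SMI's worth of work: measure at most `budget` chunks, then return so the OS
 * gets the CPU back. Returns -1 if every chunk checked matched, else the index of
 * the first diverging chunk. A real handler would bound the slice by TSC cycles. */
int rimm_smi_slice(size_t budget) {
    for (size_t n = 0; n < budget; n++) {
        size_t c = cursor;
        cursor = (cursor + 1) % NCHUNKS;
        if (hash_chunk(c) != baseline[c]) return (int)c;
    }
    return -1;
}

/* Baseline a fresh table, redirect entry `hooked` (no hook if >= ENTRIES) the way
 * a rootkit would, then sweep it in 2-chunk slices until a mismatch appears. */
int rimm_demo(size_t hooked) {
    for (size_t i = 0; i < ENTRIES; i++) table[i] = 0xffffffff81000000ULL + i * 16;
    rimm_baseline();
    if (hooked < ENTRIES) table[hooked] = 0xdeadbeefULL;  /* constructed hook */
    int r = -1;
    for (size_t done = 0; done < NCHUNKS && r < 0; done += 2) r = rimm_smi_slice(2);
    return r;
}
```

`rimm_demo(100)` returns 3 (entry 100 lies in chunk 3) after the second slice, while a clean table sweeps fully and returns -1.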