TWC: Small: System Infrastructure for SMM-based Runtime Integrity Measurement

TWC：小型：基于 SMM 的运行时完整性测量的系统基础设施

• 批准号: 1528185
• 负责人: Karen Karavanic
• 金额: $ 40.76万
• 依托单位: Portland State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2015
• 资助国家: 美国
• 起止时间: 2015-08-01 至 2019-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1528185&HistoricalAwards=false
• 关键词: TWC; Small; System; Infrastructure; SMM

The World Wide Web and computer "clouds" have become widely used, and are interwoven into many activities of daily life, from shopping to socializing to education. But the data center servers that are the backbone of this richly connected world remain vulnerable to malicious software ("malware"). Over the past decade, attacks have increased in number and sophistication, motivated by both financial and political goals. The results include consumer concerns about identify theft and fraudulent charges, corporate concerns about millions of dollars in losses, and potential defense concerns. At the same time, the servers and data centers have become more complex, as both the hardware and the software have grown in capability. Thus protecting servers from attack has become increasingly urgent yet increasingly difficult. This project is developing a new approach for server security - monitoring for attacks will be integrated into the servers in a manner that will avoid unwieldy performance slowdowns. This project focuses on detecting rootkits that compromise operating system kernels and hypervisors. The research targets a specific class of solutions that make use of widely available hardware support to allow safe introspection of low-level system state at run time. Rootkit detection checks are implemented in System Management Mode (SMM), a special x86 processor mode entered as a result of a System Management Interrupt controlled by the BIOS, that has a higher priority than any system-level interrupt. Code running in SMM has access to a protected region of memory, providing protection of the rootkit detection code. This project is exploring and quantifying the performance impacts of various SMM-based rootkit detection approaches, and is developing new approaches in which the detection work can be scheduled adaptively to strike an appropriate balance between detection capability and performance degradation.

万维网和计算机“云”已被广泛使用，并与日常生活的许多活动交织在一起，从购物到社交再到教育。但是，作为这个高度互联世界的支柱的数据中心服务器仍然容易受到恶意软件的攻击。在过去十年中，出于经济和政治目的，攻击的数量和复杂程度都有所增加。调查结果包括消费者对身份盗窃和欺诈指控的担忧，企业对数百万美元损失的担忧，以及潜在的国防担忧。与此同时，服务器和数据中心也变得越来越复杂，因为硬件和软件的能力都在增长。因此，保护服务器免受攻击变得越来越紧迫，但也越来越困难。这个项目正在开发一种服务器安全的新方法——对攻击的监控将被集成到服务器中，以避免笨拙的性能下降。这个项目的重点是检测危及操作系统内核和管理程序的rootkit。该研究针对一类特定的解决方案，这些解决方案利用广泛可用的硬件支持，允许在运行时安全地自省低级系统状态。Rootkit检测检查是在系统管理模式（SMM）中实现的，SMM是一种特殊的x86处理器模式，由BIOS控制的系统管理中断（System Management Interrupt）导致进入，具有比任何系统级中断更高的优先级。在SMM中运行的代码可以访问受保护的内存区域，从而为rootkit检测代码提供保护。该项目正在探索和量化各种基于smm的rootkit检测方法对性能的影响，并正在开发新的方法，在这些方法中，检测工作可以自适应地安排，以在检测能力和性能下降之间取得适当的平衡。