Runtime Integrity Measurement with System Management Mode
Detecting unexpected changes in a system’s runtime environment is critical to resilience, yet it remains challenging in today’s production servers. In this talk I will describe our solution: runtime integrity measurement for the operating system kernel and hypervisor using System Management Mode (SMM). SMM is a general-purpose, widely available mechanism on x86 CPUs used for a variety of critical runtime management tasks, such as managing CPU power states and handling thermal throttling. It is a promising approach to runtime monitoring for two reasons: it runs at a higher privilege level than host software, an advantage when the host software has been compromised, and its hardware-protected memory (SMRAM) is strongly isolated from host software, since SMRAM can only be read or written while the CPU is in SMM. However, key challenges include the possibility of severe performance impacts, semantic gaps between SMM and host software, high overheads, overly broad access permissions, and lack of flexibility. Our Linux and Xen prototype results show that our approach, EPA-RIMM, meets performance goals while continuously monitoring code and data for signs of attack, and that it is effective at detecting a number of recent exploits.
Email us at occoe@pdx.edu if you would like to receive the link to the seminar.

