Nighthawk: Transparent System Introspection from Ring -3

Authors

Lei Zhou, Central South University
Jidong Xiao, Boise State UniversityFollow
Kevin Leach, University of Michigan
Westley Weimer, University of Michigan
Fengwei Zhang, Wayne State University
Guojun Wang, Guangzhou University

Document Type

Conference Proceeding

Publication Date

2019

Abstract

During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or they must share CPU time with the operating system, disrupting normal execution. In this paper, we propose an introspection framework called NIGHTHAWK that transparently checks system integrity at runtime. NIGHTHAWK leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use NIGHTHAWK to check the integrity of the system software and firmware of a host system at runtime. The experimental results show that NIGHTHAWK can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks.

Comments

Computer Security: ESORICS 2019 is volume 11736 of the Lecture Notes in Computer Science book series.

Publication Information

Zhou, Lei; Xiao, Jidong; Leach, Kevin; Weimer, Westley; Zhang, Fengwei; and Wang, Guojun. (2019). "Nighthawk: Transparent System Introspection from Ring -3". In K. Sako, S. Schneider, and P. Ryan (Eds.), Computer Security: ESORICS 2019 (Lecture Notes in Computer Science series, Volume 11736, pp. 217-238). Springer. https://doi.org/10.1007/978-3-030-29962-0_11