Nighthawk: Transparent System Introspection from Ring -3
Document Type
Conference Proceeding
Publication Date
2019
Abstract
During the past decade, virtualization-based approaches (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or must share CPU time with the operating system, disrupting normal execution. In this paper, we propose an introspection framework called NIGHTHAWK that transparently checks system integrity at runtime. NIGHTHAWK leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system across a suite of indicative benchmarks. We use NIGHTHAWK to check the integrity of the system software and firmware of a host system at runtime. The experimental results show that NIGHTHAWK can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks.
Publication Information
Zhou, Lei; Xiao, Jidong; Leach, Kevin; Weimer, Westley; Zhang, Fengwei; and Wang, Guojun. (2019). "Nighthawk: Transparent System Introspection from Ring -3". In K. Sako, S. Schneider, and P. Ryan (Eds.), Computer Security: ESORICS 2019 (Lecture Notes in Computer Science series, Volume 11736, pp. 217-238). Springer. https://doi.org/10.1007/978-3-030-29962-0_11
Comments
Computer Security: ESORICS 2019 is volume 11736 of the Lecture Notes in Computer Science book series.