Dissertation/Thesis Abstract

Extensible Performance-aware Runtime Integrity Measurement
by Delgado, Brian G., Ph.D., Portland State University, 2020; 234 pages; Publication Number 27741720
Abstract (Summary)

Today’s interconnected world depends on a broad set of online activities, including banking, shopping, managing health records, and social media, all of which rely heavily on servers that manage extensive sets of data. However, stealthy rootkit attacks on this infrastructure have placed these servers at risk. Security researchers have proposed using an existing x86 CPU mode called System Management Mode (SMM) to search for rootkits from a hardware-protected, isolated, and privileged location. SMM has broad visibility into operating system resources, including memory regions and CPU registers. However, using SMM for runtime integrity measurement mechanisms (SMM-RIMMs) would significantly expand the amount of CPU time spent outside the control of the operating system and hypervisor (the host software), with potentially serious system impacts. To be a candidate for production use, SMM-RIMMs would need to be resilient, performant, and extensible.

We developed the EPA-RIMM architecture guided by the principles of extensibility, performance awareness, and effectiveness. EPA-RIMM incorporates a security check description mechanism that allows dynamic changes to the set of resources to be monitored. It minimizes system performance impacts by decomposing security checks into shorter tasks that can be independently scheduled over time. We present a performance methodology for SMM to quantify system impacts, as well as a simulator that allows for the evaluation of different methods of scheduling security inspections. Our SMM-based EPA-RIMM prototype leverages insights from the performance methodology to detect host software rootkits at reduced system impacts. EPA-RIMM demonstrates that SMM-based rootkit detection can be made performance-efficient and effective, providing a new tool for defense.

Indexing (document details)
Advisor: Karavanic, Karen L.
Committee: Wright, Charles V., Feng, Wu-chang, Wakeland, Wayne, Irvin, Bruce
School: Portland State University
Department: Computer Science
School Location: United States -- Oregon
Source: DAI-B 81/9(E), Dissertation Abstracts International
Subjects: Computer science
Keywords: BIOS, Firmware, Performance, Rootkit, SMM, STM
Publication Number: 27741720
ISBN: 9781658492836
Copyright © 2021 ProQuest LLC. All rights reserved.