Nighthawk: Transparent System Introspection from Ring -3

Part of the Lecture Notes in Computer Science book series (LNSC, volume 11736)

Abstract

During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or they must share CPU time with the operating system, disrupting normal execution. In this paper, we propose an introspection framework called Nighthawk that transparently checks system integrity at runtime. Nighthawk leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use Nighthawk to check the integrity of the system software and firmware of a host system at runtime. The experimental results show that Nighthawk can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks.

L. Zhou—Work was done while visiting COMPASS lab at Wayne State University.

  • DOI: 10.1007/978-3-030-29962-0_11
  • Chapter length: 22 pages

Notes

  1. Expanding on Intel’s privilege rings, userspace applications are said to have ring 3 privilege while the kernel has ring 0 privilege. The IME is said to have ring -3 privilege [12, 40].

  2. Cache contention and bus bandwidth limits may incur overhead.

  3. While this offset can be system-dependent, in most Linux setups, kernel virtual addresses are 0xc0000000 bytes from the corresponding physical address.

  4. Even when SMRAM is locked, using our HECI-based communication channel, we incur roughly 17 ms to perform end-to-end integrity checking.

References

  1. Adore-ng (2018). https://github.com/trimpsyw/adore-ng/

  2. RootKits List (2018). https://github.com/d30sa1/RootKits-List-Download

  3. Abramson, D., et al.: Intel virtualization technology for directed I/O. Intel Technol. J. 10(3), 179–192 (2006)

  4. Azab, A.M., et al.: Hypervision across worlds: real-time kernel protection from the arm trustzone secure world. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS) (2014)

  5. Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: HyperSentry: enabling stealthy in-context measurement of hypervisor integrity. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS) (2010)

  6. Chevalier, R., Villatel, M., Plaquin, D., Hiet, G.: Co-processor-based behavior monitoring: application to the detection of attacks against the system management mode. In: Proceedings of the 33rd Annual Computer Security Applications Conference (2017)

  7. Combs, G.: Wireshark (2019). https://www.wireshark.org

  8. Corna, N.: ME cleaner: tool for partial deblobbing of Intel ME/TXE firmware images (2017). https://github.com/corna/me_cleaner

  9. Duflot, L., Levillain, O., Morin, B., Grumelard, O.: Getting into the SMRAM: SMM Reloaded. CanSecWest (2009)

  10. Erica, P., Peter, E.: Intel’s Management Engine is a security hazard, and users need a way to disable it (2017). https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

  11. Ermolov, M., Goryachy, M.: Disabling Intel ME 11 via undocumented mode (2017). http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

  12. Ermolov, M., Goryachy, M.: How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine. Black Hat Europe (2017)

  13. Gael, H.I.: Intel AMT and the Intel ME (2009). https://intel.com/en-us/blogs/2011/12/14/intelr-amt-and-the-intelr-me

  14. Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. In: ACM SIGOPS Operating Systems Review (2003)

  15. Github: ToorKit (2015). https://github.com/deb0ch/toorkit

  16. Intel: Innovation Engine (2015). https://en.wikichip.org/wiki/intel/innovation_engine

  17. Intel Corporation: Intel 3 Series Express Chipset Family (2007). https://www.intel.com/Assets/PDF/datasheet/316966.pdf

  18. Intel Corporation: Intel Trusted Execution Technology (Intel TXT): Software Development Guide (2017). https://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf

  19. Jang, D., Lee, H., Kim, M., Kim, D., et al.: Atra: address translation redirection attack against hardware-based external monitors. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014)

  20. Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction. In: Proceedings of the 14th ACM conference on Computer and Communications Security (CCS) (2007)

  21. Jones, S.T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H.: VMM-based hidden process detection and identification using Lycosid. In: Proceedings of the fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE) (2008)

  22. Koromilas, L., Vasiliadis, G., Athanasopoulos, E., Ioannidis, S.: GRIM: leveraging GPUs for kernel integrity monitoring. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 3–23. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_1

  23. Lee, H., et al.: KI-Mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object. In: USENIX Security Symposium (2013)

  24. Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., et al.: Meltdown: reading kernel memory from user space. In: Proceedings of the 27th Conference on USENIX Security Symposium (2018)

  25. Malka, M., Amit, N., Ben-Yehuda, M., Tsafrir, D.: rIOMMU: efficient IOMMU for I/O devices that employ ring buffers. In: ACM SIGPLAN Notices (2015)

  26. McCalpin, J.D.: STREAM (2018). http://www.cs.virginia.edu/stream/ref.html

  27. Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.B.: Vigilare: toward snoop-based kernel integrity monitor. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS) (2012)

  28. National Institute of Standards, NIST: National Vulnerability Database (2018). http://nvd.nist.gov

  29. Partow, A.: General Purpose Hash Function Algorithms (2018). http://www.partow.net/programming/hashfunctions

  30. Perkins, J.H., et al.: Automatically patching errors in deployed software. In: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles (2009)

  31. Persmule: Neutralize ME firmware on SandyBridge and IvyBridge platforms (2016). https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html

  32. Petroni Jr, N.L., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot-a Coprocessor-based Kernel Runtime Integrity Monitor. In: USENIX Security Symposium (2004)

  33. Ruan, X.: Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine. Apress (2014)

  34. Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP) (2007)

  35. Sklyarov, D.: Intel ME: flash file system explained. Black Hat Europe (2017)

  36. Sklyarov, D.O.: ME: The Way of the Static Analysis. TROOPERS17 (2017)

  37. Spensky, C., Hu, H., Leach, K.: LO-PHI: low-observable physical host instrumentation for malware analysis. In: NDSS (2016)

  38. Stewin, P., Bystrov, I.: Understanding DMA malware. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 21–41. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37300-8_2

  39. Synopsys: embARC (2019). https://embarc.org/embarc_osp/doc/build/html/arc/arc.html

  40. Tereshkin, A., Wojtczuk, R.: Introducing ring-3 rootkits. Black Hat USA (2009)

  41. The Fedora Project: TBoot (2018). https://sourceforge.net/projects/tboot

  42. UPnP Forum: MeshCommander (2018). http://www.meshcommander.com/

  43. Wei, J., Payne, B.D., Giffin, J., Pu, C.: Soft-timer driven transient kernel control flow attacks and defense. In: 2008 Annual Computer Security Applications Conference (ACSAC) (2008)

  44. Wojtczuk, R., Rutkowska, J.: Attacking SMM memory via Intel CPU cache poisoning. Invisible Things Lab (2009)

  45. Yao, J.: SMM Protection in EDK II (2017). https://uefi.org/sites/default/files/resources/Jiewen

  46. Zhang, F., Leach, K., Stavrou, A., Wang, H., Sun, K.: Using hardware features for increased debugging transparency. In: 2015 IEEE Symposium on Security and Privacy (SP) (2015)

  47. Zhang, F., Wang, H., Leach, K., Stavrou, A.: A framework to secure peripherals at runtime. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 219–238. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11203-9_13

  48. Zhang, F., Wang, J., Sun, K., Stavrou, A.: Hypercheck: A hardware-assisted integrity monitor (2014)

Acknowledgments

Lei Zhou was supported by the China Scholarship Council at Wayne State University. This work is supported in part by the National Natural Science Foundation of China under Grant Number 61632009, the Guangdong Provincial Natural Science Foundation under Grant Number 2017A030308006.

Corresponding author

Correspondence to Fengwei Zhang.


Appendices

A Appendix: Intel ME

An overview of system components and the IME is shown in Fig. 7.

Fig. 7. Overview of the IME. We use its isolation features to provide transparent system introspection capabilities. The left shows the IME in relation to other parts of a host system. The right shows the IME’s memory layout on our prototype. Adapted from Ruan [33].

B Appendix: Code added in Intel IME

Properties of the code we added to the custom IME firmware are shown in Table 5. All told, we wrote 400 lines of new C code and 270 lines of new assembly code, all of which fit in an IME firmware image less than 2 KB in size.

Table 5. Introspection code added in custom IME firmware

C Appendix: Remote Communication Protocol

Here we present the details of the remote communication protocol between the remote server and the IME in the target machine.

Table 6. Communication commands in Nighthawk, each consisting of an operation and corresponding object. Any Command can be combined with any Object.

D Appendix: Performance of the IME Core

We run experiments to investigate the computational capabilities of the IME. In particular, we develop a CPU speed testing benchmark, which we inject into the memcpy function in the IME. That is, this benchmark executes every time memcpy is invoked. The testing program is a nested-loop (inner loop: \(n\), outer loop: \(m\)) function with 15 instructions in the inner loop such that \(n\times m=10^6\). We read the time stamp counter at the beginning and the end of the benchmark—denoted as \(T_1\) and \(T_2\), and thus approximate the average speed of the IME CPU using the formula \(v\approx \frac{15\times 10^{6}\times (n\times m)}{(T_2-T_1)}\). We sweep \(n = \{100, 200, \ldots, 10000\}\) and \(m = \{100, 200, 1000\}\); the experimental result shows that the IME CPU executes approximately 15 million instructions each second. Compared to the target system’s main CPU (which can execute billions of instructions per second), the IME CPU has a significantly lower performance.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Zhou, L., Xiao, J., Leach, K., Weimer, W., Zhang, F., Wang, G. (2019). Nighthawk: Transparent System Introspection from Ring -3. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_11

  • DOI: https://doi.org/10.1007/978-3-030-29962-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29961-3

  • Online ISBN: 978-3-030-29962-0

  • eBook Packages: Computer Science, Computer Science (R0)