Title :
SPECTRE: A dependable introspection framework via System Management Mode
Author :
Fengwei Zhang ; Leach, Kevin ; Kun Sun ; Stavrou, Angelos
Author_Institution :
Center for Secure Inf. Syst., George Mason Univ., Fairfax, VA, USA
Abstract :
Virtual Machine Introspection (VMI) systems have been widely adopted for malware detection and analysis. VMI systems use hypervisor technology for system introspection and to expose malicious activity. However, recent malware can detect the presence of virtualization or corrupt the hypervisor state thus avoiding detection. We introduce SPECTRE, a hardware-assisted dependability framework that leverages System Management Mode (SMM) to inspect the state of a system. Contrary to VMI, our trusted code base is limited to BIOS and the SMM implementations. SPECTRE is capable of transparently and quickly examining all layers of running system code including a hypervisor, the OS, and user level applications. We demonstrate several use cases of SPECTRE including heap spray, heap overflow, and rootkit detection using real-world attacks on Windows and Linux platforms. In our experiments, full inspection with SPECTRE is 100 times faster than similar VMI systems because there is no performance overhead due to virtualization.
Keywords :
Linux; invasive software; user interfaces; virtual machines; virtualisation; BIOS implementations; Linux platforms; SMM implementations; SPECTRE; VMI systems; Windows platforms; dependable introspection framework; hardware-assisted dependability framework; hypervisor technology; malicious activity; malware analysis; malware detection; real-world attacks; rootkit detection; system management mode; virtual machine introspection systems; virtualization; Biomedical monitoring; Hardware; Kernel; Linux; Malware; Monitoring; SMM; introspection; memory attacks;
Conference_Titel :
Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on
Conference_Location :
Budapest
Print_ISBN :
978-1-4673-6471-3
DOI :
10.1109/DSN.2013.6575343
