Remote Monitoring of Memory Data Structures for Malware Detection in a TALOS II Architecture

Abstract

New forms of malware, namely fileless malware and rootkits, pose a threat to traditional anti-malware. In particular, rootkits have the capacity to obscure the present state of memory from the user space of a target machine. If this happens, anti-malware running in the user space of an affected machine cannot be trusted to operate properly. To combat this threat, this research proposes the remote monitoring of memory from a second, secure processor running OpenBMC, serving as a baseboard management controller for a POWER9 processor, which is assumed vulnerable to exploitation. The baseboard management controller includes an application called pdbg, used for debugging POWER9 processors. This application allows both reading and writing of registers and system memory of the POWER9 processor from the baseboard management controller directly via the field replaceable unit support interface (FSI) bus. This research developed a program that runs on the baseboard management controller and uses pdbg to traverse the process tree active in the memory of the POWER9 processor. By traversing this data structure, the program can view the entire process tree remotely and verify whether information in memory is being hidden from user space on the POWER9.
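The following is an added illustration of the technique the abstract describes, not the program developed in the report: it follows the kernel's circular task list from the BMC side using raw physical-memory reads and compares the result with the process list the (untrusted) host user space reports. The pdbg invocation (`pdbg -p 0 getmem --raw <addr> <size>`), the physical address of `init_task`, the `task_struct` field offsets and the ppc64 linear-map base are assumptions written as constants; on a real system they must be taken from the host's vmlinux and System.map. A constructed in-memory image stands in for the host so the walker runs offline.

```python
"""Walk the Linux task list in host memory from the BMC and flag hidden PIDs.

Added example; pdbg syntax and all layout constants below are assumptions.
"""
import struct
import subprocess
from typing import Dict, List, Protocol, Set, Tuple

# Hypothetical layout constants (assumed); take real values from the host
# kernel build, e.g. "pahole -C task_struct vmlinux" and System.map.
INIT_TASK_PADDR = 0x1C00000          # physical address of init_task
TASKS_OFFSET = 0x3C8                 # offsetof(struct task_struct, tasks)
PID_OFFSET = 0x550                   # offsetof(struct task_struct, pid)
COMM_OFFSET = 0x6B0                  # offsetof(struct task_struct, comm)
COMM_LEN = 16                        # TASK_COMM_LEN
KERNEL_VA_BASE = 0xC000000000000000  # ppc64 linear map: virt - base = phys


class MemReader(Protocol):
    def read(self, paddr: int, size: int) -> bytes: ...


class PdbgReader:
    """Reads host RAM over FSI via pdbg on OpenBMC (CLI flags assumed)."""

    def __init__(self, proc: int = 0) -> None:
        self.proc = proc

    def read(self, paddr: int, size: int) -> bytes:
        cmd = ["pdbg", "-p", str(self.proc), "getmem", "--raw",
               hex(paddr), str(size)]
        return subprocess.run(cmd, check=True, capture_output=True).stdout


class FakeReader:
    """Constructed memory image keyed by base physical address (offline stand-in)."""

    def __init__(self, image: Dict[int, bytes]) -> None:
        self.image = image

    def read(self, paddr: int, size: int) -> bytes:
        for base, blob in self.image.items():
            if base <= paddr and paddr + size <= base + len(blob):
                return blob[paddr - base:paddr - base + size]
        raise ValueError(f"unmapped read at {paddr:#x}")


def virt_to_phys(va: int) -> int:
    return va - KERNEL_VA_BASE


def walk_tasks(mem: MemReader, init_task_paddr: int = INIT_TASK_PADDR,
               endian: str = "<", limit: int = 65536) -> Dict[int, str]:
    """Follow init_task.tasks.next around the circular list; return pid -> comm."""
    def u64(pa: int) -> int:
        return struct.unpack(endian + "Q", mem.read(pa, 8))[0]

    def task_at(ts_pa: int) -> Tuple[int, str]:
        pid = struct.unpack(endian + "i", mem.read(ts_pa + PID_OFFSET, 4))[0]
        raw = mem.read(ts_pa + COMM_OFFSET, COMM_LEN)
        return pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")

    head_va = KERNEL_VA_BASE + init_task_paddr + TASKS_OFFSET
    seen: Dict[int, str] = {}
    pid, comm = task_at(init_task_paddr)          # init_task itself (pid 0)
    seen[pid] = comm
    cur_va = u64(init_task_paddr + TASKS_OFFSET)  # init_task.tasks.next
    steps = 0
    while cur_va != head_va:
        steps += 1
        if steps > limit:                         # pointer cycle that skips the head
            raise RuntimeError("task list never returns to init_task; corrupted next pointer")
        ts_pa = virt_to_phys(cur_va) - TASKS_OFFSET  # container_of(next, task_struct, tasks)
        pid, comm = task_at(ts_pa)
        seen[pid] = comm
        cur_va = u64(ts_pa + TASKS_OFFSET)
    return seen


def hidden_pids(bmc_view: Dict[int, str], userspace_pids: Set[int]) -> Dict[int, str]:
    """Tasks present in kernel memory but absent from the host's own /proc listing."""
    return {pid: comm for pid, comm in bmc_view.items()
            if pid != 0 and pid not in userspace_pids}  # pid 0 never appears in /proc


def build_fake_image(entries: List[Tuple[int, str]], endian: str = "<") -> Dict[int, bytes]:
    """Constructed sample image: task_structs 0x1000 apart, linked in a circular list."""
    size = 0x1000
    addrs = [INIT_TASK_PADDR + i * size for i in range(len(entries))]
    image: Dict[int, bytes] = {}
    for i, (pid, comm) in enumerate(entries):
        blob = bytearray(size)
        nxt = KERNEL_VA_BASE + addrs[(i + 1) % len(entries)] + TASKS_OFFSET
        prv = KERNEL_VA_BASE + addrs[(i - 1) % len(entries)] + TASKS_OFFSET
        struct.pack_into(endian + "QQ", blob, TASKS_OFFSET, nxt, prv)
        struct.pack_into(endian + "i", blob, PID_OFFSET, pid)
        blob[COMM_OFFSET:COMM_OFFSET + COMM_LEN] = comm.encode().ljust(COMM_LEN, b"\0")[:COMM_LEN]
        image[addrs[i]] = bytes(blob)
    return image


if __name__ == "__main__":
    # Constructed host: four tasks in memory, but user space only admits to two.
    img = build_fake_image([(0, "swapper/0"), (1, "systemd"), (742, "sshd"), (1337, "evil")])
    view = walk_tasks(FakeReader(img))
    print("hidden from user space:", hidden_pids(view, {1, 742}))
```

The `endian` parameter matters on POWER9: ppc64le hosts are little-endian, but a big-endian kernel is possible and the BMC cannot assume one from its own byte order. A practitioner should also note the limit of this check: a rootkit that unlinks its `task_struct` from the `tasks` list (direct kernel object manipulation) is invisible to this traversal too, so the same memory reads should be cross-checked against another structure that still references the task, such as the PID hash or per-CPU run queues.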

Document Details

Document Type
Technical Report
Publication Date
Mar 25, 2021
Accession Number
AD1144416

Entities

People

  • Robert A. Willburn

Organizations

  • Air Force Institute of Technology

Tags

DTIC Thesaurus Topics

  • Air Force
  • Anti-Malware Software
  • Case Studies
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Cybersecurity
  • Debugging
  • Department Of Defense
  • Detection
  • Engineering
  • Firmware
  • Governments
  • Information Processing
  • Operating Systems
  • United States Government

Readers

  • Cybersecurity.
  • Parallel and Distributed Computing.

Technology Areas

  • Cyber
  • Space