Autonomic Recovery: HyperCheck: A Hardware-Assisted Integrity Monitor

Abstract

Over the past few years, virtualization has been employed in environments ranging from densely populated cloud computing clusters to home desktop computers. Security researchers embraced virtual machine monitors (VMMs) as a new mechanism to guarantee deep isolation of untrusted software components. Unfortunately, their widespread adoption promoted VMMs to a prime target for attackers. In this paper, we present HyperCheck, a hardware-assisted tampering detection framework designed to protect the integrity of VMMs and, for some classes of attacks, the underlying operating system (OS). HyperCheck leverages the CPU System Management Mode (SMM), present in x86 systems, to securely generate and transmit the full state of the protected machine to an external server. Using HyperCheck, we were able to ferret out rootkits that targeted the integrity of both the Xen hypervisor and traditional OSes. Moreover, HyperCheck is robust against attacks that aim to disable or block its operation. Our experimental results show that HyperCheck can produce and communicate a scan of the state of the protected software in less than 40ms.

Document Details

Document Type
Technical Report
Publication Date
Aug 01, 2013
Accession Number
ADA589948

Entities

People

  • Angelos Stavrou
  • Anup Ghosh
  • Jiang Wang

Organizations

  • George Mason University

Tags

Communities of Interest

  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Air Force
  • Air Force Research Laboratories
  • Computer Programs
  • Computers
  • Debugging
  • Denial Of Service Attack
  • Detection
  • Hypervisors
  • Information Operations
  • Intrusion Detection
  • Intrusion Detectors
  • Kernels (Operating System)
  • Malware
  • Operating Systems
  • Prototypes
  • Standards
  • Virtual Machines

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Parallel and Distributed Computing.

Technology Areas

  • Cyber