Nighthawk: Transparent System Introspection from Ring -3

Zhou, Lei; Xiao, Jidong; Leach, Kevin; Weimer, Westley; Zhang, Fengwei; Wang, Guojun

doi:10.1007/978-3-030-29962-0_11

Cited by 7 publications

(6 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our results show that NIGHTHAWK can detect transient attacks if the attacking time is more than 700ms. However, if the attacking time is less than 400ms, the detection rate decreases linearly because NIGHTHAWK requires a certain amount of execution time, more details in previous work [14].…”

Section: Effectiveness Of Host State Monitoringmentioning

confidence: 99%

“…To improve the DMA effectiveness, we enable 4 µDMA channels to parallelly fetch at most 256KB target physical memory one time. More details about µDMA performance are in previous work [14].…”

Section: Efficiencymentioning

confidence: 99%

“…3. NIGHTHAWK[14] has been published in ESORICS 2019.OS. Furthermore, NIGHTHAWK is robust against page table manipulation attacks and transient attacks.• bedded Controller Interface (HECI, also called Management Engine Interface) to secure exchange data between host memory and IME.…”

mentioning

confidence: 99%

See 2 more Smart Citations

A Coprocessor-based Introspection Framework via Intel Management Engine

Zhou

Zhang

Xiao

et al. 2021

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or they must share CPU time with the operating system, disrupting normal execution. In this paper, we propose an introspection framework called NIGHTHAWK that transparently checks system integrity and monitor the runtime state of target system. NIGHTHAWK leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use NIGHTHAWK to introspect the system software and firmware of a host system at runtime. The experimental results show that NIGHTHAWK can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks. Additionally, NIGHTHAWK can monitor the runtime state of host system against the suspicious applications running in target machine.

show abstract

Section: Effectiveness Of Host State Monitoringmentioning

confidence: 99%

Section: Efficiencymentioning

confidence: 99%

See 1 more Smart Citation

A Coprocessor-based Introspection Framework via Intel Management Engine

Zhou

Zhang

Xiao

et al. 2021

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Then we respectively deploy the test approaches, where the domain 0 and VM both use Ubuntu 16.04 and kernel 4.15. Note that ring -3 based Nighthawk is installing on the same platform and does the same introspection work [11]. Thus, we install the Kernel- [8], Hypervisor- [65] and SMM-based defender [66], and use the mpstate to monitor each CPU utilization.…”

Section: ) Comparisonmentioning

confidence: 99%

“…The basic TEE approaches generally use hardware or hypervisor protection to construct isolated environments to protect sensitive computing. Popular hardware features are introduced into commercial machines as transparent and trusted computing bases due to the secure and isolated execution environment-e.g., Intel Management Mode (IME) [11], Intel System Management Mode (SMM) [12], and Trust-Zone [13]. However, the hardware-assisted approaches [14] present the problem of addressing the semantic gap between hardware and software, which requires cooperative technology [15] to construct a secure channel between the TEE and the target system to help transfer and analyze the software data in the TEE without leaking sensitive data.…”

Section: Introductionmentioning

confidence: 99%

RAitc: Securely Auditing the Remotely Executed Applications

2020

Self Cite

View full text Add to dashboard Cite

One of the most important security challenges in remote computing (e.g., cloud computing) is protecting users' applications running on the service platform from malicious attacks. Because remote users have little control over the platform, a malicious platform manager or platform-sharing guest acting as an adversary can easily create an untrustworthy execution environment. Prior studies have leveraged trusted third party (TTP)-based and trusted execution environment (TEE)-based approaches to mitigate such security issues, but these approaches still provide little transparency from the user's perspective. To address this challenge, we present a remote auditing approach based on an identified trust chain (RAitc) to analyze the correctness of remotely loaded applications. The chain is constructed with two goals: the first is to identify the remote platform to ensure that the user has a designated service system; the second is to build a trust chain from the user to the designated platform via verifiable computing-based module measurements and kernel-based application auditing. RAitc achieves a higher guarantee of safety in securely monitoring and verifying the integrity of remote applications executed by users. In addition, RAitc is both easier and more flexible for the extension of the trust base. Our implementation of RAitc protects users' remote execution environments while requiring an acceptable overhead on the target system in application auditing. We rigorously and comprehensively evaluated the effectiveness and performance of RAitc. The results show that RAitc performs effectively and has acceptable resource consumption.

show abstract

A Virtual Machine Protection Framework Against Compromised Hypervisor in Cloud Computing

Mahipal,

Ceronmani Sharmila

2023

Smart Innovation, Systems and Technologies

View full text Add to dashboard Cite

Nighthawk: Transparent System Introspection from Ring -3

Cited by 7 publications

References 21 publications

A Coprocessor-based Introspection Framework via Intel Management Engine

A Coprocessor-based Introspection Framework via Intel Management Engine

RAitc: Securely Auditing the Remotely Executed Applications

A Virtual Machine Protection Framework Against Compromised Hypervisor in Cloud Computing

Contact Info

Product

Resources

About