English

EPA-RIMM: A Framework for Dynamic SMM-based Runtime Integrity Measurement

Cryptography and Security 2018-05-11 v1

Abstract

Runtime integrity measurements identify unexpected changes in operating systems and hypervisors during operation, enabling early detection of persistent threats. System Management Mode, a privileged x86 CPU mode, has the potential to effectively perform such rootkit detection. Previously proposed SMM-based approaches demonstrated effective detection capabilities, but at a cost of performance degradation and software side effects. In this paper we introduce our solution to these problems, an SMM-based Extensible, Performance Aware Runtime Integrity Measurement Mechanism called EPA-RIMM. The EPA-RIMM architecture features a performance-sensitive design that decomposes large integrity measurements and schedules them to control perturbation and side effects. EPA-RIMM's decomposition of long-running measurements into shorter tasks, extensibility, and use of SMM complicates the efforts of malicious code to detect or avoid the integrity measurements. Using a Minnowboard-based prototype, we demonstrate its detection capabilities and performance impacts. Early results are promising, and suggest that EPA-RIMM will meet production-level performance constraints while continuously monitoring key OS and hypervisor data structures for signs of attack.

Keywords

Cite

@article{arxiv.1805.03755,
  title  = {EPA-RIMM: A Framework for Dynamic SMM-based Runtime Integrity Measurement},
  author = {Brian Delgado and Karen L. Karavanic},
  journal= {arXiv preprint arXiv:1805.03755},
  year   = {2018}
}

Comments

13 pages

R2 v1 2026-06-23T01:50:22.395Z