SPECTRE: A dependable introspection framework via System Management Mode

2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2013-06-24 DOI:10.1109/DSN.2013.6575343

Fengwei Zhang, Kevin Leach, Kun Sun, A. Stavrou

{"title":"SPECTRE: A dependable introspection framework via System Management Mode","authors":"Fengwei Zhang, Kevin Leach, Kun Sun, A. Stavrou","doi":"10.1109/DSN.2013.6575343","DOIUrl":null,"url":null,"abstract":"Virtual Machine Introspection (VMI) systems have been widely adopted for malware detection and analysis. VMI systems use hypervisor technology for system introspection and to expose malicious activity. However, recent malware can detect the presence of virtualization or corrupt the hypervisor state thus avoiding detection. We introduce SPECTRE, a hardware-assisted dependability framework that leverages System Management Mode (SMM) to inspect the state of a system. Contrary to VMI, our trusted code base is limited to BIOS and the SMM implementations. SPECTRE is capable of transparently and quickly examining all layers of running system code including a hypervisor, the OS, and user level applications. We demonstrate several use cases of SPECTRE including heap spray, heap overflow, and rootkit detection using real-world attacks on Windows and Linux platforms. In our experiments, full inspection with SPECTRE is 100 times faster than similar VMI systems because there is no performance overhead due to virtualization.","PeriodicalId":163407,"journal":{"name":"2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"41 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-06-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"69","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2013.6575343","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 69

Abstract

Virtual Machine Introspection (VMI) systems have been widely adopted for malware detection and analysis. VMI systems use hypervisor technology for system introspection and to expose malicious activity. However, recent malware can detect the presence of virtualization or corrupt the hypervisor state thus avoiding detection. We introduce SPECTRE, a hardware-assisted dependability framework that leverages System Management Mode (SMM) to inspect the state of a system. Contrary to VMI, our trusted code base is limited to BIOS and the SMM implementations. SPECTRE is capable of transparently and quickly examining all layers of running system code including a hypervisor, the OS, and user level applications. We demonstrate several use cases of SPECTRE including heap spray, heap overflow, and rootkit detection using real-world attacks on Windows and Linux platforms. In our experiments, full inspection with SPECTRE is 100 times faster than similar VMI systems because there is no performance overhead due to virtualization.

查看原文本刊更多论文

SPECTRE:一个可靠的内省框架，通过系统管理模式

虚拟机自省(VMI)系统被广泛应用于恶意软件的检测和分析。VMI系统使用管理程序技术进行系统自省和暴露恶意活动。然而，最近的恶意软件可以检测到虚拟化的存在或破坏管理程序状态，从而避免检测。我们介绍SPECTRE，一个硬件辅助的可靠性框架，它利用系统管理模式(SMM)来检查系统的状态。与VMI相反，我们的可信代码库仅限于BIOS和SMM实现。SPECTRE能够透明、快速地检查运行中的系统代码的所有层，包括管理程序、操作系统和用户级应用程序。我们演示了SPECTRE的几个用例，包括堆喷雾、堆溢出和rootkit检测，这些用例使用了Windows和Linux平台上的真实攻击。在我们的实验中，SPECTRE的全面检查速度比类似的VMI系统快100倍，因为没有虚拟化带来的性能开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量