Abstract
Computer systems are by design insecure and therefore are many security issues
around them. So, security practitioners are always trying to enhance security and
performing verification tasks to minimise the risk of potential threats become successful
attacks. These tasks are usually performed by security tools.
Thus concepts as: isolation, privilege and view are important in the context of
computer systems. Security tools must have good isolation, privilege and view of
the system. Then, security tools must operate isolated, have high privilege and
must have a global view of the system, but also good ability to view and act timely
in its own environment to enhance the chances of success when performing their
tasks and for not being hit by the problems they are trying to solve.
In this context, this research investigates the System Management Mode (SMM)
in the context of Intel processors, current security tools capitalising on SMM and
attacks and misuses of SMM to establish a set of requirements and then design
a generic architecture for SMM-based security tools. That generic architecture is
tested by building a proof of concept to measure the integrity of a file of the Xen
hypervisor. This measurement is limited to the minimum necessary to prove the
concept of the architecture.
The problem context addressed is a cloud computing environment, comprising
of one or more machines (chipsets). Each chipset hosts in its main memory
(DRAM) a virtualised environment comprising of one manager virtual machine,
one or more guest virtual machines and a hypervisor. We address our research investigation
in two levels: the vertical and the horizontal security level. The vertical
security level puts the problem in context, relating it to security issues on: cloud,
chipset, memory, virtualisation layer and cache memory. The horizontal security
level considers the research problem in its environment, relating it to security issues
on components of the bootup process and the processor, such as: Intel VMX,
TXT and SGX, BIOS and so on.
First, we investigate the SMM, its resources and components. Then, we analyse
SMM-based security tools and the opportunities to improve them. We also analyse
SMM attacks and how to thwart them. From the acquired knowledge, we establish
a set of requirements to use SMM for security purposes. Having the requirements,
we design a generic architecture for SMM-based security tools. To test the architecture,
we build a proof of concept comprising of a module to probe chipsets and a
SMM-based hypervisor integrity measurement tool.
The implementation of that architecture was done in a proof of concept designed
to have two modules: a manager and an agent. The manager module is
used for learning about and researching on the target machine, as for probing, setting
and clearing registers related to SMM. The manager can be used in the target machine or in a machine with the same chipset of the target machine. So, it can be
deployed in main memory. The agent basically comprises of two parts: a basic code
embodying management functions and a payload, where the security functions are
implemented. So the use of a payload is what makes the architecture generic since
any security task might be implemented and added in the agent by changing the
payload.
We conclude that any security tool can capitalising on SMM resources provided
that it meets the set of requirements established in this research: small, fast, persistent,
cooperative, isolated, resistant, complete and SMI-independent (meaning
that it can be started by any System management interruption, which occur in the
chipset); and stick to the proposed generic architecture.
around them. So, security practitioners are always trying to enhance security and
performing verification tasks to minimise the risk of potential threats become successful
attacks. These tasks are usually performed by security tools.
Thus concepts as: isolation, privilege and view are important in the context of
computer systems. Security tools must have good isolation, privilege and view of
the system. Then, security tools must operate isolated, have high privilege and
must have a global view of the system, but also good ability to view and act timely
in its own environment to enhance the chances of success when performing their
tasks and for not being hit by the problems they are trying to solve.
In this context, this research investigates the System Management Mode (SMM)
in the context of Intel processors, current security tools capitalising on SMM and
attacks and misuses of SMM to establish a set of requirements and then design
a generic architecture for SMM-based security tools. That generic architecture is
tested by building a proof of concept to measure the integrity of a file of the Xen
hypervisor. This measurement is limited to the minimum necessary to prove the
concept of the architecture.
The problem context addressed is a cloud computing environment, comprising
of one or more machines (chipsets). Each chipset hosts in its main memory
(DRAM) a virtualised environment comprising of one manager virtual machine,
one or more guest virtual machines and a hypervisor. We address our research investigation
in two levels: the vertical and the horizontal security level. The vertical
security level puts the problem in context, relating it to security issues on: cloud,
chipset, memory, virtualisation layer and cache memory. The horizontal security
level considers the research problem in its environment, relating it to security issues
on components of the bootup process and the processor, such as: Intel VMX,
TXT and SGX, BIOS and so on.
First, we investigate the SMM, its resources and components. Then, we analyse
SMM-based security tools and the opportunities to improve them. We also analyse
SMM attacks and how to thwart them. From the acquired knowledge, we establish
a set of requirements to use SMM for security purposes. Having the requirements,
we design a generic architecture for SMM-based security tools. To test the architecture,
we build a proof of concept comprising of a module to probe chipsets and a
SMM-based hypervisor integrity measurement tool.
The implementation of that architecture was done in a proof of concept designed
to have two modules: a manager and an agent. The manager module is
used for learning about and researching on the target machine, as for probing, setting
and clearing registers related to SMM. The manager can be used in the target machine or in a machine with the same chipset of the target machine. So, it can be
deployed in main memory. The agent basically comprises of two parts: a basic code
embodying management functions and a payload, where the security functions are
implemented. So the use of a payload is what makes the architecture generic since
any security task might be implemented and added in the agent by changing the
payload.
We conclude that any security tool can capitalising on SMM resources provided
that it meets the set of requirements established in this research: small, fast, persistent,
cooperative, isolated, resistant, complete and SMI-independent (meaning
that it can be started by any System management interruption, which occur in the
chipset); and stick to the proposed generic architecture.
| Original language | English |
|---|---|
| Qualification | Ph.D. |
| Awarding Institution |
|
| Thesis sponsors | |
| Award date | 1 May 2017 |
| Publication status | Unpublished - 2017 |