A Framework to Secure Peripherals at Runtime

Fengwei Zhang1, Haining Wang2, Kevin Leach3, and Angelos Stavrou1
1 George Mason University, Fairfax, VA, USA
2 College of William and Mary, Williamsburg, VA, USA
3 University of Virginia, Charlottesville, VA, USA

Abstract. Secure hardware forms the foundation of a secure system. However, securing hardware devices remains an open research problem. In this paper, we present IOCheck, a framework to enhance the security of I/O devices at runtime. It leverages System Management Mode (SMM) to quickly check the integrity of I/O configurations and firmware. IOCheck is agnostic to the operating system. We use random-polling and event-driven approaches to switch into SMM. We implement a prototype of IOCheck and conduct extensive experiments on physical machines. Our experimental results show that IOCheck takes 10 milliseconds to check the integrity of a network card and a video card. Also, IOCheck introduces a low overhead on Windows and Linux platforms. We show that IOCheck achieves a faster switching time than the Dynamic Root of Trust Measurement approach.

Keywords: Integrity, Firmware, I/O Configurations, SMM.
1 Introduction

As hardware devices have become more complex, firmware functionality has expanded, exposing new vulnerabilities to attackers. The National Vulnerabilities Database (NVD [1]) shows that 183 firmware vulnerabilities have been found since 2011. The Common Vulnerabilities and Exposures (CVE) list from Mitre shows 537 entries that match the keyword 'firmware,' and 94 new firmware vulnerabilities were found in 2013 [2]. A recent study shows that 40,000 servers are remotely exploitable due to vulnerable management firmware [3]. Attackers can exploit these vulnerabilities in firmware [4] or tools for updating firmware [5]. After compromising the firmware of an I/O device (e.g., NIC card), attackers alter memory via DMA [4,6,7] or compromise surrounding I/O devices [8,9]. Fortunately, the Input Output Memory Management Unit (IOMMU) mechanism can protect the host memory from DMA attacks. It maps each I/O device to a specific area in the host memory so that any invalid access fails. Intel Virtualization Technology for Directed I/O (VT-d) is one example of IOMMU. AMD also has its own I/O virtualization technology called AMD-Vi. However, IOMMU cannot always be trusted as a countermeasure against DMA attacks, as it relies on a flawless configuration to operate correctly [10]. In particular, researchers have demonstrated several attacks against IOMMU [11–13].

M. Kutylowski and J. Vaidya (Eds.): ESORICS 2014, Part I, LNCS 8712, pp. 219–238, 2014.
© Springer International Publishing Switzerland 2014
Static Root of Trust for Measurement (SRTM) [14], with help from the Trusted Platform Module (TPM) [15], can check the integrity of the firmware and I/O configurations while booting. It uses a fixed or immutable piece of trusted code, called the Core Root of Trust for Measurement (CRTM), contained in the BIOS at the start of the entire booting chain, and every piece of code in the chain is measured by the predecessor code before it is executed, including firmware. However, SRTM only secures the booting process and cannot provide runtime integrity checking.

The Trusted Computing Group introduced Dynamic Root of Trust for Measurement (DRTM) [16]. To implement this technology, Intel developed Trusted eXecution Technology (TXT) [17], providing a trusted way to load and execute system software (e.g., OS or VMM). TXT uses a new CPU instruction, SENTER, to control the secure environment. Intel TXT does not make any assumptions about the system state, and it provides a dynamic root of trust for Late Launch. Thus, TXT can be used to check the runtime integrity of I/O configurations and firmware. AMD has a similar technology called Secure Virtual Machine (SVM), and it uses the SKINIT instruction to enter the secure environment. However, both TXT and SVM introduce a significant overhead on the Late Launch operation (e.g., the SKINIT instruction in [18]).
In this paper, we present IOCheck, a framework to enhance the security of I/O devices at runtime. It leverages System Management Mode (SMM), a CPU mode in the x86 architecture, to quickly check the integrity of I/O configurations and firmware. IOCheck identifies the target I/O devices on the motherboard and checks the integrity of their corresponding configurations and firmware. In contrast to existing firmware integrity checking systems [19,20], our approach is based on SMM instead of Protected Mode (PM). While PM-based approaches assume the booting process is secure and the OS is trusted, our approach only assumes a secure BIOS boot to set up SMM, which is easily achieved via SRTM.

The superiority of SMM over PM is two-fold. First, we can reduce the Trusted Computing Base (TCB) of the analysis platform. Similar to Viper [20] and NAVIS [19], IOCheck is a runtime integrity checking system. Viper and NAVIS assume the OS is trusted and use software in PM to check the integrity, while IOCheck uses SMM without relying on the OS, resulting in a much smaller TCB. IOCheck is also immune to attacks against the OS, facilitating a stronger threat model than the checking systems running in the OS. Second, we achieve a much higher performance compared to the DRTM approaches [18] running in PM. DRTM does not rely on any system code; it can provide a dynamic root of trust for integrity checking. IOCheck can achieve the same security goal because SMM is a trusted and isolated execution environment. However, IOCheck is able to achieve a much higher performance than Intel TXT or AMD SVM approaches. Based upon experimental results, SMM switching takes microseconds, while the switching operation of the DRTM approach [18] takes milliseconds.

We implement a prototype of our system using different methods to enter SMM. First, we develop a random polling-based integrity checking system that checks the integrity of I/O devices, which can mitigate transient attacks [21,22]. To further defend against transient attacks, we also implement an event-driven system that checks the integrity of a network card's management firmware. We conduct extensive experiments to evaluate IOCheck on both Microsoft Windows and Linux systems. The experimental results show that the SMM code takes about 10 milliseconds to check the PCI configuration space and firmware of the NIC and VGA. Through testing IOCheck with popular benchmarks, IOCheck incurs about a 2% overhead when we set the random polling instruction interval between [1, 0xffffffff]¹. We also compare IOCheck with the DRTM approach; our results indicate that our system's switching time is three orders of magnitude faster than DRTM. Furthermore, the switching time of IOCheck is constant, while the switching operation in DRTM depends on the size of the loaded secure code.

Contributions. This work makes the following contributions:
– We provide a framework that checks the integrity of I/O devices at runtime.
– IOCheck is OS-agnostic and is implemented in SMM.
– We implement a prototype that uses random-polling and event-driven approaches to mitigate transient attacks.
– We demonstrate the effectiveness of our system by checking the integrity of a popular network card and video card, and we show that our system introduces a low operating overhead on both Windows and Linux platforms.
2 Background

2.1 Computer Hardware Architecture

The Central Processing Unit (CPU) connects to the Northbridge via the Front-Side Bus. The Northbridge contains the Memory Management Unit (MMU) and IOMMU, collectively called the Memory Controller Hub (MCH). The Northbridge also connects to the memory, graphics card, and Southbridge. The Southbridge connects a variety of I/O devices including USB, SATA, and Super I/O, among others. The BIOS is also connected to the Southbridge. Figure 2 in the Appendix shows the hardware architecture of a typical computer.

2.2 Firmware Rootkits

A firmware rootkit creates a persistent malware image in hardware devices such as network cards, disks, and the BIOS. The capabilities of firmware rootkits can be summarized as follows. First, firmware rootkits can modify the host memory via DMA if a system does not have an IOMMU or if it is incorrectly configured. Second, a compromised device can access sensitive data that passes through it [23]. For instance, a NIC rootkit can eavesdrop on network packets containing passwords. Third, a hardware device with malicious firmware may be able to compromise surrounding devices via peer-to-peer communication. For example, a compromised NIC may access GPU memory [24]. Last but not least, an advanced firmware rootkit can even survive a firmware update [25].

¹ It takes about 0.5 s to run 0xffffffff instructions. Table 2 explains this further.
2.3 System Management Mode and Coreboot

System Management Mode (SMM) is a CPU mode in the x86 architecture. It is similar to Real and Protected Modes. It provides an isolated execution environment for implementing system control functions such as power management. SMM is initialized by the BIOS. Before the system boots up, the BIOS loads the SMM code into System Management RAM (SMRAM), a special memory region that is inaccessible from other CPU modes. SMM is triggered by asserting the System Management Interrupt (SMI) pin on the motherboard. Both hardware and software are able to assert this pin, although the specific method depends on the chipset. After assertion, the system automatically saves its CPU state into SMRAM and then executes the SMI handler code. An RSM instruction is executed at the end of the SMI handler to switch back to Protected Mode.

Coreboot [26] aims to replace the legacy BIOS in most computers. It performs some hardware initialization and then executes additional boot logic, called a payload. With the separation of hardware initialization and later boot logic, Coreboot provides flexibility to run custom bootloaders or a Unified Extensible Firmware Interface (UEFI). It switches to Protected Mode early in the booting process and is written mostly in the C language. Google Chromebooks are manufactured and shipped with Coreboot.
3 Threat Model and Assumptions

3.1 Threat Model

We consider two attack scenarios. First, we consider an attacker who gains control of a host through a software vulnerability and then attempts to remain resident in a stealthy manner. We assume such an attacker installs firmware rootkits (specifically, a backdoor [23]) after infecting the OS so that the malicious code remains even if the user reinstalls the OS. In the second scenario, we assume the firmware itself can be remotely exploited due to vulnerabilities. For instance, Duflot et al. [4] demonstrate an attack that remotely compromises a Broadcom NIC with crafted UDP packets. Additionally, Bonkoski et al. [3] show a buffer overflow vulnerability in management firmware that affected thousands of servers.

3.2 Assumptions

An attacker is able to tamper with the firmware by exploiting zero-day vulnerabilities. Since IOCheck does not rely on the operating system, we assume the attacker has ring 0 privilege. Thus, attackers are granted more capabilities in our work than in those OS-based systems [19,20]. We assume the system is equipped with SRTM, in which the CRTM is trusted so that it can perform a self-measurement of the BIOS. Once the SMM code is securely loaded into the SMRAM, we lock the SMRAM in the BIOS. We assume the SMM is secure after locking SMRAM, and we will discuss attacks against SMM in Section 7. Moreover, we assume the attacker does not have physical access to our system.
[Fig. 1. Architecture of IOCheck. Target Machine: I/O devices (Network Card, Graphics Card, Disk Controller, Other I/O Device, ...) and System Management Mode; steps: 1) Random Polling-based or Event-driven Triggering, Enter SMM; 2) Check Firmware and I/O Configurations; 3) Found Attack, Audible Tone; 4) Execute RSM, Exit SMM. Serial cable to External Machine.]

4 System Framework

Figure 1 shows the architecture of IOCheck. The target machine connects to the external machine via a serial cable. In the target machine, the box on the left lists all of the I/O devices on a motherboard; the box on the right represents the System Management Mode code that checks the integrity of I/O configurations and firmware. The framework performs four steps for each check: 1) the target machine switches into SMM; 2) the SMI handler checks the integrity of target I/O devices; 3) if a potential attack has been found, the target machine plays an audible tone and SMM sends a message to the external machine via the serial cable; and 4) the target machine executes the RSM instruction to exit SMM. These steps are further described below.
4.1 Triggering an SMI

In general, there are software- and hardware-based methods to trigger an SMI. In software, we can write to an ACPI port to raise an SMI. For example, Intel chipsets use port 0x2b as specified by the Southbridge datasheet. Our testbed with a VIA VT8237r Southbridge uses 0x52f as the SMI trigger port [27]. In terms of hardware-based methods, there are many hardware devices that can be used to raise an SMI, including keyboards, network cards, and hardware timers.

The algorithm for triggering SMIs plays an important role in the system design. In general, there are polling-based and event-driven approaches used to generate SMIs. The polling-based approach polls the state of a target system at regular intervals. When we use this approach to check the integrity of a target system, it compares the newly retrieved state with a known pristine state to see if any malicious changes have occurred. However, polling at regular intervals in the system is susceptible to transient [21] or evasion attacks [22]. Transient attacks are a class of attacks that do not produce persistent changes within a victim's system. Polling-based systems suffer from transient attacks because they infer intrusions based upon the presence of an inconsistent state. Transient attacks can thus avoid detection by removing any evidence before a polling event and resuming malicious activity between polls. Mitigating these attacks requires either 1) minimizing the polling window so that there is less of a chance for the malware to clean its evidence, or 2) randomizing the polling window so that malware cannot learn a pattern for cleaning its evidence. We implement these methods in IOCheck via performance counters to trigger SMIs.

Moreover, we can use an event-driven triggering method to further mitigate transient attacks. Polling-based systems are likely to miss events between two checks that an event-driven approach would not. For instance, we can trigger SMIs when a region of memory changes, allowing us to monitor the state, including malicious changes.
4.2 Checking I/O Configurations and Firmware

Configurations of I/O Devices. Before the system boots up, the BIOS initializes all of the hardware devices on the motherboard and populates corresponding configuration spaces for each one. These devices rely on the configurations to operate correctly. Here we use the PCI configuration space and IOMMU configuration as examples.

PCI Configuration Space: Each PCI or PCIe controller has a configuration space. Device drivers read these configurations to determine what resources (e.g., memory-mapped location) have been assigned by the BIOS to the devices. Note that the PCI configurations should be static after the BIOS initialization. However, an attacker with ring 0 privilege can modify the PCI configuration space. For example, the attacker can relocate the device memory by changing the Base Address Register in the PCI configuration space. Additionally, PCI/PCIe devices that support Message Signaled Interrupts (MSI) contain registers in the PCI configuration space to configure MSI delivery. Wojtczuk and Rutkowska demonstrate that the attacker in the driver domain of a VM can generate malicious MSIs to compromise a Xen hypervisor [13]. Note that IOCheck assumes the PCI configuration remains the same after the BIOS initialization and does not consider "Plug-and-Play" PCI/PCIe devices.

IOMMU Configurations: IOMMU restricts memory access from I/O devices. For example, it can prevent a DMA attack from a compromised I/O device. IOMMU is comprised of a set of DMA Remapping Hardware Units (DRHU). They are responsible for translating addresses from I/O devices to physical addresses in the host memory. The DRHU first identifies a DMA request by BDF-ID (Bus, Device, Function number). Then, it uses the BDF-ID to locate the page tables associated with the requesting I/O controller. Finally, it translates the DMA Virtual Address (DVA) to a Host Physical Address (HPA), much like MMU translation. Although IOMMU gives us effective protection from DMA attacks, it relies on proper configurations to operate correctly. Several techniques have been demonstrated to bypass IOMMU [11,13]. We can mitigate these attacks by checking the integrity of the critical configurations of IOMMU at runtime. Table 4 in the Appendix shows the static configuration of IOMMU.
Firmware Integrity. We aim to check the firmware of I/O devices including the network card, graphics card, disk controller, keyboard, and mouse. We describe the process of checking a NIC, VGA, and the BIOS as examples.

Network Interface Controller: Modern network cards continue to increase in complexity. NICs usually include a separate on-chip processor and memory to support various functions. Typically, a NIC loads its firmware from Electrically Erasable Programmable Read-Only Memory (EEPROM) to flash memory, and it then executes the code on the on-chip processor. IOCheck stores a hash value of the original firmware image and checks the integrity of the NIC's firmware at runtime. For some network cards [28], we can monitor the instruction pointer of the on-chip CPU through the NIC's debugging registers. This can restrict the instruction pointer to the code section of the memory region. If the instruction pointer points to a memory region that stores heap or stack data, then a code injection or control flow hijacking may have occurred. Monitoring the integrity of the static code and instruction pointer can prevent an attacker from injecting malicious code into the firmware; however, it cannot detect advanced attacks, such as Return Oriented Programming attacks, since they technically do not inject any code. To detect these attacks, we can implement a shadow stack to protect the control flow integrity of the NIC firmware. Duflot et al. implemented a similar concept in NAVIS [19]. We will study the control flow integrity of the firmware in future work.

Video Graphics Adapter: The Video Graphics Adapter (VGA) normally requires device-specific initialization, and the motherboard BIOS does not have knowledge of all possible vendor-specific initialization procedures. Fortunately, the PCI expansion ROM (i.e., option ROM) can be executed to initialize the VGA device. The VGA expansion ROM code is stored on the device, and this mechanism allows the ROM to contain multiple images that support different processor architectures (e.g., x86, HP RISC). However, the ROM code on the device can be flashed with a customized image [29] or malicious code [30]. IOCheck uses SMM to ensure the integrity of the VGA option ROM at runtime.

Basic Input Output System: As mentioned before, SRTM can check the integrity of the BIOS at boot time, which helps us to securely load the SMM code from the BIOS into the SMRAM. After the system boots up, attackers with ring 0 privilege might modify the BIOS using various tools (e.g., flashrom [31]). However, they are not able to access locked SMRAM. Thus, we can use the SMM code to check the runtime integrity of the BIOS. Although the modified BIOS with malicious code cannot be executed until the system resets, and SRTM will detect this BIOS attack before booting, we can detect this attack earlier than SRTM, which provides runtime detection and serves as a complementary defense. Earlier detection of such attacks can also limit the damage they wreak against the system. Note that we assume the CRTM in the BIOS is immutable and trusted, but attackers can modify any other BIOS code (e.g., ACPI tables). Otherwise, we cannot perform SRTM correctly.
4.3 Reporting an Alert and Exiting SMM

The last stage of IOCheck is to report any alerts to a human operator. We accomplish this task by playing an audible tone to notify a user that a potential attack may be happening. To distinguish the type of attack, we use different tone frequencies for the various I/O attacks. In addition, we use a serial cable to connect the target machine to the external machine. IOCheck assumes attackers with ring 0 privilege, which means they are able to modify hardware registers to block SMI assertions and launch a Denial-of-Service (DoS) attack against our system. We use the external machine to detect the DoS attack. For example, the random polling-based triggering in IOCheck must generate SMIs at least every maximum time interval, whereupon the external machine expects a message from SMM via the serial cable. If the external machine does not receive a log message in the interval, we conclude that a DoS attack has occurred. We also use a secret key to authenticate the log messages to avoid fake messages. Specifically, the target machine establishes a shared secret key with the external machine in the BIOS while booting. Since we trust the BIOS at startup, we can store the secret in the trusted SMRAM. Later, only the SMI handler can access it, which prevents attackers from spoofing messages.

Note that the reporting stage executes within SMM. Even if an attack disables the PC speaker or serial console in PM, we can enable it in SMM and guarantee that an audible tone and a serial message are delivered. After the reporting stage, the SMI handler simply executes the RSM instruction to exit from SMM.
5 System Implementation

We implement a prototype of the IOCheck system using two physical machines. The target machine uses an ASUS M2V-MX SE motherboard with an AMD K8 Northbridge and a VIA VT8237r Southbridge. It has a 2.2 GHz AMD LE-1250 CPU and 2 GB Kingston DDR2 RAM. We use a PCIe-based Intel 82574L Gigabit Ethernet Controller and a PCI-based Jaton VIDEO-498PCI-DLP Nvidia GeForce 9500 GT as the testing devices. To program SMM, we use the open-source BIOS Coreboot. Since IOCheck is OS-agnostic, we install Microsoft Windows 7 and CentOS 5.5 on the target machine. The external machine is a Dell Inspiron 15R laptop with Ubuntu 12.04 LTS. It uses a 2.4 GHz Intel Core i5-2430M CPU and 6 GB DDR3 RAM.
5.1 Triggering an SMI

We implement a random polling-based triggering algorithm to check the integrity of I/O configurations and firmware by using performance counters to generate SMIs. The performance monitoring registers count hardware events such as instruction retirement, L1 cache misses, or branch mispredictions. The x86 machines provide four of these counters from which we can select a specific hardware event to count [32]. To generate an SMI, we first configure one of the performance counters to store its maximum value. Next, we select a desired event (e.g., a retired instruction or cache miss) to count so that the next occurrence of that event will overflow the counter. Finally, we configure the Local Advanced Programmable Interrupt Controller (APIC) to deliver an SMI when an overflow occurs. Thus, we are able to trigger an SMI for the desired event. The performance counting event is configured by the PerfEvtSel register, and the performance counter is set by the PerfCtr register [32].

To randomly generate SMIs, we first generate a pseudo-random number, r, ranging from 1 to m, where m is a user-configurable maximum value. For example, a user could set m as 0xffff (2^16 − 1), so the random number resides in the set [1, 0xffff]. Next, we set the performance counter to its maximum value (0xffffffffffff) minus this random number (2^48 − 1 − r). We also set the desired event in PerfEvtSel and start to count the event. Thus, an SMI will be raised after r occurrences of the desired event. We use a linear-congruential algorithm to generate the pseudo-random number, r, in SMM. We use the parameters of the linear-congruential algorithm from Numerical Recipes [33]. We use the TSC value as the initial seed and save the current random number in SMRAM as the next round's seed.

To further mitigate transient attacks, we consider event-driven triggering approaches. We implement an event-driven version of IOCheck for checking the integrity of a NIC's management firmware, and the detailed implementation is described as follows. When a management packet arrives at the PHY interface of the NIC, the manageability firmware starts to execute. We use Message Signalled Interrupts (MSI) to trigger an SMI when a manageability packet arrives at the network card. First, we configure the network card to deliver an MSI to the I/O APIC with the delivery mode specified as SMI. When the I/O APIC receives this interrupt, it automatically asserts the SMI pin, and an SMI is generated. Next, we use the SMM code to check the integrity of the management firmware. Note that this triggering is generated via a hardware interrupt in the NIC, and the management firmware code is decoupled from it. Thus, we trigger an SMI for every manageability packet before the firmware has an opportunity to process it.
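The random-polling arithmetic above, as an added example that is not the paper's code: it draws r with the Numerical Recipes LCG, computes the PerfCtr arming value, simulates the 48-bit AMD K8 counter until it overflows, and converts instruction counts to time with the T = I/(C·IPC) relation used in Section 6.4. The in-memory counter model, the seed, and the assumption that the overflow SMI fires on the wrap from 2^48 − 1 to 0 are ours.

```c
/* Added example, not the paper's code: models IOCheck's random-polling
 * trigger (Section 5.1) and the instruction-to-time conversion of Section 6.4.
 * Register writes are simulated in memory; the assumption that the counter
 * overflow fires on the wrap from 2^48-1 to 0 is ours. */
#include <stdint.h>
#include <stdio.h>

#define PERFCTR_MAX 0xffffffffffffULL  /* 2^48 - 1: K8 performance counters are 48 bits wide */

/* Numerical Recipes LCG: x' = 1664525*x + 1013904223 (mod 2^32). The paper
 * keeps the state in SMRAM between SMIs; a static stands in for that here. */
static uint32_t lcg_state;

void lcg_seed(uint32_t tsc_low) { lcg_state = tsc_low; }

uint32_t lcg_next(void) {
    lcg_state = 1664525u * lcg_state + 1013904223u;
    return lcg_state;
}

/* r in [1, m], where m is the user-configurable maximum (e.g. 0xffff). */
uint64_t next_polling_interval(uint64_t m) {
    return (uint64_t)lcg_next() % m + 1;
}

/* Value to load into PerfCtr so that the r-th counted event overflows it.
 * The paper writes 2^48 - 1 - r; the extra +1 here reflects our assumption
 * that the overflow SMI fires when the counter wraps from 2^48 - 1 to 0. */
uint64_t perfctr_arm_value(uint64_t r) {
    return PERFCTR_MAX - r + 1;
}

/* Simulated counter: number of events until the 48-bit value wraps to zero. */
uint64_t events_until_overflow(uint64_t armed) {
    uint64_t ctr = armed & PERFCTR_MAX, events = 0;
    do {
        ctr = (ctr + 1) & PERFCTR_MAX;
        events++;
    } while (ctr != 0);
    return events;
}

/* T = I / (C * IPC) in microseconds; Section 6.4 uses C = 2.2 GHz, IPC = 3. */
double instructions_to_us(uint64_t instructions, double clock_hz, double ipc) {
    return (double)instructions / (clock_hz * ipc) * 1e6;
}

int main(void) {
    lcg_seed(0x1234abcdu);                 /* the real seed is the TSC value */
    for (int round = 0; round < 3; round++) {
        uint64_t r = next_polling_interval(0xffff);
        uint64_t armed = perfctr_arm_value(r);
        printf("round %d: r=%llu PerfCtr=0x%012llx fires after %llu events (%.2f us)\n",
               round, (unsigned long long)r, (unsigned long long)armed,
               (unsigned long long)events_until_overflow(armed),
               instructions_to_us(r, 2.2e9, 3.0));
    }
    return 0;
}
```

With m = 0xffffffff the conversion gives about 650,752 µs per interval, which is row 1 of Table 2.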
5.2 Checking I/O Configurations and Firmware

Network Interface Controller. We use a popular commercial network card, an Intel 82574L Gigabit PCIe Ethernet Controller, as our target I/O device. First, we check the PCIe configuration space of the network card. The NIC on our testbed is at bus 3, device 0, and function 0. To read the configuration space, we use standard PCI reads to dump the contents. We use a standard hash function, MD5 [34], to hash these 256 bytes of the configuration and compare the hash value with the original one generated during booting.

Network management is an increasingly important requirement in today's networked computer environments, especially on servers. It routes manageability network traffic to a Management Controller (MC). One example of an MC is the Baseboard Management Controller (BMC) in the Intelligent Platform Management Interface (IPMI). The management firmware inevitably contains vulnerabilities that could be easily exploited by attackers. Bonkoski et al. [3] identified more than 400 thousand IPMI-enabled servers running on publicly accessible IP addresses that are remotely exploitable due to textbook vulnerabilities in the management firmware.

The 82574L NIC [35] provides two different and mutually exclusive bus interfaces for manageability traffic. One is the Intel proprietary System Management Bus (SMBus) interface, and the other is the Network Controller-Sideband Interface (NC-SI). Each manageability interface has its own firmware code that implements its functions. Figure 3 in the Appendix shows a high-level architectural block diagram of the 82574L NIC. The management firmware of these two interfaces is stored in a Non-Volatile Memory (NVM). The NVM is I/O-mapped memory in the NIC, and we use the EEPROM Read Register (EERD, 0x14) to read it. EERD is a 32-bit register used to cause the NIC to read individual words in the EEPROM. To read a word, we write a 1b to the Start Read field. The NIC reads the word from the EEPROM, places it in the Read Data field, and then sets the Read Done field to 1b. We poll the Read Done bit to make sure that the data has been stored in the Read Data field. All of the configuration and status registers of the 82574L NIC, including EERD, are memory-mapped when the system boots up. To access EERD, we use normal memory read-and-write operations. The memory address of EERD is the 82574L base address plus the EERD offset.
Video Graphics Adapter. The Jaton VIDEO-498PCI-DLP GeForce 9500 GT is a PCI-based video card. It is at bus 7, device 0, and function 0 on our testbed. Similar to the checking approach for the NIC, we first check the PCI configuration space of the VGA device. Then, we check the integrity of the VGA expansion ROM. The VGA expansion ROM is memory-mapped, and the four-byte register at offset 0x30 in the PCI configuration space specifies the base address of the expansion ROM. Note that bit 0 in the register enables accesses to the expansion ROM. PCI expansion ROMs may contain multiple images for different architectures. Each image must contain a ROM header and PCI data structure, which specify image information such as code type and size. Table 5 in the Appendix shows the formats of the ROM header and PCI data structure. Note that we only check the image for the x86 architecture since our testbed is on Intel x86. We first use the base address of the expansion ROM to locate the header of the first image. Next, we read the pointer to the PCI data structure at offset 0x18 to 0x19. Then, we identify the code type at offset 0x14 in the PCI data structure. If this image is for the Intel x86 architecture, we check the integrity of this image by comparing the hash values. Otherwise, we repeat the steps above for the next image.
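The image walk just described, together with the 256-byte configuration-space comparison used for both devices, as an added example that is not the paper's code. It relies on the ROM header and PCI data structure layout from the PCI Firmware Specification (signature 0x55AA, PCIR pointer at 0x18, image length at 0x10 in 512-byte units, code type at 0x14, last-image bit at 0x15), uses 64-bit FNV-1a as a stand-in for the paper's MD5, and builds a two-image ROM in memory so it runs without hardware.

```c
/* Added example, not the paper's code: walks a PCI expansion ROM holding
 * several images, selects the x86 (PC-AT) image as Section 5.2 describes, and
 * compares its hash (and separately a 256-byte PCI configuration space)
 * against stored references. Offsets follow the PCI Firmware Specification;
 * 64-bit FNV-1a stands in for the paper's MD5; all buffers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROM_PCIR_PTR    0x18   /* ROM header: 16-bit pointer to the PCI data structure */
#define PCIR_IMG_LEN    0x10   /* PCI data structure: image length, 512-byte units */
#define PCIR_CODE_TYPE  0x14   /* 0x00 = Intel x86 PC-AT, 0x02 = HP PA RISC */
#define PCIR_INDICATOR  0x15   /* bit 7 set on the last image in the ROM */
#define CODE_TYPE_X86   0x00
#define PCI_CFG_SIZE    256
#define PCI_BAR0        0x10   /* first Base Address Register in configuration space */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Offset of the x86 image inside the ROM (length in *img_len), or -1 when the
 * ROM is malformed or holds no x86 image. */
long find_x86_image(const uint8_t *rom, size_t rom_len, size_t *img_len) {
    size_t off = 0;
    while (off + 0x1a <= rom_len) {
        if (rom[off] != 0x55 || rom[off + 1] != 0xAA) return -1;      /* ROM signature */
        size_t pcir = off + rd16(rom + off + ROM_PCIR_PTR);
        if (pcir + 0x18 > rom_len || memcmp(rom + pcir, "PCIR", 4) != 0) return -1;
        size_t len = (size_t)rd16(rom + pcir + PCIR_IMG_LEN) * 512;
        if (len == 0 || off + len > rom_len) return -1;
        if (rom[pcir + PCIR_CODE_TYPE] == CODE_TYPE_X86) { *img_len = len; return (long)off; }
        if (rom[pcir + PCIR_INDICATOR] & 0x80) return -1;               /* last image */
        off += len;                                                     /* next image */
    }
    return -1;
}

/* 1 = matches reference, 0 = modified (e.g. a reflashed option ROM), -1 = no x86 image. */
int check_rom_integrity(const uint8_t *rom, size_t rom_len, uint64_t reference) {
    size_t len = 0;
    long off = find_x86_image(rom, rom_len, &len);
    if (off < 0) return -1;
    return fnv1a64(rom + off, len) == reference;
}

/* Same comparison for the 256-byte configuration space; a relocated BAR changes it. */
int check_pci_config(const uint8_t cfg[PCI_CFG_SIZE], uint64_t reference) {
    return fnv1a64(cfg, PCI_CFG_SIZE) == reference;
}

/* Constructed two-image ROM: HP PA RISC image first, x86 image second. */
#define IMG_SIZE 512
#define TEST_ROM_LEN (2 * IMG_SIZE)
static uint8_t test_rom[TEST_ROM_LEN];

static void build_image(uint8_t *img, uint8_t code_type, int last, uint8_t fill) {
    memset(img, fill, IMG_SIZE);
    img[0] = 0x55; img[1] = 0xAA;
    img[ROM_PCIR_PTR] = 0x40; img[ROM_PCIR_PTR + 1] = 0x00;          /* PCIR at 0x40 */
    memcpy(img + 0x40, "PCIR", 4);
    img[0x40 + PCIR_IMG_LEN] = 1; img[0x40 + PCIR_IMG_LEN + 1] = 0;   /* 1 x 512 bytes */
    img[0x40 + PCIR_CODE_TYPE] = code_type;
    img[0x40 + PCIR_INDICATOR] = last ? 0x80 : 0x00;
}

const uint8_t *build_test_rom(void) {
    build_image(test_rom, 0x02, 0, 0x11);
    build_image(test_rom + IMG_SIZE, CODE_TYPE_X86, 1, 0x22);
    return test_rom;
}

int main(void) {
    const uint8_t *rom = build_test_rom();
    size_t len = 0;
    long off = find_x86_image(rom, TEST_ROM_LEN, &len);
    uint64_t ref = fnv1a64(rom + off, len);           /* IOCheck records this at boot */
    uint8_t tampered[TEST_ROM_LEN];
    memcpy(tampered, rom, TEST_ROM_LEN);
    tampered[off + 0x100] ^= 0xff;                    /* one byte changed in the x86 image */
    printf("x86 image at %ld (%zu bytes): pristine=%d tampered=%d\n", off, len,
           check_rom_integrity(rom, TEST_ROM_LEN, ref),
           check_rom_integrity(tampered, TEST_ROM_LEN, ref));
    return 0;
}
```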
5.3 Reporting an Alert and Exiting SMM

To play a tone, we program the Intel 8253 Programmable Interval Timer (PIT) in the SMI handler to generate tones. The 8253 PIT performs timing and counting functions, and it exists in all x86 machines. In modern machines, it is included as part of the motherboard's Southbridge. This timer has three counters (Counters 0, 1, and 2), and we use the third counter (Counter 2) to generate tones via the PC speaker. In addition, we can generate different kinds of tones by adjusting the output frequency. In the prototype of IOCheck, a continuous tone is played by the PC speaker if an attack against the NIC has been found. If an attack against the VGA has been found, an intermittent tone is played.

We use a serial cable to print status messages and debug the corresponding I/O devices in SMM. The printk function in Coreboot prints the status messages to the serial port on the target machine. When the target machine executes the BIOS code during booting, the external machine sends a 16-byte random number to the target machine through the serial cable. Then, the BIOS stores the random number as a secret in the SMRAM. Later, the status messages are sent with the secret for authentication. We run a minicom instance on the external machine and verify whether the secret is correct. If a status message is not received in the expected time window or the secret is wrong, we conclude that an attack has occurred.
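The two checks the external machine applies to each status line (Sections 4.3 and 5.3), as an added example that is not the paper's code: the 16-byte boot-time secret carried by the message must match, and the message must arrive within the longest possible random-polling interval, otherwise blocked SMI delivery (DoS) is assumed. The line format "IOCHECK <32 hex chars> <status text>", the sample secret and the timestamps are our constructions.

```c
/* Added example, not the paper's code: the per-line check an external machine
 * can run on IOCheck's serial status messages. A line carries the 16-byte
 * boot-time secret; a valid line must also arrive within max_gap_ms of the
 * previous authenticated one. Line format and sample values are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum verdict { HB_OK = 0, HB_TIMEOUT, HB_BAD_SECRET, HB_MALFORMED };

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode 32 hex characters into 16 bytes; returns 0 on any bad or missing character. */
int parse_secret(const char *hex, uint8_t out[16]) {
    for (int i = 0; i < 16; i++) {
        int hi = hexval(hex[2 * i]);
        if (hi < 0) return 0;
        int lo = hexval(hex[2 * i + 1]);
        if (lo < 0) return 0;
        out[i] = (uint8_t)(hi << 4 | lo);
    }
    return 1;
}

/* Constant-time comparison: a forged line must not reveal which bytes matched. */
int secret_equal(const uint8_t a[16], const uint8_t b[16]) {
    uint8_t diff = 0;
    for (int i = 0; i < 16; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* now_ms: arrival time of this line; last_ok_ms: arrival of the previous
 * authenticated line; max_gap_ms: longest possible random-polling interval. */
enum verdict check_status_line(const char *line, const uint8_t expected[16],
                               uint64_t now_ms, uint64_t last_ok_ms, uint64_t max_gap_ms) {
    uint8_t got[16];
    if (now_ms - last_ok_ms > max_gap_ms) return HB_TIMEOUT;   /* SMIs were blocked */
    if (strncmp(line, "IOCHECK ", 8) != 0) return HB_MALFORMED;
    if (!parse_secret(line + 8, got) || line[8 + 32] != ' ') return HB_MALFORMED;
    if (!secret_equal(got, expected)) return HB_BAD_SECRET;    /* spoofed from PM */
    return HB_OK;
}

/* Silence check for the case where no line arrives at all. */
int heartbeat_missing(uint64_t now_ms, uint64_t last_ok_ms, uint64_t max_gap_ms) {
    return now_ms - last_ok_ms > max_gap_ms;
}

/* Constructed boot-time secret and sample lines (made up for this example). */
static const uint8_t boot_secret[16] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
static const char *good_line   = "IOCHECK 00112233445566778899aabbccddeeff I/O devices are OK";
static const char *forged_line = "IOCHECK 00112233445566778899aabbccddee00 I/O devices are OK";

int main(void) {
    /* With a [1, 0xffffffff] polling interval Table 2 gives about 0.65 s per SMI,
     * so 1000 ms is used here as the constructed upper bound between messages. */
    printf("good=%d forged=%d late=%d\n",
           check_status_line(good_line, boot_secret, 1650, 1000, 1000),
           check_status_line(forged_line, boot_secret, 1650, 1000, 1000),
           check_status_line(good_line, boot_secret, 2200, 1000, 1000));
    return 0;
}
```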
6 Evaluation and Experimental Results

6.1 Code Size

In total, there are 310 lines of new C code in the SMI handler. The MD5 hash function has 140 lines of C code [34], and the rest of the code implements the firmware and PCI configuration space checking. After compiling Coreboot, the binary size of the SMI handler is only 1,409 bytes, which introduces a minimal TCB to our system. The 1,409-byte code encompasses all functions and instructions required to check the integrity of the NIC and VGA firmware and their PCI configuration spaces. The code size will increase if we check more I/O devices. Additionally, other static code exists in Coreboot related to enabling SMM to run on a particular chipset. For example, a printk function is built into the SMM code to enable raw communication over a serial port.
6.2 Attack Detection

We conduct four attacks against our system on both Windows and Linux platforms. Two of them are I/O configuration attacks, which relocate the device memory by manipulating the PCI configuration space of the NIC and VGA. The other two attacks modify the management firmware of the NIC and the VGA option ROM.

The Base Address Registers (BARs) in the PCI configuration space are used to map the device's register space. They reside from offset 0x10 to 0x27 in the PCI configuration space. For example, the memory location BAR0 specifies the base address of the internal NIC registers. An attacker can relocate these memory-mapped registers for malicious purposes by manipulating the BAR0 register. To conduct the experiments, we first enable IOCheck to check the PCI configuration space. Next, we modify the memory location specified by the BAR0 register on Windows and Linux platforms. We write a kernel module to modify the BAR0 register in Linux and use the RWEverything [36] tool to configure it in Windows. We also modify the management firmware of the NIC and the VGA option ROM. The management firmware is stored in a Non-Volatile Memory, and it is I/O-mapped memory; the VGA option ROM is memory-mapped. These attacks are also conducted on both Windows and Linux platforms.

After we modify the NIC's PCIe configuration or the firmware, IOCheck automatically plays a continuous tone to alert users, and the minicom instance on the external machine shows that an attack against the NIC has been found. After the modification of the VGA's PCI configuration or option ROM, an intermittent tone is played by the PC speaker.
6.3 Breakdown of SMI Handler Runtime

To quantify how much time each individual step requires, we break down the SMI handler into eight operations. They are 1) switch into the SMM; 2) check the PCIe configuration of the NIC; 3) check the firmware of the NIC; 4) check the PCI configuration of the VGA; 5) check the option ROM of the VGA; 6) send a status message; 7) configure the next SMI; and 8) resume Protected Mode. For each operation, we measure the average time taken in SMM. We use the Time Stamp Counter (TSC) register to calculate the time. The TSC register stores the number of CPU cycles elapsed since powering on. First, we record the TSC values at the beginning and end of each operation, respectively. Next, we divide the difference in the TSC register by the CPU frequency to calculate how much time this operation takes. We repeat this experiment 40 times.

Table 1 shows the average times taken for each operation. We can see that the SMM switching and resuming take only 4 and 5 microseconds, respectively. Checking 256 bytes of the PCIe/PCI configuration space register takes about 1 millisecond. The 82574L NIC has 70 bytes of SMBus Advanced Pass Through (APT) management firmware and 138 bytes of NC-SI management firmware. The size of the x86 expansion ROM image is 1 KB in the testing VGA. Checking the NIC's firmware takes about 1 millisecond, while checking the VGA's option ROM takes about 5 milliseconds. Naturally, the size of the firmware affects the time of the checking operation. We send a status message (e.g., I/O devices are OK) in each run of the SMI handler, which takes about 2 milliseconds. The time it takes to generate a random number and configure the performance counters for the next SMI is only 1.22 microseconds. Thus, the total time spent in SMM is about 10 milliseconds. Additionally, we calculate the standard deviation and 95% confidence interval for the runtime of each operation.

Table 1. Breakdown of SMI Handler Runtime (Time: μs)

Operations                        | Mean      | STD  | 95% CI
SMM switching                     | 3.92      | 0.08 | [3.27, 3.32]
Check NIC's PCIe configuration    | 1169.39   | 2.01 | [1168.81, 1169.98]
Check NIC's firmware              | 1268.12   | 5.12 | [1266.63, 1269.60]
Check VGA's PCI configuration     | 1243.60   | 2.61 | [1242.51, 1244.66]
Check VGA's expansion ROM         | 4609.30   | 1.30 | [4608.92, 4609.68]
Send a message                    | 2082.95   | 3.00 | [2082.08, 2083.82]
Configure the next SMI            | 1.22      | 0.06 | [1.20, 1.24]
SMM resume                        | 4.58      | 0.10 | [4.55, 4.61]
Total                             | 10,383.07 |      |
6.4 System Overhead

To measure the system overhead introduced by this approach, we use the SuperPI [37] program to benchmark our system on Windows and Linux. We first run the benchmark without IOCheck enabled. Then, we run it with different random-polling intervals. Table 2 shows the experimental results. The first column shows the random polling intervals used in the experiment. For example, (0, 0xfffffff] means a random number, r, is generated in that interval. We use retired instructions as the counting event in the performance counter. Thus, after running r sequential instructions, an SMI will be asserted. The second column also indicates the time elapsed. Since the CPU (AMD K8) on our testbed is 3-way superscalar [38], we assume an average number of instructions-per-cycle (IPC) of 3, and the equation for this transformation is T = I / (C × IPC), where T is the real time, I is the number of instructions, and C is the clock speed of the CPU.

Table 2. Random Polling Overhead Introduced on Microsoft Windows and Linux

    Random Polling Intervals            Benchmark Runtime (s)   System Slowdown
    Instructions       Time (μs)        Windows   Linux         Windows   Linux
1   [1, 0xffffffff]    (0, 650,752]     0.285     0.393         0.014     0.011
2   [1, 0xfffffff]     (0, 40,672]      0.297     0.398         0.057     0.023
3   [1, 0xffffff]      (0, 2,542]       0.609     0.463         1.167     0.190
4   [1, 0xfffff]       (0, 158]         4.359     1.480         14.512    2.805
5   [1, 0xffff]        (0, 10]          91.984    18.382        326       46

We can see from Table 2 that the overhead increases if we reduce the random-polling interval, while small intervals have a higher probability of quickly detecting attacks. Intervals in rows 1 and 2 introduce less than 6% overhead, so intervals similar to or between them are suitable for normal users in practice. Other intervals in the table have large overhead, making them unsuitable in practice. These results demonstrate the feasibility and scalability of our approach.
6.5 Comparison with the DRTM Approach

IOCheck provides a new framework for checking firmware and I/O devices at runtime. Compared to the well-known DRTM approach (e.g., Flicker [18]), SMM in IOCheck serves a similar role as the trusted execution environment in DRTM. However, IOCheck achieves a better performance in comparison. AMD uses the SKINIT instruction to perform DRTM, and Intel implements DRTM using a CPU instruction called SENTER. The SMM switching operation in IOCheck plays the same role as the SKINIT or SENTER instructions in the DRTM approach. As stated in Table II of Flicker [18], the time required to execute the SKINIT instruction depends on the size of the Secure Loader Block (SLB). It shows a linear growth in runtime as the size of the SLB increases. From Table 3, we can see that the SKINIT instruction takes about 12 milliseconds for 4 KB of SLB. However, SMM switching only takes about 4 microseconds, which is about three orders of magnitude faster than the SKINIT instruction. Furthermore, the SMM switching time is independent of the size of the SMI handler. This is because IOCheck does not need to measure the secure code every time before executing it, and we lock the secure code in SMRAM.

Table 3. Comparison between SMM-based and DRTM-based Approaches

                      | IOCheck        | Flicker [18]
Operation             | SMM switching  | SKINIT instruction
Size of secure code   | Any            | 4 KB
Time                  | 3.92 μs        | 12 ms
Trust BIOS boot       | Yes            | No

Note that IOCheck trusts the BIOS boot while Flicker does not. IOCheck requires a secure BIOS boot to ensure the SMM code is securely loaded into SMRAM. However, the DRTM approach (e.g., Intel TXT) also requires that the SMM code is trusted. Wojtczuk and Rutkowska demonstrate several attacks [12,39,40] against Intel TXT by using SMM if the SMM-Transfer Monitor is not present. From this point of view, both systems must trust the SMM code.
7 Limitations and Discussions

IOCheck is a runtime firmware and configuration integrity checking framework. We also demonstrate the feasibility of this approach using a commercial network card. However, the current prototype of IOCheck is specific to the target system, which uses an Intel 82574L network card and a JATON VIDEO-498PCI-DLP Nvidia video card. Human effort is required to expand the functionality (e.g., checking the BMC or disk controller).

SMM uses isolated memory (SMRAM) for execution. The initial size of SMRAM is 64 KB, ranging from SMMBASE to SMMBASE+0xFFFF. The default value of SMMBASE is 0x30000, and Coreboot relocates it to 0xA0000. Although the size of our SMI handler code is only 1,409 bytes, the small capacity of SMRAM may limit the scalability of IOCheck. However, the chipset in our testbed allows for an additional 4 MB of memory in a region called TSeg within SMRAM. Furthermore, SICE [41] demonstrates that SMM can support up to 4 GB of isolated memory that can be used for memory-intensive operations such as virtualization.

Wojtczuk and Rutkowska [42] use cache poisoning to bypass the SMM lock by configuring the Memory Type Range Registers (MTRR) to force the CPU to execute code from the cache (which they injected) instead of SMRAM. Duflot also independently found the same vulnerability [43]. This vulnerability was fixed with Intel's addition of the System Management Range Register (SMRR). More recently, Butterworth et al. [25] used a buffer overflow vulnerability during the BIOS update process in SMM, although this was a bug in the particular BIOS version. Our SMM code in Coreboot does not have the same vulnerable code that facilitates this attack. To the best of our knowledge, there is no general attack that can bypass the SMM lock and compromise SMM.

The implementation of IOCheck contains 310 lines of C code. This part of the code may contain vulnerabilities that could be exploited by attackers. To reduce the possibility of vulnerable code, we sanitize the input of the SMI handler to reduce the attack surface. For instance, we do not accept any data input to the SMI handler except for the target firmware and configurations. We also carefully check the size of the input data to avoid overflow attacks [25].
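The following C code is added as an illustration of the input sanitization just described (restricting the accepted input types, bounding their size, and rejecting ranges that overlap SMRAM) combined with the golden-hash comparison that an integrity check performs afterwards. It is example code written for this page, not the IOCheck handler itself. The SMRAM placement (0xA0000, 64 KB) follows the paper; the input cap, the request descriptor layout, and the use of FNV-1a in place of the MD5 [34] the paper relies on are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* SMRAM placement follows the paper (Coreboot relocates SMMBASE to 0xA0000,
 * 64 KB default size). The input size cap and the hash function are
 * assumptions of this example, not IOCheck's values. */
#define SMRAM_BASE     0xA0000UL
#define SMRAM_END      (SMRAM_BASE + 0x10000UL)   /* exclusive */
#define MAX_INPUT_LEN  (256u * 1024u)

/* The handler accepts exactly two kinds of input: a firmware image or a
 * configuration snapshot. Anything else is refused before it is read. */
enum smi_input_type { SMI_INPUT_FIRMWARE = 1, SMI_INPUT_CONFIG = 2 };

/* Request descriptor as handed over by untrusted Protected Mode code
 * (constructed layout for this example). */
typedef struct {
    uint32_t  type;       /* enum smi_input_type */
    uintptr_t phys_addr;  /* location of the blob; must lie outside SMRAM */
    uint32_t  len;        /* blob length in bytes */
} smi_request_t;

/* Golden values provisioned at boot and kept in locked SMRAM. */
typedef struct {
    uint64_t firmware;
    uint64_t config;
} smi_golden_t;

enum { SMI_OK = 0, SMI_REJECTED = -1, SMI_MISMATCH = -2 };

/* FNV-1a stands in for the MD5 the paper uses; the comparison logic is the same. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Sanity-check the descriptor before a single byte is touched. Each test
 * blocks a concrete misuse: unknown input types; zero-length or oversized
 * blobs (the buffer overflow case); address ranges that wrap around; and
 * blobs that point into SMRAM itself, so the handler never operates on its
 * own memory on the caller's behalf. */
int smi_validate_request(const smi_request_t *rq)
{
    if (rq->type != SMI_INPUT_FIRMWARE && rq->type != SMI_INPUT_CONFIG)
        return SMI_REJECTED;
    if (rq->len == 0 || rq->len > MAX_INPUT_LEN)
        return SMI_REJECTED;
    if (rq->phys_addr > UINTPTR_MAX - rq->len)
        return SMI_REJECTED;                        /* addr + len wraps */
    uintptr_t end = rq->phys_addr + rq->len;        /* exclusive */
    if (rq->phys_addr < SMRAM_END && end > SMRAM_BASE)
        return SMI_REJECTED;                        /* overlaps SMRAM */
    return SMI_OK;
}

/* One handler step: validate, then hash the blob and compare it with the
 * golden value for its type. `blob` is the host-side stand-in for the
 * memory at rq->phys_addr; a real handler would read that physical range. */
int smi_check_integrity(const smi_request_t *rq, const uint8_t *blob,
                        const smi_golden_t *golden)
{
    int rc = smi_validate_request(rq);
    if (rc != SMI_OK)
        return rc;
    uint64_t expected = (rq->type == SMI_INPUT_FIRMWARE) ? golden->firmware
                                                         : golden->config;
    return fnv1a64(blob, rq->len) == expected ? SMI_OK : SMI_MISMATCH;
}
```

The ordering matters: every descriptor field is checked before the blob is dereferenced, so a malformed request can only produce SMI_REJECTED, never an out-of-bounds read or write inside the handler.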
SMM was not originally designed for security purposes. Researchers may argue that this makes it unsuitable for security operations. Additionally, some researchers feel that SMM is not essential to x86. However, there is no indication that Intel will remove SMM. Moreover, Intel introduced the SMM-Transfer Monitor [44] that virtualizes SMM code in order to defeat attacks [40] against TXT. In our case, SMM can be thought of as a mechanism to provide an isolated computing environment and hardware support to meet the system's requirements.
8 Related Work

To identify malware running in I/O devices, Li et al. propose VIPER [20], a software-based attestation method to verify the integrity of peripherals' firmware. VIPER runs a verifier program on the host machine, and it trusts the operating system. NAVIS [19] is an anomaly-detection system checking the memory accesses performed by the NIC's on-chip processor. It builds a memory layout profile of the NIC and raises an alert if any unexpected memory access is detected. The NAVIS program runs inside of the operating system and assumes the OS is trusted. Compared to VIPER and NAVIS, IOCheck does not run in the normal Protected Mode. It uses SMM to check the integrity of the firmware, which significantly reduces the TCB. In addition, IOCheck checks the configurations of I/O devices, which further protects them.

Compromised firmware normally performs DMA attacks against the main memory, and an IOMMU (e.g., Intel VT-d or AMD-Vi) is an efficient defense. However, Sang et al. [11] identify an array of vulnerabilities in Intel VT-d. Wojtczuk et al. [12] use a bug in the SINIT module of the SENTER instruction to misconfigure VT-d, and then attackers are able to compromise the securely loaded hypervisor using a classic DMA attack, so it can bypass Intel TXT. Although the main goal of this attack is to circumvent Intel TXT, we can learn that VT-d is easy to misconfigure, after which an attacker can launch a DMA attack. Moreover, Stewin [10] explains several reasons why we cannot trust the IOMMU as a countermeasure against DMA attacks. However, IOCheck is a generic framework that can check IOMMU configurations and provide further protection for I/O devices.

BARM [10] aims to detect and prevent DMA-based attacks. It is based on modeling the expected memory bus activity and comparing it to the actual activity. BARM relies on the OS and software applications to record all I/O bus activity in the form of I/O statistics, while IOCheck uses SMM without trusting any code in PM.

IronHide [45] is a tool to analyze potential I/O attacks against PCs. It can be used either as an offensive or a defensive tool. On the offensive side, it can be used to sniff the I/O buses, spoof the bus address used by other I/O controllers, and log/inject keystrokes. On the defensive side, it injects faults over the I/O buses to simulate various I/O attacks and to identify various possible vulnerabilities. However, IronHide requires a specialized PCI-Express device, while IOCheck uses existing technology in chipsets.

Recently, SMM-based systems have been brewing in the security area [46–50]. HyperCheck [46] checks the integrity of hypervisors and uses a network card to transmit the registers and memory contents to a remote server for verification. Therefore, a compromised network card would be problematic in HyperCheck. HyperSentry [47] also uses SMM for hypervisor integrity checking, and it uses the Intelligent Platform Management Interface (IPMI) to stealthily trigger an SMI. IPMI relies on the BMC and its firmware to operate, while IOCheck can mitigate those attacks against firmware. Spectre [49] is a periodic polling-based system that introspects the host memory for malware detection. It uses SMM to periodically check the host memory for heap overflow, heap spray, and rootkit attacks. However, IOCheck aims to enhance the security of I/O devices, and we use random-polling and event-driven approaches to mitigate transient attacks against periodic polling-based systems. In addition, researchers use SMM to implement stealthy rootkits [51], which requires an unlocked SMRAM to load the rootkit. As explained in [51], all post-2006 machines have locked SMRAM in the BIOS. IOCheck locks the SMM in Coreboot so that SMRAM is inaccessible after booting.
9 Conclusions

In this paper, we present IOCheck, a framework to enhance the security of I/O devices at runtime. It checks the firmware and configurations of I/O devices and does not require trusting the OS. We implement a prototype of IOCheck using random-polling-based and event-driven approaches, and it is robust against transient attacks. We demonstrate the effectiveness of IOCheck by checking the integrity of an Intel 82574L NIC and a Jaton VIDEO-498PCI-DLP VGA card. The experimental results show that IOCheck is able to successfully detect firmware and I/O configuration attacks. IOCheck only takes about 10 milliseconds to check the firmware and configurations, and it introduces a low overhead on both Microsoft Windows and Linux platforms. Furthermore, we compare IOCheck with the DRTM approach and show that the switching time of IOCheck is three orders of magnitude faster than that of the DRTM approach.

Acknowledgement. The authors would like to thank all of the reviewers for their valuable comments and suggestions. This work is supported by the United States Air Force Research Laboratory (AFRL) through Contract FA8650-10-C-7024, National Science Foundation CRI Equipment Grant No. CNS-1205453, and ONR Grant N00014-13-1-0088. Opinions, findings, conclusions and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the U.S. Government, Air Force, or Navy.
References

1. National Institute of Standards, NIST: National Vulnerability Database, http://nvd.nist.gov (access time March 4, 2014)
2. Mitre: Vulnerability list, http://cve.mitre.org/cve/cve.html
3. Bonkoski, A.J., Bielawski, R., Halderman, J.A.: Illuminating the Security Issues Surrounding Lights-out Server Management. In: Proceedings of the 7th USENIX Conference on Offensive Technologies (WOOT 2013) (2013)
4. Duflot, L., Perez, Y.A.: Can You Still Trust Your Network Card? In: Proceedings of the 13th CanSecWest Conference (CanSecWest 2010) (2010)
5. Chen, K.: Reversing and Exploiting an Apple Firmware Update. Black Hat (2009)
6. Stewin, P., Bystrov, I.: Understanding DMA Malware. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 21–41. Springer, Heidelberg (2013)
7. Aumaitre, D., Devine, C.: Subverting Windows 7 x64 Kernel With DMA Attacks. In: HITBSecConf Amsterdam (2010)
8. Triulzi, A.: Project Maux Mk. II. In: CanSecWest (2008)
9. Sang, F., Nicomette, V., Deswarte, Y.: I/O Attacks in Intel PC-based Architectures and Countermeasures. In: SysSec Workshop (SysSec 2011) (2011)
10. Stewin, P.: A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform's Main Memory. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 1–20. Springer, Heidelberg (2013)
11. Sang, F., Lacombe, E., Nicomette, V., Deswarte, Y.: Exploiting an I/OMMU vulnerability. In: 5th International Conference on Malicious and Unwanted Software (MALWARE 2010), pp. 7–14 (2010)
12. Wojtczuk, R., Rutkowska, J.: Another Way to Circumvent Intel Trusted Execution Technology (2009), http://invisiblethingslab.com/resources/misc09/Another
13. Wojtczuk, R., Rutkowska, J.: Following the White Rabbit: Software Attacks against Intel VT-d (2011)
14. Trusted Computing Group: TCG PC Client Specific Implementation Specification for Conventional BIOS (February 2012), http://www.trustedcomputinggroup.org/files/resourcefiles/CB0B2BFA-1A4B-B294-D0C3B9075B5AFF17/TCGPCClientImplementation1-21100.pdf
15. Trusted Computing Group: TPM Main Specification Level 2 Version 1.2, Revision 116 (2011), http://www.trustedcomputinggroup.org/resources/tpm_main_specification
16. Trusted Computing Group: TCG D-RTM Architecture Document Version 1.0.0 (June 2013), http://www.trustedcomputinggroup.org/resources/drtmarchitecturespecification
17. Intel: Trusted Execution Technology, http://www.intel.com/content/www/us/en/trusted-execution-technology/trusted-execution-technology-security-paper.html
18. McCune, J., Parno, B., Perrig, A., Reiter, M., Isozaki, H.: Flicker: An Execution Infrastructure for TCB Minimization. In: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems (2008)
19. Duflot, L., Perez, Y.-A., Morin, B.: What If You Can't Trust Your Network Card? In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 378–397. Springer, Heidelberg (2011)
20. Li, Y., McCune, J., Perrig, A.: VIPER: Verifying the Integrity of PERipherals' Firmware. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011) (2011)
21. Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.: Vigilare: Toward Snoop-based Kernel Integrity Monitor. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012) (2012)
22. Wang, J., Sun, K., Stavrou, A.: A Dependability Analysis of Hardware-Assisted Polling Integrity Checking Systems. In: Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012) (2012)
23. Zaddach, J., Kurmus, A., Balzarotti, D., Blass, E.O., Francillon, A., Goodspeed, T., Gupta, M., Koltsidas, I.: Implementation and Implications of a Stealth Hard-Drive Backdoor. In: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC 2013) (2013)
24. Triulzi, A.: The Jedi Packet Trick Takes Over the Deathstar: Taking NIC Backdoors to the Next Level. In: The 12th Annual CanSecWest Conference (2010)
25. Butterworth, J., Kallenberg, C., Kovah, X.: BIOS Chronomancy: Fixing the Core Root of Trust for Measurement. In: Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013) (2013)
26. Coreboot: Open-Source BIOS, http://www.coreboot.org/
27. VIA: VT8237R Southbridge, http://www.via.com.tw/
28. Broadcom Corporation: Broadcom NetXtreme Gigabit Ethernet Controller, http://www.broadcom.com/products/BCM5751
29. Salihun, D.: BIOS Disassembly Ninjutsu Uncovered, http://bioshacking.blogspot.com/2012/02/bios-disassembly-ninjutsu-uncovered-1st.html
30. Salihun, D.: Malicious Code Execution in PCI Expansion ROM (June 2012), http://resources.infosecinstitute.com/pci-expansion-rom/
31. Flashrom: Firmware flash utility, http://www.flashrom.org/
32. Advanced Micro Devices, Inc.: BIOS and Kernel Developer's Guide for AMD Athlon 64 and AMD Opteron Processors
33. William, H., Teukolsky, S.A., Vetterling, W.T., Flannery, B.P.: Numerical Recipes: The Art of Scientific Computing. Cambridge University Press, New York (2007)
34. MD5 Hash Functions, http://en.wikipedia.org/wiki/MD5
35. Intel: 82574 Gigabit Ethernet Controller Family: Datasheet, http://www.intel.com/content/www/us/en/ethernet-controllers/82574l-gbe-controller-datasheet.html
36. Jeff: RW Everything Tool, http://rweverything.com/
37. SuperPI, http://www.superpi.net/
38. Advanced Micro Devices, Inc.: AMD K8 Architecture, http://commons.wikimedia.org/wiki/File:AMD_K8.PNG
39. Wojtczuk, R., Rutkowska, J.: Attacking Intel Trust Execution Technologies (2009), http://invisiblethingslab.com/resources/bh09dc/Attacking
40. Wojtczuk, R., Rutkowska, J.: Attacking Intel TXT via SINIT Code Execution Hijacking (November 2011), http://www.invisiblethingslab.com/resources/2011/AttackingIntelTXTviaSINIThijacking.pdf
41. Azab, A.M., Ning, P., Zhang, X.: SICE: A Hardware-level Strongly Isolated Computing Environment for x86 Multi-core Platforms. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011) (2011)
42. Wojtczuk, R., Rutkowska, J.: Attacking SMM Memory via Intel CPU Cache Poisoning (2009)
43. Duflot, L., Levillain, O., Morin, B., Grumelard, O.: Getting into the SMRAM: SMM Reloaded. In: Proceedings of the 12th CanSecWest Conference (CanSecWest 2009) (2009)
44. Intel: Intel 64 and IA-32 Architectures Software Developer's Manual
45. Sang, F.L., Nicomette, V., Deswarte, Y.: A Tool to Analyze Potential I/O Attacks Against PCs. IEEE Security & Privacy (2013)
46. Zhang, F., Wang, J., Sun, K., Stavrou, A.: HyperCheck: A Hardware-assisted Integrity Monitor. IEEE Transactions on Dependable and Secure Computing (2013)
47. Azab, A.M., Ning, P., Wang, Z., Jiang, X., Zhang, X., Skalsky, N.C.: HyperSentry: Enabling Stealthy In-Context Measurement of Hypervisor Integrity. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010) (2010)
48. Reina, A., Fattori, A., Pagani, A., Cavallaro, L., Bruschi, D.: When Hardware Meets Software: A Bulletproof Solution to Forensic Memory Acquisition. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC 2012) (2012)
49. Zhang, F., Leach, K., Sun, K., Stavrou, A.: SPECTRE: A Dependable Introspection Framework via System Management Mode. In: Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2013) (2013)
50. Zhang, Y., Pan, W., Wang, Q., Bai, K., Yu, M.: HypeBIOS: Enforcing VM Isolation with Minimized and Decomposed Cloud TCB. Technical report, Virginia Commonwealth University (2012)
51. Embleton, S., Sparks, S., Zou, C.: SMM rootkits: A New Breed of OS Independent Malware. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm 2008) (2008)
52. PCI-SIG: PCI Local Bus Specification Revision 3.0, http://www.pcisig.com/specifications/

Appendix

Table 4. IOMMU Configurations

  Register/Table Name        Description
  Root-entry table address   Defines the base address of the root-entry table (first-level table identified by bus number)
  Domain mapping tables      Includes the root-entry table and context-entry tables (second-level tables identified by device and function numbers)
  Page tables                Defines memory regions and access permissions of I/O controllers (third-level tables)
  DMA remapping ACPI table   Defines the number of DRHUs present in the system and the I/O controllers associated with each of them

[Fig. 2. Typical Hardware Layout of a Computer. Block diagram (image not recoverable from the text); components shown: CPU, front-side bus, northbridge (memory controller hub) with MMU and IOMMU, memory bus and memory slots, PCIe bus and graphics card slot, internal bus, southbridge (I/O controller hub), PCI bus and PCI slots, IDE, SATA, audio, USB, CMOS, LPC bus, BIOS, Super I/O, keyboard, mouse, serial port.]

[Fig. 3. Architecture Block Diagram of Intel 82574L [35]. Block diagram (image not recoverable from the text); blocks shown: PHY, MAC, Transmit Switch, Filter, Rx/Tx FIFO, Rx/Tx DMA, PCIe I/F, NC-SI, RMII I/F, SMBus I/F, Link; external interfaces to the Management Controller (RMII, SMBus) and the Operating System (PCIe).]

Table 5. PCI Expansion ROM Format [52]

(a) PCI Expansion ROM Header Format for x86

  Offset    Length  Value  Description
  0h        1       55h    ROM signature, byte 1
  1h        1       AAh    ROM signature, byte 2
  2h        1       xx     Initialization size
  3h        3       xx     Entry point for INIT function
  6h-17h    12h     xx     Reserved
  18h-19h   2       xx     Pointer to PCI data structure

(b) PCI Data Structure Format

  Offset    Length  Description
  0h        4       Signature, the string "PCIR"
  4h        2       Vendor identification
  6h        2       Device identification
  8h        2       Reserved
  Ah        2       PCI data structure length
  Ch        1       PCI data structure revision
  Dh        3       Class code
  10h       2       Image length
  12h       2       Revision level of code/data
  14h       1       Code type
  15h       1       Indicator
  16h       2       Reserved
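As an added worked example of the two structures in Table 5 (not code from the paper or the IOCheck prototype), the C program below parses an x86 PCI expansion ROM image: it checks the 55h/AAh signature, follows the pointer at offset 18h to the PCI data structure, checks the "PCIR" signature, and extracts the fields. Three details come from the PCI specification [52] rather than from the table and are stated here as known facts: the initialization size and image length are in units of 512 bytes, bit 7 of the indicator marks the last image, and an x86 image must sum to zero modulo 256 over its whole length. The sample image built by build_sample_rom is constructed for this example, with placeholder vendor and device identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCIR_SIZE 0x18  /* the PCI data structure of Table 5(b) spans 0x18 bytes */

typedef struct {
    uint8_t  init_size;      /* header 02h, in 512-byte units */
    uint8_t  init_entry[3];  /* header 03h, normally a JMP to the INIT routine */
    uint16_t pcir_offset;    /* header 18h */
    uint16_t vendor_id;      /* PCIR 04h */
    uint16_t device_id;      /* PCIR 06h */
    uint16_t pcir_length;    /* PCIR 0Ah */
    uint8_t  pcir_revision;  /* PCIR 0Ch */
    uint8_t  class_code[3];  /* PCIR 0Dh: prog-if, sub-class, base class */
    uint16_t image_length;   /* PCIR 10h, in 512-byte units */
    uint16_t code_revision;  /* PCIR 12h */
    uint8_t  code_type;      /* PCIR 14h, 0 = x86 PC-AT compatible */
    uint8_t  indicator;      /* PCIR 15h, bit 7 set = last image in the ROM */
} pci_rom_image_t;

enum {
    PCI_ROM_OK = 0, PCI_ROM_TOO_SHORT = -1, PCI_ROM_BAD_SIGNATURE = -2,
    PCI_ROM_BAD_PCIR_OFFSET = -3, PCI_ROM_BAD_PCIR_SIGNATURE = -4,
    PCI_ROM_BAD_LENGTH = -5, PCI_ROM_BAD_CHECKSUM = -6
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse and validate one image; every multi-byte field is read little-endian
 * and every offset is bounds-checked against `len` before it is used. */
int pci_rom_parse(const uint8_t *rom, size_t len, pci_rom_image_t *out)
{
    if (len < 0x1A) return PCI_ROM_TOO_SHORT;               /* header is 0x1A bytes */
    if (rom[0] != 0x55 || rom[1] != 0xAA) return PCI_ROM_BAD_SIGNATURE;
    out->init_size = rom[2];
    memcpy(out->init_entry, rom + 3, 3);
    out->pcir_offset = le16(rom + 0x18);
    if ((size_t)out->pcir_offset + PCIR_SIZE > len) return PCI_ROM_BAD_PCIR_OFFSET;
    const uint8_t *p = rom + out->pcir_offset;
    if (memcmp(p, "PCIR", 4) != 0) return PCI_ROM_BAD_PCIR_SIGNATURE;
    out->vendor_id     = le16(p + 0x04);
    out->device_id     = le16(p + 0x06);
    out->pcir_length   = le16(p + 0x0A);
    out->pcir_revision = p[0x0C];
    memcpy(out->class_code, p + 0x0D, 3);
    out->image_length  = le16(p + 0x10);
    out->code_revision = le16(p + 0x12);
    out->code_type     = p[0x14];
    out->indicator     = p[0x15];
    size_t image_bytes = (size_t)out->image_length * 512;
    if (out->image_length == 0 || image_bytes > len) return PCI_ROM_BAD_LENGTH;
    if (out->code_type == 0) {                               /* x86 image: bytes sum to 0 */
        uint8_t sum = 0;
        for (size_t i = 0; i < image_bytes; i++) sum = (uint8_t)(sum + rom[i]);
        if (sum != 0) return PCI_ROM_BAD_CHECKSUM;
    }
    return PCI_ROM_OK;
}

/* Constructed 512-byte x86 image for this example: one (last) image, PCIR at
 * offset 0x20, placeholder vendor/device IDs, class code of an Ethernet
 * controller, and a trailing checksum byte. Returns the image size. */
size_t build_sample_rom(uint8_t *buf, size_t cap)
{
    const size_t n = 512;
    if (cap < n) return 0;
    memset(buf, 0, n);
    buf[0] = 0x55; buf[1] = 0xAA;
    buf[2] = 1;                                   /* init size: 1 x 512 bytes */
    buf[3] = 0xE9; buf[4] = 0x3B; buf[5] = 0x00;  /* JMP rel16 to a placeholder INIT at 0x41 */
    buf[0x18] = 0x20; buf[0x19] = 0x00;           /* pointer to PCI data structure */
    uint8_t *p = buf + 0x20;
    memcpy(p, "PCIR", 4);
    p[0x04] = 0x34; p[0x05] = 0x12;               /* vendor 0x1234 (placeholder) */
    p[0x06] = 0x78; p[0x07] = 0x56;               /* device 0x5678 (placeholder) */
    p[0x0A] = PCIR_SIZE; p[0x0B] = 0x00;          /* PCIR length */
    p[0x0C] = 0x00;                               /* PCIR revision */
    p[0x0D] = 0x00; p[0x0E] = 0x00; p[0x0F] = 0x02; /* class 02 00 00: Ethernet controller */
    p[0x10] = 0x01; p[0x11] = 0x00;               /* image length: 1 x 512 bytes */
    p[0x12] = 0x01; p[0x13] = 0x00;               /* code revision 1 */
    p[0x14] = 0x00;                               /* code type: x86 */
    p[0x15] = 0x80;                               /* last image */
    uint8_t sum = 0;                              /* make the image sum to 0 mod 256 */
    for (size_t i = 0; i < n - 1; i++) sum = (uint8_t)(sum + buf[i]);
    buf[n - 1] = (uint8_t)(0x100 - sum);
    return n;
}
```

A single flipped byte anywhere in the image is caught by the checksum, which is a useful first filter; it is not a substitute for the hash comparison against a known-good copy that an integrity checker such as the one in this paper performs, since an attacker who rewrites the ROM can also recompute the checksum byte.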
