EPA-RIMM-V: Efficient Rootkit Detection for Virtualized Environments

Author

Tejaswini Ajay Vibhute, Portland State UniversityFollow

Sponsor

Portland State University. Department of Computer Science

First Advisor

Karen L. Karavanic

Term of Graduation

2018

Date of Publication

Spring 7-12-2018

Document Type

Thesis

Degree Name

Master of Science (M.S.) in Computer Science

Department

Computer Science

Language

English

Subjects

Virtual computer systems -- Security measures, Rootkits (Computer software)

DOI

10.15760/etd.6369

Physical Description

1 online resource (viii, 72 pages)

Abstract

The use of virtualized environments continues to grow for efficient utilization of the available compute resources. Hypervisors virtualize the underlying hardware resources and allow multiple Operating Systems to run simultaneously on the same infrastructure. Since the hypervisor is installed at a higher privilege level than the Operating Systems in the software stack it is vulnerable to rootkits that can modify the environment to gain control, crash the system and even steal sensitive information. Thus, runtime integrity measurement of the hypervisor is essential. The currently proposed solutions achieve the goal by relying either partially or entirely on the features of the hypervisor itself, causing them to lack stealth and leaving themselves vulnerable to attack.

We have developed a performance sensitive methodology for identifying rootkits in hypervisors from System Management Mode (SMM) while using the features of SMI Transfer Monitor (STM). STM is a recent technology from Intel and it is a virtual machine manager at the firmware level. Our solution extends a research prototype called EPA-RIMM, developed by Delgado and Karavanic at Portland State University. Our solution extends the state of the art in that it stealthily performs measurements of hypervisor memory and critical data structures using firmware features, keeps performance perturbation to acceptable levels and leverages the security features provided by the STM. We describe our approach and include experimental results using a prototype we have developed for Xen hypervisor on Minnowboard Turbot, an open hardware platform.

Rights

In Copyright. URI: http://rightsstatements.org/vocab/InC/1.0/ This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).

Persistent Identifier

https://archives.pdx.edu/ds/psu/26028

Recommended Citation

Vibhute, Tejaswini Ajay, "EPA-RIMM-V: Efficient Rootkit Detection for Virtualized Environments" (2018). Dissertations and Theses. Paper 4485.
https://doi.org/10.15760/etd.6369