First Advisor

Karen L. Karavanic

Term of Graduation

Fall 2022

Date of Publication

12-2-2022

Document Type

Thesis

Degree Name

Master of Science (M.S.) in Computer Science

Department

Computer Science

Language

English

DOI

10.15760/etd.8115

Physical Description

1 online resource (xii, 103 pages)

Abstract

Continuous runtime integrity measurement mechanisms (RIMMs) can be used for timely detection of kernel and hypervisor rootkits. Researchers have proposed running RIMMs in privileged execution environments, such as the x86 architecture's System Management Mode (SMM), to shield them from interference by rootkits that have gained control of the host operating system. However, the extended time spent in SMM to perform inspections can severely disrupt the host. A previously proposed RIMM design called EPA-RIMM addresses this by decomposing long inspections across multiple System Management Interrupts (SMIs), the interrupt used to enter SMM.

EPA-RIMM is intended for deployment on server-class computers. There are typically more cores available on server platforms than client platforms. In existing firmware implementations, all but one core are kept idle in SMM, so utilizing additional cores requires changes to the thread-unaware firmware runtime services that execute when SMM is entered. These idle cores could be utilized to improve detection of RIMM-aware scrubbing rootkits by allowing for more security inspections to be done in the same amount of time.

This thesis presents a new multicore version of EPA-RIMM that is capable of functioning on the Linux operating system. It is implemented in UEFI firmware, the most widely used firmware specification. Adjustments are proposed to the existing EPA-RIMM inspection and check-scheduling design to facilitate multicore execution. Enhancements are also proposed to a UEFI implementation, EDK2, to add support for multicore execution in SMI handlers. Performance results are presented from a modified EPA-RIMM prototype utilizing all four cores of the Intel Atom-class MinnowBoard platform.

We found that the communication-related cryptographic operations must be parallelized along with the inspection itself to obtain a performance improvement. Although we were not able to fully parallelize HMAC, a performance improvement was achieved within a realistic time bound of less than 1.5 ms. Single-core inspection performed best with small Task sizes. Two-core inspection outperforms single-core when Task sizes are 2 KiB or greater, and four-core inspection does so when Task sizes are 4 KiB or greater.
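The following C model is an added illustration of the decomposition idea described above; it is not code from the thesis, EPA-RIMM, or EDK2. It assumes a Task is a fixed-size contiguous chunk of the measured region, that each simulated SMI hands one pending Task to each available core, and uses FNV-1a as a stand-in for the real measurement hash or HMAC. The region contents, Task size, and tamper offset are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added model (not EPA-RIMM or thesis code): a measured region is cut into
 * fixed-size Tasks so that no single SMI has to hash the whole region.
 * Each simulated SMI gives one Task to each of `cores` cores, so a full
 * inspection pass needs ceil(NUM_TASKS / cores) SMIs.
 * FNV-1a stands in for the real measurement hash/HMAC (assumption).
 */

#define REGION_SIZE 16384u
#define TASK_SIZE    2048u
#define NUM_TASKS   (REGION_SIZE / TASK_SIZE)   /* 8 Tasks */

static uint8_t  region[REGION_SIZE];   /* constructed stand-in for kernel text */
static uint64_t baseline[NUM_TASKS];   /* golden per-Task measurements */

static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t measure_task(size_t task)
{
    return fnv1a64(region + task * TASK_SIZE, TASK_SIZE);
}

/* Fill the region with a deterministic pattern and record the baseline. */
void init_and_baseline(void)
{
    for (size_t i = 0; i < REGION_SIZE; i++)
        region[i] = (uint8_t)(i * 31 + 7);
    for (size_t t = 0; t < NUM_TASKS; t++)
        baseline[t] = measure_task(t);
}

/* Simulate a rootkit write into the measured region. */
void tamper(size_t offset, uint8_t value)
{
    region[offset] = value;
}

/*
 * One simulated SMI: cores 0..cores-1 each take the next pending Task
 * starting at *cursor. Returns a bitmask of Tasks whose measurement no
 * longer matches the baseline and advances *cursor past the Tasks done.
 */
uint32_t run_smi(size_t *cursor, unsigned cores)
{
    uint32_t mismatch = 0;
    for (unsigned c = 0; c < cores && *cursor < NUM_TASKS; c++, (*cursor)++) {
        if (measure_task(*cursor) != baseline[*cursor])
            mismatch |= 1u << *cursor;
    }
    return mismatch;
}

/* Complete inspection pass: returns SMI count, ORs Task mismatches into *mismatch. */
unsigned full_pass(unsigned cores, uint32_t *mismatch)
{
    size_t cursor = 0;
    unsigned smis = 0;
    if (cores == 0)          /* guard against an infinite loop */
        cores = 1;
    *mismatch = 0;
    while (cursor < NUM_TASKS) {
        *mismatch |= run_smi(&cursor, cores);
        smis++;
    }
    return smis;
}

unsigned smis_needed(unsigned cores) { uint32_t m; return full_pass(cores, &m); }
uint32_t inspect(unsigned cores)     { uint32_t m; full_pass(cores, &m); return m; }

int main(void)
{
    init_and_baseline();
    printf("1 core : %u SMIs per pass, mismatch 0x%02x\n", smis_needed(1), inspect(1));
    printf("4 cores: %u SMIs per pass, mismatch 0x%02x\n", smis_needed(4), inspect(4));
    tamper(5000, 0x90);   /* offset 5000 lies in Task 2 */
    printf("after tamper, 4 cores: mismatch 0x%02x\n", inspect(4));
    return 0;
}
```

With one core the pass takes eight SMIs of one Task each; with four cores it takes two SMIs, each still bounded to one Task per core, which is the property that keeps any single SMI short while covering the region sooner. A tampered byte shows up as a mismatch in exactly the Task that contains it regardless of the core count.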

Rights

© 2022 Alexander K. Freed

In Copyright. URI: http://rightsstatements.org/vocab/InC/1.0/ This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).

Persistent Identifier

https://archives.pdx.edu/ds/psu/39177