Publication Type
Journal Article
Version
publishedVersion
Publication Date
7-2021
Abstract
During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or must share CPU time with the operating system, disrupting normal execution. In this article, we propose an introspection framework called NIGHTHAWK that transparently checks system integrity and monitors the runtime state of the target system. NIGHTHAWK leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use NIGHTHAWK to introspect the system software and firmware of a host system at runtime. The experimental results show that NIGHTHAWK can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks. Additionally, NIGHTHAWK can monitor the runtime state of the host system against suspicious applications running on the target machine.
Keywords
Intel ME, system management mode, introspection, integrity, transparency
Discipline
Databases and Information Systems | Information Security
Research Areas
Information Systems and Management
Publication
IEEE Transactions on Dependable and Secure Computing
Volume
18
Issue
4
First Page
1920
Last Page
1932
ISSN
1545-5971
Identifier
10.1109/TDSC.2021.3071092
Publisher
Institute of Electrical and Electronics Engineers
Citation
ZHOU, Lei; ZHANG, Fengwei; XIAO, Jidong; LEACH, Kevin; WEIMER, Westley; DING, Xuhua; and WANG, Guojun.
A coprocessor-based introspection framework via Intel Management Engine. (2021). IEEE Transactions on Dependable and Secure Computing, 18(4), 1920-1932.
Available at: https://ink.library.smu.edu.sg/sis_research/6734
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.