EPA-RIMM: A Framework for Dynamic SMM-based Runtime Integrity Measurement

Abstract: Runtime integrity measurements identify unexpected changes in operating systems and hypervisors during operation, enabling early detection of persistent threats. System Management Mode, a privileged x86 CPU mode, has the potential to effectively perform such rootkit detection. Previously proposed SMM-based approaches demonstrated effective detection capabilities, but at a cost of performance degradation and software side effects. In this paper we introduce our solution to these problems, an SMM-based Extensible, Performance Aware Runtime Integrity Measurement Mechanism called EPA-RIMM. The EPA-RIMM architecture features a performance-sensitive design that decomposes large integrity measurements and schedules them to control perturbation and side effects. EPA-RIMM's decomposition of long-running measurements into shorter tasks, extensibility, and use of SMM complicates the efforts of malicious code to detect or avoid the integrity measurements. Using a Minnowboard-based prototype, we demonstrate its detection capabilities and performance impacts. Early results are promising, and suggest that EPA-RIMM will meet production-level performance constraints while continuously monitoring key OS and hypervisor data structures for signs of attack.