EPA-RIMM: A Framework for Dynamic SMM-based Runtime Integrity Measurement

Brian Delgado
Portland State University

This talk provides a short overview of EPA-RIMM, an Extensible Performance-Aware Runtime Integrity Measurement Mechanism being developed at Portland State University. EPA-RIMM identifies the presence of hypervisor and operating system-resident rootkits by detecting unexpected changes in system state. The talk will introduce our Xen and Linux-based prototypes, our extensions to open-source UEFI firmware, the achieved performance, and detection capabilities.

EPA-RIMM features a System Management Mode (SMM)-based measurement agent that operates in a de-privileged virtual machine under a protection policy enforced by Intel's SMI Transfer Monitor (STM). This applies the principle of least privilege to the measurement agent while still accomplishing effective rootkit detection. EPA-RIMM minimizes its impact on the system by decomposing large measurements into sequences of smaller inspections, which reduces the time spent in any single SMM session. With its extensible measurement API, EPA-RIMM can dynamically vary the monitored resources on each inspection, complicating an attacker's ability to derive the measurement target. EPA-RIMM also uses its measurement API to keep host-software contextual information out of the measurement agent itself. Together, these features make SMM-based measurements flexible, more secure, and effective. EPA-RIMM's results suggest that it can meet production-level performance goals while monitoring key OS and hypervisor data structures for signs of attack.
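The two mechanisms described above, decomposing one large measurement into bounded SMM sessions and varying the inspection order so no single session reveals the measurement target, can be illustrated with a small host-side simulation. The following C program is an added example written for this page; it is not EPA-RIMM's code and does not run in SMM. The measured region, its contents, the chunk size, the per-session budget and the FNV-1a hash are all constructed assumptions chosen to keep the example self-contained; the scheduler, the per-pass permutation and the golden-hash comparison are the parts that carry the idea.

```c
/*
 * Added illustration of decomposed, order-varied integrity measurement.
 * Not EPA-RIMM's code. A large region is measured as many small chunk
 * hashes; each simulated SMM session checks at most BUDGET chunks, and
 * every pass visits the chunks in a different permuted order. Region
 * contents, sizes, budget and hash are constructed for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REGION_SIZE 4096u   /* constructed stand-in for a monitored OS/VMM structure */
#define CHUNK_SIZE  256u    /* size of one "small inspection"                        */
#define NUM_CHUNKS  (REGION_SIZE / CHUNK_SIZE)   /* 16, a power of two              */
#define BUDGET      4u      /* chunks measured per SMM session; bounds SMM residency  */

static uint8_t  region[REGION_SIZE];   /* the measured memory (constructed)  */
static uint64_t golden[NUM_CHUNKS];    /* known-good hash of every chunk     */

typedef struct {
    unsigned position;      /* next slot within the current pass, 0..NUM_CHUNKS-1 */
    uint64_t seed;          /* drives the per-pass permutation                    */
    unsigned stride, base;  /* permutation parameters for the current pass        */
} scheduler_t;

/* FNV-1a 64-bit: a small dependency-free hash used only for this illustration. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ull; }
    return h;
}

/* Fill the region with a deterministic pattern and record its golden hashes. */
void init_region_and_golden(void) {
    for (unsigned i = 0; i < REGION_SIZE; i++) region[i] = (uint8_t)(i * 31u + 7u);
    for (unsigned c = 0; c < NUM_CHUNKS; c++)
        golden[c] = fnv1a64(region + c * CHUNK_SIZE, CHUNK_SIZE);
}

/* Simulate a rootkit modifying one byte of the monitored region. */
void tamper(unsigned offset, uint8_t value) { region[offset % REGION_SIZE] = value; }

/* How many SMM sessions one complete pass over the region takes. */
int sessions_per_pass(void) { return (int)((NUM_CHUNKS + BUDGET - 1u) / BUDGET); }

/* Start a new pass: an odd stride is coprime with NUM_CHUNKS (a power of two),
 * so slot -> (stride*slot + base) mod NUM_CHUNKS is a bijection over the chunks. */
static void begin_pass(scheduler_t *s) {
    s->seed   = s->seed * 6364136223846793005ull + 1442695040888963407ull; /* LCG step */
    s->stride = (unsigned)((s->seed >> 33) % NUM_CHUNKS) | 1u;
    s->base   = (unsigned)((s->seed >> 17) % NUM_CHUNKS);
    s->position = 0;
}

static unsigned slot_to_chunk(const scheduler_t *s, unsigned slot) {
    return (s->stride * slot + s->base) % NUM_CHUNKS;
}

/* Sanity check: a pass visits every chunk exactly once regardless of seed. */
int pass_covers_all(uint64_t seed) {
    scheduler_t s = { 0, seed, 1, 0 };
    begin_pass(&s);
    unsigned seen = 0;
    for (unsigned slot = 0; slot < NUM_CHUNKS; slot++) seen |= 1u << slot_to_chunk(&s, slot);
    return seen == (1u << NUM_CHUNKS) - 1u;
}

/* One simulated SMM session: measure at most BUDGET chunks, then return to
 * the host. Returns the mismatch count; *first_bad (if >= 0 is not yet set)
 * receives the index of the first chunk whose hash differs from golden. */
int run_session(scheduler_t *s, int *first_bad) {
    if (s->position == 0) begin_pass(s);
    int bad = 0;
    for (unsigned n = 0; n < BUDGET && s->position < NUM_CHUNKS; n++, s->position++) {
        unsigned c = slot_to_chunk(s, s->position);
        if (fnv1a64(region + c * CHUNK_SIZE, CHUNK_SIZE) != golden[c]) {
            if (first_bad && *first_bad < 0) *first_bad = (int)c;
            bad++;
        }
    }
    if (s->position >= NUM_CHUNKS) s->position = 0; /* pass done; next session starts a new one */
    return bad;
}

/* Run sessions until one complete pass has covered the whole region. */
int full_pass(scheduler_t *s, int *first_bad) {
    int bad = 0;
    if (first_bad) *first_bad = -1;
    do { bad += run_session(s, first_bad); } while (s->position != 0);
    return bad;
}

int main(void) {
    init_region_and_golden();
    scheduler_t s = { 0, 0x5eedULL, 1, 0 };
    int bad = -1;
    printf("clean pass: %d mismatches (%d sessions)\n", full_pass(&s, &bad), sessions_per_pass());
    tamper(5u * CHUNK_SIZE + 17u, 0xCC);
    printf("after tamper: %d mismatches, first bad chunk %d\n", full_pass(&s, &bad), bad);
    return 0;
}
```

The point the simulation makes is that bounding each session to `BUDGET` chunks does not weaken coverage: every pass still hashes the entire region, only spread over several short SMM entries, and because the visiting order is re-derived from the seed on each pass, an observer who sees one session inspecting chunk 5 cannot infer which chunk the next session will check. In a real deployment the golden hashes and the seed would be held inside the protected measurement environment, not in host-accessible memory as in this stand-alone program.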

Boot Integrity