EPA-RIMM: A Framework for Dynamic SMM-based Runtime Integrity Measurement

TL;DR

EPA-RIMM is a novel SMM-based framework that enhances runtime integrity measurement by decomposing tasks for minimal performance impact, improving detection of persistent threats in operating systems and hypervisors.

Contribution

The paper introduces EPA-RIMM, an extensible, performance-aware SMM-based integrity measurement system that addresses previous performance issues and complicates malicious evasion.

Findings

Effective detection of rootkits demonstrated on prototype

Achieves performance suitable for production environments

Decomposes large measurements into shorter, manageable tasks

Abstract

Runtime integrity measurements identify unexpected changes in operating systems and hypervisors during operation, enabling early detection of persistent threats. System Management Mode, a privileged x86 CPU mode, has the potential to effectively perform such rootkit detection. Previously proposed SMM-based approaches demonstrated effective detection capabilities, but at a cost of performance degradation and software side effects. In this paper we introduce our solution to these problems, an SMM-based Extensible, Performance Aware Runtime Integrity Measurement Mechanism called EPA-RIMM. The EPA-RIMM architecture features a performance-sensitive design that decomposes large integrity measurements and schedules them to control perturbation and side effects. EPA-RIMM's decomposition of long-running measurements into shorter tasks, extensibility, and use of SMM complicates the efforts of malicious code to detect or avoid the integrity measurements. Using a Minnowboard-based prototype, we demonstrate its detection capabilities and performance impacts. Early results are promising, and suggest that EPA-RIMM will meet production-level performance constraints while continuously monitoring key OS and hypervisor data structures for signs of attack.