The World Wide Web and cloud computing have become widely used and are interwoven into many activities of daily life, from shopping to socializing to education. But the data center servers that are the backbone of this richly connected world remain vulnerable to malicious software ("malware"). Over the past decade, attacks have increased in number and sophistication, motivated by both financial and political goals. The results include consumer concerns about identity theft and fraudulent charges, corporate concerns about millions of dollars in losses, and potential national-defense concerns. At the same time, servers and data centers have become more complex as both the hardware and the software have grown in capability. Thus protecting servers from attack has become increasingly urgent yet increasingly difficult. This project is developing a new approach to server security: monitoring for attacks will be integrated into the servers themselves in a manner that avoids unwieldy performance slowdowns.
This project focuses on detecting rootkits that compromise operating system kernels and hypervisors. The research targets a specific class of solutions that use widely available hardware support to allow safe introspection of low-level system state at run time. Rootkit detection checks are implemented in System Management Mode (SMM), a special x86 processor mode entered when the processor receives a System Management Interrupt (SMI). The SMI handler is installed by the BIOS, and an SMI takes priority over any interrupt the operating system or hypervisor controls, so a compromised kernel cannot mask or defer the check. Code running in SMM executes from SMRAM, a region of memory the processor makes inaccessible outside SMM; this protects both the detection code and the reference state it compares against from the very software it is inspecting. Because time spent in SMM is time stolen from the workload, the frequency and thoroughness of the checks trade directly against performance. This project is exploring and quantifying the performance impact of various SMM-based rootkit detection approaches, and is developing new approaches in which the detection work is scheduled adaptively to strike an appropriate balance between detection capability and performance degradation.
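The following is an added example, not code from the project described above, showing the shape of the check an SMM handler performs and one way the check interval could be adapted to a CPU-time budget. It is a user-space model: the "system call table" and "IDT" are constructed arrays standing in for kernel structures that rootkits commonly hook, where a real handler would read the live kernel's physical memory from SMRAM-resident code and keep the baseline hash in SMRAM. The scheduling policy (period = check cost / budget, drop to the minimum period after a failed check) is an illustrative assumption, not the project's algorithm. Function names are also assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for two kernel structures rootkits commonly hook.
 * Values are made up; a real SMM handler would read the kernel's actual
 * tables at their physical addresses. */
#define NR_SYSCALLS    8
#define NR_IDT_ENTRIES 16
static uint64_t syscall_table[NR_SYSCALLS];
static uint64_t idt[NR_IDT_ENTRIES];

/* Every (base, length) region listed here is hashed on each check. */
struct region { const void *base; size_t len; };
static const struct region regions[] = {
    { syscall_table, sizeof syscall_table },
    { idt,           sizeof idt },
};
#define NR_REGIONS (sizeof regions / sizeof regions[0])

/* FNV-1a, chained across regions: cheap enough to run inside an SMI handler. */
static uint64_t fnv1a64(const void *p, size_t n, uint64_t h) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

static uint64_t measure_all(void) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < NR_REGIONS; i++)
        h = fnv1a64(regions[i].base, regions[i].len, h);
    return h;
}

/* Reference hash. Must be taken while the kernel is still trusted (e.g. right
 * after boot) and, in a real deployment, stored in SMRAM so the kernel cannot
 * rewrite it. */
static uint64_t baseline;

static void populate_tables(void) {   /* constructed sample contents */
    for (int i = 0; i < NR_SYSCALLS; i++)
        syscall_table[i] = 0xffffffff81000000ULL + 0x1000ULL * i;
    for (int i = 0; i < NR_IDT_ENTRIES; i++)
        idt[i] = 0x8e00ffff81100000ULL + 0x100ULL * i;
}

void take_baseline(void) { populate_tables(); baseline = measure_all(); }

/* The per-SMI check: returns 1 if every measured region matches the baseline. */
int check_integrity(void) { return measure_all() == baseline; }

/* Simulated rootkit: redirect one syscall entry to attacker-controlled code. */
void hook_syscall(int nr, uint64_t target) { syscall_table[nr] = target; }

/* Adaptive scheduler (illustrative policy). The budget is in basis points of
 * CPU time: 100 bp = 1% of wall-clock time may be spent inside SMM. */
static struct {
    uint64_t min_us, max_us;   /* hard bounds on the check period */
    uint64_t budget_bp;        /* allowed overhead, basis points */
    uint64_t interval_us;      /* current period */
} sched;

void sched_init(uint64_t min_us, uint64_t max_us, uint64_t budget_bp) {
    sched.min_us = min_us; sched.max_us = max_us;
    sched.budget_bp = budget_bp; sched.interval_us = min_us;
}

/* Pick the next period from the measured cost of the last check. Keeping
 * period = cost * 10000 / budget_bp holds overhead at the budget; a failed
 * check drops to the floor so follow-up checks run as fast as allowed. */
uint64_t next_interval(uint64_t last_cost_us, int last_ok) {
    uint64_t want = last_ok ? last_cost_us * 10000 / sched.budget_bp
                            : sched.min_us;
    if (want < sched.min_us) want = sched.min_us;
    if (want > sched.max_us) want = sched.max_us;
    sched.interval_us = want;
    return want;
}

int main(void) {
    sched_init(100, 1000000, 100);          /* 100 us .. 1 s, 1% budget */
    take_baseline();
    int ok = check_integrity();
    printf("clean kernel: %s, next check in %llu us\n",
           ok ? "intact" : "TAMPERED",
           (unsigned long long)next_interval(50, ok));
    hook_syscall(3, 0xffffffffc0000000ULL);  /* constructed attacker address */
    ok = check_integrity();
    printf("after hook:   %s, next check in %llu us\n",
           ok ? "intact" : "TAMPERED",
           (unsigned long long)next_interval(50, ok));
    return 0;
}
```

Two caveats carry over to a real handler. Hashing only detects changes inside the regions you chose to measure, so a rootkit that hooks something not on the list (or hides in data the baseline cannot cover, such as dynamically allocated structures) is not caught by this check alone. And every SMI stalls normal execution for the duration of the check, which is why the period, not just the check itself, has to be engineered.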