Adversaries have a large and continually growing set of known weaknesses for software applications and the operating systems (“OS”) that those applications run on. Exploiting these weaknesses has allowed adversaries to deploy viruses, worms, Trojan horses, and OS rootkits on an untold number of systems. In recent years, various researchers have begun focusing their attention on the lower layers of the hardware/software stack, expanding the set of known weaknesses into new areas.
Peripherals capable of Direct Memory Access (“DMA”) can, without authorization, read the contents of the screen, search for strings or keys in memory, change data, escalate the privileges of processes, or inject code. Malicious virtual machine managers (“VMMs”) exist where malicious code executes at a privilege level below the OS, thereby providing backdoor functionality that is invisible to the OS. Device firmware involved in the computer boot process has also been targeted. Malicious modifications to the boot-related firmware stored in the system's Basic Input/Output System (“BIOS”), Peripheral Component Interconnect (“PCI”) expansion and option ROMs, and Extensible Firmware Interface (“EFI”) have been demonstrated. Malicious modifications to this boot-related firmware can bootstrap a rootkit before the OS loads.
One potential defense against malicious rootkits, VMMs, and modified boot firmware is to use DMA to monitor system memory for unauthorized changes. One such proof-of-concept PCI device that uses DMA reads to image a host computer's memory is named “Tribble.” Another prototype PCI device named “Copilot” uses DMA to detect rootkits by tracking changes to the OS kernel, loaded kernel modules (drivers), and critical data structures. While Copilot was designed to detect OS-level rootkits, the technique would also be applicable to detecting malicious VMMs.
In order to prevent devices like Tribble and Copilot from detecting deeply-buried malware, a malware researcher has developed techniques that block DMA to regions of memory occupied by malware. This DMA blocking technique is possible because the system's memory controller handles memory access from the central processing unit (“CPU”) and DMA-capable devices slightly differently. Malware that wishes to remain hidden changes several configuration registers in the memory controller so that the CPU still has access to the region of memory occupied by the malware, but any attempted DMA to that memory region is redirected to another location.
Another hardware-layer defense is the Trusted Platform Module (“TPM”). The TPM provides a hardware-based random number generator, protected generation and storage of cryptographic keys, “attestation” of boot process integrity, and “sealing” (encryption) of data based on attestation values. Attestation involves calculating a cryptographic hash of boot-related firmware, boot loaders, and the OS. The resulting cryptographic hashes for each stage of the boot process are compared against known good values before transferring execution to that stage. A TPM-enabled system would be capable of detecting many forms of firmware modifications.
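The measured-boot attestation described above, as an added illustration that is not part of this document: each boot stage is hashed, the hash is folded into a TPM-style platform configuration register (PCR) with the extend operation H(old || measurement), and the final value plus the per-stage event log are compared against known good values recorded from a trusted build. The stage images, stage names and golden values below are constructed for the example; a modified option ROM is detected and named.

```python
import hashlib

# Constructed stand-ins for the real firmware, boot loader and OS images.
BOOT_STAGES = [
    ("bios", b"BIOS image v1.0"),
    ("option_rom", b"PCI option ROM (NIC) v2.3"),
    ("bootloader", b"stage-2 boot loader"),
    ("os_kernel", b"OS kernel image"),
]

def measure(data: bytes) -> bytes:
    """Measurement of one boot stage: a cryptographic hash of its bytes."""
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || measurement). The register can only
    be extended, never set, so the final value commits to every stage and to
    the order in which the stages were measured."""
    return hashlib.sha256(pcr + measurement).digest()

def boot_chain(stages):
    """Measure each stage in order; return (event log, final PCR) as hex."""
    pcr = bytes(32)  # PCRs start at all-zero on reset
    log = {}
    for name, data in stages:
        m = measure(data)
        log[name] = m.hex()
        pcr = extend(pcr, m)
    return log, pcr.hex()

def first_mismatch(event_log, known_good_log):
    """Replay the event log against known good measurements and return the
    first stage whose hash differs, or None when every stage matches."""
    for name, good in known_good_log.items():
        if event_log.get(name) != good:
            return name
    return None

def verify_boot(stages, known_good_log, known_good_pcr):
    """Attestation check: (True, None) if the chain matches the golden PCR,
    otherwise (False, <first modified stage or None if only the order changed>)."""
    log, pcr = boot_chain(stages)
    if pcr == known_good_pcr:
        return True, None
    return False, first_mismatch(log, known_good_log)

# Golden values as they would be recorded from a trusted build (constructed here).
KNOWN_GOOD_LOG, KNOWN_GOOD_PCR = boot_chain(BOOT_STAGES)

def tampered_stages():
    """Constructed scenario: the PCI option ROM has been modified before boot."""
    return [(n, d + b" (modified)" if n == "option_rom" else d) for n, d in BOOT_STAGES]
```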
The hardware/software stack, current and emerging threats, and conventional defenses are shown graphically in FIG. 1. As FIG. 1 illustrates, system defenders lack defenses at the lower layers of the hardware/software stack that can effectively deal with malware threats at higher layers of the stack.