A software detection mechanism based on smm in network computing

Abstract

To guarantee the network computing system security, the effective method is illegal or malicious software detection. Most of the former researches implement it on OS kernel or hypervisor level. However, if the system is attacked by the ring 0 or ring 1 level risks, the OS kernel or hypervisor is unable to provide the trusted base, which may cause an incorrect result. To solve the shortcomings, we choose the System Management Mode (SMM) to build a trusted execution environment. The SMM is a special cpu mode in the x86 architecture, which could create a security and isolated area on firmware level for malicious attacks detection. In this paper, we remotely interrupt the local system, and design a secure module in SMM to obtain messages from registers and physical memory space. Those messages are used to back analyze the software executing code segment for further information comparing. Beside the local detection, we use remote attestation approach for verifying the secure module. Our approach resists the attack surface under the OS level, and advances state-of-the-art detecting transparently. Furthermore, the analysis process could implement in the server to reduce the overheads on the client platform.