Authors: Stewin, Patrick
Title: Evaluating "Ring -3" Rootkits
Language (ISO): en
Abstract: In 2009, security researchers discovered a new, very powerful rootkit environment on x86 platforms [1]. That environment is based on Intel's Active Management Technology (iAMT) [2], which is completely isolated from the host. One part of iAMT is implemented as an embedded my-controller in the platform's memory controller hub. That my-controller is called Manageability Engine (ME) and includes a processor (ARCtangent-A4), read-only memory (ROM), static random access memory (SRAM) and direct memory access (DMA) engines. Furthermore, iAMT provides an isolated network channel (out-of-band (OOB) communication). To illustrate the power of the stealth enviroment, [1] called the iAMT environment in conjunction with rootkits "ring -3", following the x86 ring protection model. For our evaluation we implemented a prototype in form of a USB keyboard keystroke logger [3].1 Since we were unable to get an Intel developer board providing the "ring -3" environment, we had to use the exploit discovered by [1] to infiltrate our target platform. We monitor the keyboard buffer of the Linux based target platform via DMA. To find the physical address of the keyboard buffer we apply a search algorithm, that finds the USB product string and follows some pointers to the structure containing the buffer address. To exfiltrate captured keystrokes our prototype uses iAMT's OOB communication capabilities. [1] discussed countermeasures against "ring -3" rootkits, but they also provide approaches to defeat such countermeasures. Furthermore, it is doubtful if all the proposed countermeasures can be applied in practice.2 The goal of our evaluation is to find a reliable detection mechanism for "ring -3" rootkits. We assume that we can provoke delays when accessing the same resources as our prototype. For example, our prototype has to scan the host memory to find certain data structures and it also has use the network interface card to send keystroke codes. Another possibility is to initiate various DMA transfers using multiple devices. Only one device can be the bus master at a certain point in time. The next step is to design an experimental set-up that allows the measurement of delays and finally derive a reliable detection mechanism for "ring -3" rootkits.
URI: http://hdl.handle.net/2003/28930
http://dx.doi.org/10.17877/DE290R-1921
Issue Date: 2011-07-21
Is part of: SPRING - SIDAR Graduierten-Workshop über Reaktive Sicherheit, 21.-22. März 2011, Bochum, Deutschland
Appears in Collections:Presentations

Files in This Item:
File Description SizeFormat 
04.pdfDNB1.8 MBAdobe PDFView/Open


This item is protected by original copyright



This item is protected by original copyright rightsstatements.org