美国韦恩州立大学（Wayne State University, USA）Fengwei Zhang博士学术报告通知
撰稿人：彭滔 发布时间：2018年5月11日 17:17
题目: Nighthawk: Transparent System Introspection from Ring -3
报告人: Fengwei Zhang博士，美国韦恩州立大学（Wayne State University, USA）
During the past decade, virtualization-based approaches (e.g., VMI) and hardware-assisted approaches (e.g., SMM and TrustZone) have been proposed to ensure the integrity of the system at runtime and defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or disrupt the normal execution due to sharing the main CPU. In this paper, we propose a novel introspection framework called Nighthawk, which transparently checks the integrity of the system at runtime. Nighthawk leverages Intel Management Engine (ME), a co-processor running independently from the main CPU, so our approach has a minimal TCB and introduces almost zero overhead to the host system. To demonstrate the effectiveness of our approach, we use Nighthawk to check the integrity of the system software and firmware of the host system at runtime. The experimental results show that Nighthawk is able to detect real-world attacks against OS, hypervisor, and system management mode. Additionally, Nighthawk introduces almost zero overhead to the host system on our tested benchmarks.
Fengwei Zhang is an Assistant Professor and Director of the COMputer And Systems Security (COMPASS) lab at Wayne State University. He received his Ph.D. degree in computer science from George Mason University in 2015. His research interests are in the areas of systems security, with a focus on trustworthy execution, transparent malware debugging, transportation security, and plausible deniability encryption. He has been published at top security venues including IEEE S&P, USENIX Security, NDSS, IEEE TIFS, and IEEE TDSC. He is a recipient of the Distinguished Paper Award in ACSAC 2017.