Apparatus and method for runtime integrity verification

(12) United States Patent
Khosravi et al.

(10) Patent No.: US 8,832,454 B2
(45) Date of Patent: *Sep. 9, 2014

(54) APPARATUS AND METHOD FOR RUNTIME INTEGRITY VERIFICATION

(75) Inventors: Hormuzd M. Khosravi, Portland, OR (US); Vincent J. Zimmer, Federal Way, WA (US); Divya Naidu Kolar Sunder, Hillsboro, OR (US)

(73) Assignee: Intel Corporation, Santa Clara, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 818 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 12/317,852
(22) Filed: Dec. 30, 2008
(65) Prior Publication Data: US 2010/0169967 A1, Jul. 1, 2010

(51) Int. Cl.: G06F 11/30 (2006.01); G06F 21/64 (2013.01); G06F 21/52 (2013.01)
(52) U.S. Cl.: CPC G06F 21/64 (2013.01); G06F 2221/2101 (2013.01); G06F 21/52 (2013.01); USPC 713/187
(58) Field of Classification Search: USPC 713/156, 161, 172, 173, 187, 188, 189; 726/22-25. See application file for complete search history.

Primary Examiner: Teshome Hailu
(74) Attorney, Agent, or Firm: Jordan IP Law, LLC

(57) ABSTRACT

In some embodiments, a processor-based system may include at least one processor, at least one memory coupled to the at least one processor, a code block, and code which is executable by the processor-based system to cause the processor-based system to generate integrity information for the code block upon a restart of the processor-based system, securely store the integrity information, and validate the integrity of the code block during a runtime of the processor-based system using the securely stored integrity information. Other embodiments are disclosed and claimed.

14 Claims, 7 Drawing Sheets


[Fig. 1 (Sheet 1 of 7): block diagram with blocks labelled PROCESSOR, MEMORY, CODE BLOCK and NETWORK COMPONENT.]

[Fig. 2 (Sheet 1 of 7): block diagram with blocks labelled CPU, SYSTEM MANAGEMENT MEMORY, CHIPSET, ME, MEMORY, PROCESSOR and NETWORK COMPONENT.]

[Fig. 3 (Sheet 2 of 7): flow diagram. Box text, in order:]

- GENERATING INTEGRITY INFORMATION FOR A CODE BLOCK UPON RESTART OF THE PROCESSOR-BASED SYSTEM
- SECURELY STORING THE INTEGRITY INFORMATION
- VALIDATING THE INTEGRITY OF THE CODE BLOCK DURING RUNTIME USING THE SECURELY STORED INTEGRITY INFORMATION
- THE CODE BLOCK CORRESPONDS TO ONE OF A FIRMWARE ELEMENT, A BASIC INPUT OUTPUT SYSTEM (BIOS) ELEMENT, AND A SYSTEM MANAGEMENT MODE (SMM) ELEMENT
- PERIODICALLY RE-VALIDATING THE INTEGRITY OF THE CODE BLOCK DURING RUNTIME USING THE SECURELY STORED INTEGRITY INFORMATION
- SECURELY STORING A LIST OF INTEGRITY INFORMATION CORRESPONDING TO A PLURALITY OF CODE BLOCKS
- SCANNING THE AT LEAST ONE MEMORY COUPLED TO THE AT LEAST ONE PROCESSOR FOR THE PLURALITY OF CODE BLOCKS AND VALIDATING THE INTEGRITY OF THE SCANNED CODE BLOCKS DURING RUNTIME USING THE SECURELY STORED LIST OF INTEGRITY INFORMATION
- SENDING A REMOTE ALERT IF THE VALIDATION FAILS

[Fig. 4 (Sheet 3 of 7): flow diagram. Box text, in order:]

- GENERATING INTEGRITY INFORMATION FOR A CONTENTS OF A SYSTEM MANAGEMENT MEMORY UPON A RESTART OF THE PROCESSOR-BASED SYSTEM
- TRANSFERRING THE INTEGRITY INFORMATION TO A MANAGEABILITY ENGINE CHIPSET OF THE PROCESSOR-BASED SYSTEM
- SECURELY STORING THE INTEGRITY INFORMATION IN A LOCATION ACCESSIBLE BY THE MANAGEABILITY ENGINE
- VALIDATING A CONTENTS OF THE SYSTEM MANAGEMENT MEMORY WITH THE MANAGEABILITY ENGINE DURING A RUNTIME OF THE PROCESSOR-BASED SYSTEM USING THE SECURELY STORED INTEGRITY INFORMATION
- PERIODICALLY RE-VALIDATING THE CONTENTS OF THE SYSTEM MANAGEMENT MEMORY WITH THE MANAGEABILITY ENGINE DURING THE RUNTIME OF THE PROCESSOR-BASED SYSTEM USING THE SECURELY STORED INTEGRITY INFORMATION
- SCANNING THE SYSTEM MANAGEMENT MEMORY AND VALIDATING THE INTEGRITY OF THE SCANNED MEMORY USING THE SECURELY STORED INTEGRITY INFORMATION
- SENDING A REMOTE ALERT FROM MANAGEABILITY ENGINE IF THE VALIDATION FAILS

[Fig. 5 (Sheet 4 of 7): flow diagram. Box text, in order:]

- ME receives SMM whitelist from BIOS over HECI during system boot
- ME uses PECOFF files to generate manifests and store them securely in flash
- When runtime integrity check timer expires
- ME scans host memory / SMRAM for SMM handlers & UEFI runtime tables
- ME validates integrity of SMM/BIOS code using stored manifests
- ME validates the pointers in SMM handler dispatch table point to valid code regions
- If integrity check fails: Yes, ME sends alert to remote IT / AV server / service; No, ME sets timer and waits for next timer interrupt
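The Fig. 5 flow, as an added Python simulation that is not code from the patent: a boot-time manifest of whitelisted regions, then a runtime pass that re-hashes each region and checks that every dispatch-table pointer lands inside one. The region names, addresses and byte patterns are constructed, SHA-256 is an assumption (the patent says only "integrity information" and "manifests"), and the manifest dictionary stands in for the ME's secure storage.

```python
import hashlib
import hmac


def build_manifest(smram, whitelist):
    """Boot-time step: record base, size and SHA-256 of each whitelisted image."""
    return {name: (base, size, hashlib.sha256(smram[base:base + size]).digest())
            for name, base, size in whitelist}


def runtime_check(smram, manifest, dispatch_table):
    """One timer-driven pass; returns a list of (finding, detail) tuples."""
    findings = []
    # Re-hash every whitelisted region and compare with the stored manifest.
    for name, (base, size, expected) in manifest.items():
        actual = hashlib.sha256(smram[base:base + size]).digest()
        if not hmac.compare_digest(actual, expected):
            findings.append(("hash-mismatch", name))
    # Every dispatch-table pointer must land inside a whitelisted region.
    for slot, ptr in enumerate(dispatch_table):
        if not any(b <= ptr < b + s for b, s, _ in manifest.values()):
            findings.append(("pointer-outside-whitelist", slot))
    return findings


def demo():
    # Constructed sample data: a 4 KiB stand-in for SMRAM with two handlers.
    smram = bytearray(0x1000)
    smram[0x100:0x180] = bytes([0x90]) * 0x80
    smram[0x400:0x500] = bytes([0xCC]) * 0x100
    whitelist = [("HandlerA", 0x100, 0x80), ("HandlerB", 0x400, 0x100)]
    dispatch = [0x100, 0x400]
    manifest = build_manifest(smram, whitelist)  # held by the verifier only
    clean = runtime_check(smram, manifest, dispatch)
    # Case 1: a byte inside a whitelisted handler is modified, then restored.
    smram[0x120] ^= 0xFF
    patched = runtime_check(smram, manifest, dispatch)
    smram[0x120] ^= 0xFF
    # Case 2: content appears outside the whitelist and a pointer is redirected;
    # the hashed regions are untouched, so only the pointer check reports it.
    smram[0x800:0x810] = bytes([0xEB]) * 0x10
    dispatch[1] = 0x800
    hooked = runtime_check(smram, manifest, dispatch)
    return clean, patched, hooked


if __name__ == "__main__":
    for label, result in zip(("clean", "patched", "hooked"), demo()):
        print(label, result or "ok")
```

The second case is why the flow validates dispatch-table pointers in addition to code hashes: a redirected pointer leaves every whitelisted image byte-for-byte intact.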

[Fig. 7 (Sheet 6 of 7): block diagram with labels CPU; SMRAM T-SEG; Runtime verification HPA; ME; BIOS SPI; ME/Other; EFI System Partition.]

[Fig. 8 (Sheet 7 of 7): layout of an EFI image in memory, drawn as stacked fields: DOS-stub; File-Header; optional header, containing data directories (RVAs to directories in sections); section headers (RVAs to section borders). Annotations: "EFI Image in memory", "EFI Image is a PE/COFF executable", "ME keeps a white-list of these for runtime".]

        ... FilePath, Args->SrcBuffer, Args->SrcSize, Address, &Index, Args->ImageHandle, NULL,
            EFI_LOAD_PE_IMAGE_ATTRIBUTE_NONE
            );
    // Abort if the image load failed
    if (EFI_ERROR (Status) || Status == EFI_BUFFER_TOO_SMALL) {
      return EFI_INVALID_PARAMETER;
    }
    // Register the Image w/ the ME
    CheckAndFixHeciForAccess ( );
    if (EFI_ERROR (Status) || Status == EFI_BUFFER_TOO_SMALL) {
      return EFI_INVALID_PARAMETER;
    }
    // Describe the loaded image (base and size) in the HECI packet
    HeciIntegrityPacket->ImageBase = Args->SrcBuffer;
    HeciIntegrityPacket->ImageSize = Args->SrcSize;
    // Send the packet to the ME and abort on failure
    Status = HeciPacketSend (HeciIntegrityPacket);
    if (EFI_ERROR (Status) || Status == EFI_BUFFER_TOO_SMALL) {
      return EFI_INVALID_PARAMETER;
    }

[...] monitored at runtime by the Manageability Engine (ME) in the chipset 76.

In contrast with the above flow, an SMM rootkit may attempt to add code into System Management RAM (SMRAM) sometime after the above load sequence. The rootkit could install itself via a BIOS bug, such as not setting the D_LCK bit in the chipset which makes SMRAM inaccessible (which BIOS normally sets prior to running option ROMs or booting the OS) http://www.cs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf, or via a hardware attack, such as a cache-attack wherein T-SEG is aliased to main [...] tion by the ME. For example, the T-SEG may be populated by a series of PECOFF executable images for the UEFI PI SMM infrastructure. Any attempt to hijack or modify these executables, or executable content beyond the authorized list in SMRAM, may constitute an attack.

Advantageously, in addition to white-listing SMM at runtime, some embodiments of the invention may monitor other entities at runtime. For example, some embodiments of the invention may monitor UEFI_SYSTEM_TABLE_RUNTIME_SERVICES data objects and the associated function pointers and routines. For example, these entities may be passed from platform firmware into the OS kernel runtime in order to facilitate OS kernel runtime firmware interactions/calls, such as GetTime( ), Get/Set( ) of UEFI variables, CapsuleUpdate( ). For example, some of these entities may be co-located with the OS kernel at runtime and OS kernel protections may be utilized for these objects as [...] Advantageously, providing runtime integrity verification by the ME to protect these code and data objects may allow for a more robust UEFI implementation.

Although many of the embodiments described herein utilize terminology associated with a particular execution environment, those skilled in the art will appreciate that the invention is not limited to these specific embodiments and that equivalent routines and/or structures may be implemented in other processor-based environments where security features are desired. Likewise, the various code modules, registers, and tables referred to herein may be described by other terminology in other platforms while providing equivalent structures and/or performing equivalent functions.

Those skilled in the art will appreciate that, given the benefit of the present description, a numerous variety of other circuits and combinations of hardware and/or software may be configured to implement various methods, circuits, and systems in accordance with the embodiments described herein and other embodiments of the invention. The examples of FIGS. 1 through 8 are non-limiting examples of suitable embodiments.

The foregoing and other aspects of the invention are achieved individually and in combination. The invention should not be construed as requiring two or more of such aspects unless expressly required by a particular claim. Moreover, while the invention has been described in connection with what is presently considered to be the preferred examples, it is to be understood that the invention is not limited to the disclosed examples, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and the scope of the invention.

What is claimed is:

1. A processor-based system, comprising:
at least one processor;
at least one memory coupled to the at least one processor;
a code block; and
code which is executable by the processor-based system to cause the processor-based system to:
generate integrity information for the code block upon a restart of the processor-based system;
securely store the integrity information, wherein the integrity information corresponds to one or more code blocks;
validate an integrity of the code block during a runtime of the processor-based system using the securely stored integrity information;
securely store a list of integrity information corresponding to a plurality of code blocks; and
scan the at least one memory coupled to the at least one processor for the plurality of code blocks and validate the integrity of the scanned code blocks during runtime using the securely stored list of integrity information.

2. The system of claim 1, wherein the code block corresponds to one of a firmware element, a basic input output system (BIOS) element, and a system management mode (SMM) element.

3. The system of claim 1, further comprising code to cause the processor-based system to:
periodically re-validate the integrity of the code block during runtime using the securely stored integrity information.

4. The system of claim 1, further comprising:
a network component and code to cause the processor-based system to send a remote alert if the validation fails.

5. A processor-based system, comprising:
at least one processor;
a system management memory coupled to the at least one processor;
a chipset including a manageability engine coupled to the at least one processor and the system management memory; and
code which is executable by the processor-based system to cause the manageability engine of the chipset to validate a contents of the system management memory during a runtime of the processor-based system, and further comprising code to cause the processor-based system to:
generate integrity information for the contents of the system management memory upon a restart of the processor-based system;
transfer the integrity information to the manageability engine of the chipset;
securely store the integrity information in a location accessible by the manageability engine, wherein the integrity information corresponds to one or more code blocks;
periodically re-validate the contents of the system management memory during the runtime of the processor-based system using the securely stored integrity information; and
scan the system management memory and validate the integrity of the scanned memory using the securely stored integrity information.

6. The system of claim 5, further comprising:
a network component and code to cause the manageability engine to send a remote alert if the validation fails.

7. The system of claim 5, wherein the location accessible by the manageability engine comprises a memory subsystem of the manageability engine.

8. The system of claim 5, wherein the manageability engine includes a separate processor and wherein at least a portion of the code is executable by the separate processor of the manageability engine.

9. A method of performing runtime integrity verification for a processor-based system, comprising:
generating integrity information for a code block upon restart of the processor-based system;
securely storing the integrity information, wherein the integrity information corresponds to one or more code blocks;
validating an integrity of the code block during runtime using the securely stored integrity information;
securely storing a list of integrity information corresponding to a plurality of code blocks; and
scanning the at least one memory coupled to the at least one processor for the plurality of code blocks and validating the integrity of the scanned code blocks during runtime using the securely stored list of integrity information.

10. The method of claim 9, wherein the code block corresponds to one of a firmware element, a basic input output system (BIOS) element, and a system management mode (SMM) element.

11. The method of claim 9, further comprising:
periodically re-validating the integrity of the code block during runtime using the securely stored integrity information.

12. The method of claim 9, further comprising:
sending a remote alert if the validation fails.

13. A method of performing runtime integrity verification for a processor-based system, comprising:
generating integrity information for the contents of a system management memory upon a restart of the processor-based system;
transferring the integrity information to a manageability engine chipset of the processor-based system;
securely storing the integrity information in a location accessible by the manageability engine, wherein the integrity information corresponds to one or more code blocks;
validating a contents of the system management memory with the manageability engine during a runtime of the processor-based system using the securely stored integrity information;
periodically re-validating the contents of the system management memory with the manageability engine during the runtime of the processor-based system using the securely stored integrity information; and
scanning the system management memory and validating the integrity of the scanned memory using the securely stored integrity information.

14. The method of claim 13, further comprising:
sending a remote alert from manageability engine if the validation fails.

* * * * *