US008832454B2

(12) United States Patent
Khosravi et al.

(10) Patent No.: US 8,832,454 B2
(45) Date of Patent: *Sep. 9, 2014

(54) APPARATUS AND METHOD FOR RUNTIME INTEGRITY VERIFICATION

(75) Inventors: Hormuzd M. Khosravi, Portland, OR (US); Vincent J. Zimmer, Federal Way, WA (US); Divya Naidu Kolar Sunder, Hillsboro, OR (US)

(73) Assignee: Intel Corporation, Santa Clara, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 818 days.
patent is subject to a terminal dis-

(21) Appl. No.: 12/317,852

(22) Filed: Dec. 30, 2008

(65) Prior Publication Data: US 2010/0169967 A1, Jul. 1, 2010

(51) Int. Cl.: G06F 11/30 (2006.01); G06F 21/64 (2013.01); G06F 21/52 (2013.01)

(52) U.S. Cl.: CPC G06F 21/64 (2013.01); G06F 2221/2101 (2013.01); G06F 21/52 (2013.01); USPC 713/187

(58) Field of Classification Search: USPC 713/156, 161, 172, 173, 187, 188, 189; 726/22225. See application file for complete search history.

Primary Examiner: Teshome Hailu

(74) Attorney, Agent, or Firm: Jordan IP Law, LLC

(57) ABSTRACT

In some embodiments, a processor-based system may include at least one processor, at least one memory coupled to the at least one processor, a code block, and code which is executable by the processor-based system to cause the processor-based system to generate integrity information for the code block upon a restart of the processor-based system, securely store the integrity information, and validate the integrity of the code block during a runtime of the processor-based system using the securely stored integrity information. Other embodiments are disclosed and claimed.

14 Claims, 7 Drawing Sheets
[Front-page drawing. Block labels: SMRAM T-SEG; DRAM; Runtime verification HPA; X Mbit Serial NOR Flash with BIOS and ME/Other regions; EFI System Partition.]
U.S. Patent, Sep. 9, 2014, Sheet 1 of 7, US 8,832,454 B2

[Fig. 1: block diagram. Labels: PROCESSOR, MEMORY, CODE BLOCK, NETWORK COMPONENT.]

[Fig. 2: block diagram. Labels: CPU, SYSTEM MANAGEMENT MEMORY, CHIPSET, ME, MEMORY, PROCESSOR, NETWORK COMPONENT.]
Sheet 2 of 7

Fig. 3 (flow diagram):
(30) Generating integrity information for a code block upon restart of the processor-based system.
(31) Securely storing the integrity information.
(32) Validating the integrity of the code block during runtime using the securely stored integrity information.
(33) The code block corresponds to one of a firmware element, a basic input output system (BIOS) element, and a system management mode (SMM) element.
Periodically re-validating the integrity of the code block during runtime using the securely stored integrity information.
(35) Securely storing a list of integrity information corresponding to a plurality of code blocks.
(36) Scanning the at least one memory coupled to the at least one processor for the plurality of code blocks and validating the integrity of the scanned code blocks during runtime using the securely stored list of integrity information.
(37) Sending a remote alert if the validation fails.
Sheet 3 of 7

Fig. 4 (flow diagram):
(40) Generating integrity information for a contents of a system management memory upon a restart of the processor-based system.
(41) Transferring the integrity information to a manageability engine chipset of the processor-based system.
(42) Securely storing the integrity information in a location accessible by the manageability engine.
(43) Validating a contents of the system management memory with the manageability engine during a runtime of the processor-based system using the securely stored integrity information.
(44) Periodically re-validating the contents of the system management memory with the manageability engine during the runtime of the processor-based system using the securely stored integrity information.
(45) Scanning the system management memory and validating the integrity of the scanned memory using the securely stored integrity information.
(46) Sending a remote alert from manageability engine if the validation fails.
Sheet 4 of 7

Fig. 5 (flow diagram):
(50) ME receives SMM whitelist from BIOS over HECI during system boot.
(51) ME uses PECOFF files to generate manifests and store them securely in flash.
When runtime integrity check timer expires:
(53) ME scans host memory / SMRAM for SMM handlers and UEFI runtime tables.
(54) ME validates integrity of SMM/BIOS code using stored manifests.
ME validates the pointers in SMM handler dispatch table point to valid code regions.
If integrity check fails: Yes, ME sends alert to remote IT/AV server/service. No, ME sets timer and waits for next timer interrupt.
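The Fig. 5 flow (manifests recorded at boot, then a timer-driven scan that checks code integrity and dispatch-table pointers), as an added C example that is not code from the patent. FNV-1a stands in for a cryptographic hash, and all names (manifest_t, make_manifest, runtime_scan, demo) and the 64-byte memory image are constructed for illustration; a non-zero result is where the flow would send the remote alert.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One whitelist entry: where an authorized code block lives and its digest. */
typedef struct { size_t base, size; uint64_t digest; } manifest_t;
enum { SCAN_OK, SCAN_CODE_MODIFIED, SCAN_BAD_POINTER };

/* FNV-1a stands in for a cryptographic hash (assumption, keeps this short). */
static uint64_t digest_of(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    while (n--) { h ^= *p++; h *= 0x100000001b3ULL; }
    return h;
}

/* Restart-time step: record the manifest for one code block. */
manifest_t make_manifest(const uint8_t *mem, size_t base, size_t size) {
    manifest_t m = { base, size, digest_of(mem + base, size) };
    return m;
}

/* Timer-driven step: re-hash each block, then bound-check every pointer. */
int runtime_scan(const uint8_t *mem, const manifest_t *wl, size_t nwl,
                 const size_t *dispatch, size_t ndispatch) {
    for (size_t i = 0; i < nwl; i++)
        if (digest_of(mem + wl[i].base, wl[i].size) != wl[i].digest)
            return SCAN_CODE_MODIFIED;
    for (size_t d = 0; d < ndispatch; d++) {
        int ok = 0;   /* entry must land inside some whitelisted block */
        for (size_t i = 0; i < nwl && !ok; i++)
            ok = dispatch[d] >= wl[i].base &&
                 dispatch[d] - wl[i].base < wl[i].size;
        if (!ok) return SCAN_BAD_POINTER;
    }
    return SCAN_OK;
}

/* Constructed 64-byte memory image with two handlers at offsets 0 and 32. */
int demo(int scenario) {
    uint8_t smram[64];
    for (size_t i = 0; i < sizeof smram; i++) smram[i] = (uint8_t)(i * 7 + 1);
    manifest_t wl[2] = { make_manifest(smram, 0, 16),
                         make_manifest(smram, 32, 16) };
    size_t dispatch[2] = { 0, 32 };
    if (scenario == 1) smram[35] ^= 0xFF;  /* code changed after manifest */
    if (scenario == 2) dispatch[1] = 48;   /* entry points past the whitelist */
    return runtime_scan(smram, wl, 2, dispatch, 2);
}

int main(void) {
    for (int s = 0; s < 3; s++) printf("scenario %d -> %d\n", s, demo(s));
    return 0;
}
```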
Sheet 6 of 7

[Fig. 7: block diagram. Labels: CPU; SMRAM T-SEG; Runtime verification HPA; ME; BIOS SPI; ME/Other; EFI System Partition.]
Sheet 7 of 7

[Figure: layout of an EFI image in memory, top to bottom: DOS-stub; File-Header; optional header; data directories (RVAs to directories in sections); section headers (RVAs to section borders). Annotations: "EFI Image in memory"; "EFI Image is a PE/COFF executable"; "ME keeps a white-list of these for runtime".]
        FilePath,
        Args->SrcBuffer,
        Args->SrcSize,
        Address,
        &Index,
        Args->ImageHandle,
        NULL,
        EFI_LOAD_PE_IMAGE_ATTRIBUTE_NONE
        );
    // Abort if the image could not be loaded
    if (EFI_ERROR (Status) || Status == EFI_BUFFER_TOO_SMALL) {
      return EFI_INVALID_PARAMETER;
    }
    // Register the Image w/ the ME
    CheckAndFixHeciForAccess ( );
    if (EFI_ERROR (Status) || Status == EFI_BUFFER_TOO_SMALL) {
      return EFI_INVALID_PARAMETER;
    }
    // Describe the loaded image (base and size) to the ME over HECI
    HeciIntegrityPacket->ImageBase = Args->SrcBuffer;
    HeciIntegrityPacket->ImageSize = Args->SrcSize;
    Status = HeciPacketSend(HeciIntegrityPacket);
    if (EFI_ERROR (Status) || Status == EFI_BUFFER_TOO_SMALL) {
      return EFI_INVALID_PARAMETER;
    }

In contrast with the above flow, an SMM rootkit may attempt to add code into System Management RAM (SMRAM) sometime after the above load sequence. The rootkit could install itself via a BIOS bug, such as not setting the D_LCK bit in the chipset which makes SMRAM inaccessible (which BIOS normally sets prior to running option ROMs or booting the OS) http://www.cs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf or via a hardware attack, such as a cache-attack wherein T-SEG is aliased to main

... monitored at runtime by the Manageability Engine (ME) in the chipset 76.

... tion by the ME. For example, the T-SEG may be populated by a series of PECOFF executable images for the UEFI PI SMM infrastructure. Any attempt to hijack or modify these executables, or executable content beyond the authorized list in SMRAM, may constitute an attack.

Advantageously, in addition to white-listing SMM at runtime, some embodiments of the invention may monitor other entities at runtime. For example, some embodiments of the invention may monitor UEFI_SYSTEM_TABLE_RUNTIME_SERVICES data objects and the associated function pointers and routines. For example, these entities may be passed from platform firmware into the OS kernel runtime in order to facilitate OS kernel runtime firmware interactions/calls, such as GetTime( ), Get/Set( ) of UEFI variables, CapsuleUpdate( ). For example, some of these entities may be co-located with the OS kernel at runtime and OS kernel protections may be utilized for these objects as well. Advantageously, providing runtime integrity verification by the ME to protect these code and data objects may allow for a more robust UEFI implementation.

Although many of the embodiments described herein utilize terminology associated with a particular execution environment, those skilled in the art will appreciate that the invention is not limited to these specific embodiments and that equivalent routines and/or structures may be implemented in other processor-based environments where security features are desired. Likewise, the various code modules, registers, and tables referred to herein may be described by other terminology in other platforms while providing equivalent structures and/or performing equivalent functions.

Those skilled in the art will appreciate that, given the benefit of the present description, a numerous variety of other circuits and combinations of hardware and/or software may be configured to implement various methods, circuits, and systems in accordance with the embodiments described herein and other embodiments of the invention. The examples of FIGS. 1 through 8 are non-limiting examples of suitable embodiments.

The foregoing and other aspects of the invention are achieved individually and in combination. The invention should not be construed as requiring two or more of such aspects unless expressly required by a particular claim. Moreover, while the invention has been described in connection with what is presently considered to be the preferred examples, it is to be understood that the invention is not limited to the disclosed examples, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and the scope of the invention.

What is claimed is:

1. A processor-based system, comprising:
at least one processor;
at least one memory coupled to the at least one processor;
a code block; and
code which is executable by the processor-based system to cause the processor-based system to:
generate integrity information for the code block upon a restart of the processor-based system;
securely store the integrity information, wherein the integrity information corresponds to one or more code blocks;
validate an integrity of the code block during a runtime of the processor-based system using the securely stored integrity information;
securely store a list of integrity information corresponding to a plurality of code blocks; and
scan the at least one memory coupled to the at least one processor for the plurality of code blocks and validate the integrity of the scanned code blocks during runtime using the securely stored list of integrity information.

2. The system of claim 1, wherein the code block corresponds to one of a firmware element, a basic input output system (BIOS) element, and a system management mode (SMM) element.

3. The system of claim 1, further comprising code to cause the processor-based system to:
periodically re-validate the integrity of the code block during runtime using the securely stored integrity information.

4. The system of claim 1, further comprising:
a network component and code to cause the processor-based system to send a remote alert if the validation fails.

5. A processor-based system, comprising:
at least one processor;
a system management memory coupled to the at least one processor;
a chipset including a manageability engine coupled to the at least one processor and the system management memory; and
code which is executable by the processor-based system to cause the manageability engine of the chipset to validate a contents of the system management memory during a runtime of the processor-based system, and further comprising code to cause the processor-based system to:
generate integrity information for the contents of the system management memory upon a restart of the processor-based system;
transfer the integrity information to the manageability engine of the chipset;
securely store the integrity information in a location accessible by the manageability engine, wherein the integrity information corresponds to one or more code blocks;
periodically re-validate the contents of the system management memory during the runtime of the processor-based system using the securely stored integrity information; and
scan the system management memory and validate the integrity of the scanned memory using the securely stored integrity information.

6. The system of claim 5, further comprising:
a network component and code to cause the manageability engine to send a remote alert if the validation fails.

7. The system of claim 5, wherein the location accessible by the manageability engine comprises a memory subsystem of the manageability engine.

8. The system of claim 5, wherein the manageability engine includes a separate processor and wherein at least a portion of the code is executable by the separate processor of the manageability engine.

9. A method of performing runtime integrity verification for a processor-based system, comprising:
generating integrity information for a code block upon restart of the processor-based system;
securely storing the integrity information, wherein the integrity information corresponds to one or more code blocks;
validating an integrity of the code block during runtime using the securely stored integrity information;
securely storing a list of integrity information corresponding to a plurality of code blocks; and
scanning the at least one memory coupled to the at least one processor for the plurality of code blocks and validating the integrity of the scanned code blocks during runtime using the securely stored list of integrity information.

10. The method of claim 9, wherein the code block corresponds to one of a firmware element, a basic input output system (BIOS) element, and a system management mode (SMM) element.

11. The method of claim 9, further comprising:
periodically re-validating the integrity of the code block during runtime using the securely stored integrity information.

12. The method of claim 9, further comprising:
sending a remote alert if the validation fails.

13. A method of performing runtime integrity verification for a processor-based system, comprising:
generating integrity information for the contents of a system management memory upon a restart of the processor-based system;
transferring the integrity information to a manageability engine chipset of the processor-based system;
securely storing the integrity information in a location accessible by the manageability engine, wherein the integrity information corresponds to one or more code blocks;
validating a contents of the system management memory with the manageability engine during a runtime of the processor-based system using the securely stored integrity information;
periodically re-validating the contents of the system management memory with the manageability engine during the runtime of the processor-based system using the securely stored integrity information; and
scanning the system management memory and validating the integrity of the scanned memory using the securely stored integrity information.

14. The method of claim 13, further comprising:
sending a remote alert from manageability engine if the validation fails.