Physical Sciences and Mathematics Commons^™

Scaling Epa-Rimm With Multicore System Management Interrupt Handlers, Alexander K. Freed

Dissertations and Theses

Continuous runtime integrity measurement mechanisms (RIMMs) can be used for timely detection of kernel and hypervisor rootkits. Researchers have proposed running RIMMs in privileged execution environments, such as the x86 architecture’s System Management Mode (SMM), to detect interference from rootkits that have gained control of the host operating system. However, the extended amount of time in SMM required to perform inspections can cause severe disruption to the host. A previously proposed RIMM design called EPA-RIMM addresses this by decomposing long inspections across multiple System Management Interrupts (SMI), the interrupt used to invoke SMM.

EPA-RIMM is intended for deployment on server-class …