The complexity and sophistication of modern malware are evolving rapidly. Malwares today are able to exploit both hardware and software to infiltrate systems and tamper with data used for management. The revelation of several attacks on host machines, highlights that anything with shared resources can be attacked.
In cloud environment, data management is done by a centralised server that maintains the state of each platform. However, this is not an easy task when a machine is compromised. When the data acquisition software runs in the same domain as the malware, there is no guarantee that this data will not be tampered with. In particular, malware behaves different to when an observer-effect is detected. There is a visibility problem of how to securely acquire reliable data and infer the state of the system without leaving an observer effect? There is a need to rethink how to decentralise trust in complex platforms such as the cloud and use trusted method to prevent tampering with the data acquired for management. We solve the trust and visibility problem by acquiring physical memory out-of-band using a device from a new category of commercial-hardware (SmartNICs). Using this separate trust domain, we protect from tampering with the data being acquired.
To that end we have developed an abstraction software that facilitates acquisition of segments from the physical memory. More importantly without the knowledge of host software (e.g. malware) of when segments of the physical memory are being acquired. An added benefit of our approach is the fact that SmartNICs are on the edge of the network, which makes this technology capable of doing more than just detection but also prevention. For instance, blocking the network when signs of compromise are detected.
Key takeaways:
