A Coprocessor-Based Introspection Framework Via Intel Management Engine
IEEE Transactions on Dependable and Secure Computing (IF 7.3), Pub Date: 2021-04-06, DOI: 10.1109/tdsc.2021.3071092
Lei Zhou 1 , Fengwei Zhang 2 , Jidong Xiao 3 , Kevin Leach 4 , Westley Weimer 5 , Xuhua Ding 6 , Guojun Wang 7

During the past decade, virtualization-based (e.g., virtual machine introspection) and hardware-assisted approaches (e.g., x86 SMM and ARM TrustZone) have been used to defend against low-level malware such as rootkits. However, these approaches either require a large Trusted Computing Base (TCB) or they must share CPU time with the operating system, disrupting normal execution. In this article, we propose an introspection framework called Nighthawk that transparently checks system integrity and monitors the runtime state of the target system. Nighthawk leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use Nighthawk to introspect the system software and firmware of a host system at runtime. The experimental results show that Nighthawk can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks. Additionally, Nighthawk can monitor the runtime state of the host system against suspicious applications running on the target machine.

Updated: 2021-04-06