SMMDecoy: Detecting GPU Keyloggers using Security by Deception Techniques

Loutfi, Ijlal

doi:10.5220/0007578505800587

Cited by 2 publications

(2 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Schiffman, et al demonstrated an SMM-based keylogger that intercepted USB events before they were delivered to the OS kernel [26]. SMMDecoy provides an example of an SMM-based USB or PS/2 keyboard injection attack [19].…”

Section: Known Vulnerabilities Testedmentioning

confidence: 99%

See 1 more Smart Citation

Applying the Principle of Least Privilege to System Management Interrupt Handlers with the Intel SMI Transfer Monitor

Delgado

Vibhute

Karavanic

2020

Hardware and Architectural Support for Security and Privacy

View full text Add to dashboard Cite

Recent years have seen a growing concern over System Management Mode (SMM) and its broad access to platform resources. The SMI Transfer Monitor (STM) is Intel's most powerful executing CPU context. The STM is a firmware-based hypervisor that applies the principle of least privilege to powerful System Management Interrupt (SMI) handlers that control runtime firmware. These handlers have traditionally had full access to memory as well as the register state of applications and kernel code even when their functionality did not require it. The STM has been been enabled for UEFI and, most recently, coreboot firmware, adding protection against runtime SMM-based attacks as well as establishing a firmware-based Trusted Execution Environment (TEE) capability. We provide a detailed overview of the STM architecture, evaluate its protections, and quantify its performance. Our results show the STM can protect against published SMM vulnerabilities with tolerable performance overheads.

show abstract

Section: Known Vulnerabilities Testedmentioning

confidence: 99%

“…SMMDecoy provides an example of an SMM-based USB or PS/2 keyboard injection attack that generates fake user authentication credentials [19]. If these credentials are later used, the inference is that the credentials were gathered by a keylogger on the system.…”

Section: Ps/2 Keyloggersmentioning

confidence: 99%