SystemWall: An Isolated Firewall Using Hardware-Based Memory Introspection

Abstract

Memory introspection can be a powerful tool for analyzing contents of a system’s memory for any malicious code. Current approaches based on memory introspection have focused on Virtual Machines and using a privileged software entity, such as a hypervisor, to perform the introspection. Such software-based introspection, however, is susceptible to variety of attacks that may compromise the hypervisor and the introspection code. Furthermore, a hypervisor setup is not always wanted. In this work, we present a hardware-based approach to memory introspection. Dedicated hardware is introduced to read and analyze memory of the target system, independent of any hypervisor or OSes running on the system. We apply the new hardware approach to memory introspection to built-up an architecture that uses DMA and fine-grained memory introspection techniques in order to match network connections to the application-layer while being isolated and undetected from the operating system or the hypervisor. We call the proposed architecture SystemWall since it can be a standalone physical device which can be added as an expansion card to the mother board or a dedicated external box. The architecture is transparent and cannot be manipulated or deactivated by potential malware on the target system. We use the SystemWall in the evaluation to analyze the target system for malicious code and prevent unknown (malicious) applications from establishing network connections which can be used to spread viruses, spam or malware and to leak sensitive information.