Date of Award

3-2021

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Scott R. Graham, PhD

Abstract

New forms of malware, namely fileless malware and rootkits, pose a threat to traditional anti-malware. In particular, rootkits have the capacity to obscure the present state of memory from the user space of a target machine. If this happens, anti-malware running in the user space of an affected machine cannot be trusted to operate properly. To combat this threat, this research proposes the remote monitoring of memory from a second, secure processor running OpenBMC, serving as a baseboard management controller for a POWER9 processor, which is assumed vulnerable to exploitation. The baseboard management controller includes an application called pdbg, used for debugging POWER9 processors. This application allows for both reading and writing to registers and system memory of the POWER9 processor from the baseboard management controller directly via the field replaceable unit support interface bus. This research developed a program to run on the baseboard management controller which utilizes pdbg to traverse the process tree active in the memory of the POWER9 processor. By traversing this data structure, it can view the entire process tree remotely, verifying whether information in memory is being hidden from user space on the POWER9.

AFIT Designator

AFIT-ENG-MS-21-M-094

DTIC Accession Number

AD1144416
