A hardware-assisted integrity monitor may include one or more target machines and/or monitor machines. A target machine may include one or more processors, which may include one or more system management modes (SMM). A SMM may include one or more register checking modules, which may be configured to determine one or more current CPU register states. A SMM may include one or more acquiring modules, which may be configured to determine one or more current memory states. A SMM may include one or more network modules, which may be configured to direct one or more communications, for example of one or more current CPU register states and/or current memory states, to a monitor machine. A monitor machine may include one or more network modules and/or analysis modules. An analysis module may be configured to determine memory state differences and/or determine CPU register states differences.
Legal claims defining the scope of protection, as filed with the USPTO.
1. An apparatus, comprising: a hardware processor of a target machine, the hardware processor configured to implement a Basic Input/Output System (BIOS) level management operating mode, the hardware processor including (1) an acquiring module configured to execute within the BIOS level management operating mode and (2) a network module configured to execute within the BIOS level management operating mode, the acquiring module configured to acquire an indication of a memory state of a memory of the target machine in response to the hardware processor entering the BIOS level management operating mode, the network module configured to send the indication of the memory state to an analysis module in response to (1) the hardware processor entering the BIOS level management operating mode and (2) the acquiring module acquiring the indication of the memory state, the hardware processor configured to remain in the BIOS level management operating mode until the network module has completed sending the indication of the current memory state to the analysis module.
2. The apparatus of claim 1 , wherein the network module is configured to send the indication of the memory state such that the analysis module initiates a response based on the indication of the memory state, the response including at least one of causing the target machine to shut down, disabling a network module of the target machine, or blocking network traffic of the target machine.
3. The apparatus of claim 1 , wherein the network module is configured to send the indication of the memory state such that the analysis module monitors the target machine based on the indication of the memory state.
4. The apparatus of claim 1 , wherein the BIOS level management operating mode is a system management mode (SMM).
5. The apparatus of claim 1 , wherein the hardware processor includes a register checking module configured to execute within the BIOS level management operating mode, the register checking module configured to acquire an indication of a register state of a register of the target machine in response to the hardware processor entering the BIOS level management operating mode, the network module configured to send the indication of the register state to the analysis module in response to (1) the hardware processor executing within the BIOS level management operating mode and (2) the register checking module acquiring the indication of the register state.
6. The apparatus of claim 1 , wherein the network module is configured to send the indication of the memory state to the analysis module at a monitor machine different from the target machine.
7. The apparatus of claim 1 , wherein the hardware processor includes the analysis module.
8. An apparatus, comprising: an analysis module implemented in at least one of a memory or a processor of a monitor machine, the analysis module configured to receive an indication of a first memory state of a memory associated with a target machine in response to (1) an acquiring module of the target machine acquiring the indication of the first memory state while the target machine is in a Basic Input/Output System (BIOS) level management operating mode and (2) a network module of the target machine completing sending the indication of the first memory state to the analysis module while the target machine remains in the BIOS level management operating mode, the analysis module configured to identify a memory state difference between the first memory state and a second memory state of the target machine acquired prior to the first memory state, in response to the memory state difference, the analysis module configured to at least one of cause the target machine to shut down, disable the network module of the target machine, or block network traffic of the target machine.
9. The apparatus of claim 8 , wherein the BIOS level management operating mode is a system management mode (SMM).
10. The apparatus of claim 8 , wherein the analysis module is configured to receive an indication of a register state of a register associated with the target machine in response to (1) a register checking module of the target machine acquiring the indication of the register state while in the BIOS level management operating mode and (2) the network module sending the indication of the register state to the analysis module while in the BIOS level management operating mode.
11. The apparatus of claim 8 , wherein the analysis module is configured to identify the memory state difference to identify an attack on the target machine.
12. An apparatus, comprising: a hardware processor of a target machine, the hardware processor configured to implement a Basic Input/Output System (BIOS) level management operating mode, the hardware processor including (1) a register checking module configured to execute within the BIOS level management operating mode and (2) a network module configured to execute within the BIOS level management operating mode, the register checking module configured to acquire an indication of a register state of a register of the target machine in response to the hardware processor executing within the BIOS level management operating mode, the network module configured to send the indication of the register state to an analysis module in response to (1) the hardware processor executing within the BIOS level management operating mode and (2) the register checking module acquiring the indication of the register state, the hardware processor configured to remain in the BIOS level management operating mode until the network module has completed sending the indication of the register state to the analysis module.
13. The apparatus of claim 12 , wherein the BIOS level management operating mode is a system management mode (SMM).
14. The apparatus of claim 12 , wherein the hardware processor includes an acquiring module configured to execute within the BIOS level management operating mode, the acquiring module configured to acquire an indication of a memory state of a memory of the target machine in response to the hardware processor executing within the BIOS level management operating mode, the network module configured to send the indication of the memory state to the analysis module in response to (1) the hardware processor executing within the BIOS level management operating mode and (2) the acquiring module acquiring the indication of the memory state.
15. The apparatus of claim 12 , wherein the network module is configured to send the indication of the register state such that the analysis module initiates a response based on the indication of the register state, the response including at least one of causing the target machine to shut down, disabling a network module of the target machine, or blocking network traffic of the target machine.
16. The apparatus of claim 12 , wherein the network module is configured to send the indication of the register state such that the analysis module monitors the target machine based on the indication of the register state.
17. The apparatus of claim 12 , wherein the network module is configured to send the indication of the register state to the analysis module at a monitor machine different from the target machine.
18. The apparatus of claim 12 , wherein the hardware processor includes the analysis module.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
August 22, 2014
February 23, 2016
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.