Advancing Life & Work

Quis custodiet ipsos custodes? HPE next-generation intrusion detection system, that’s who

ilo (Custom).jpg

By Curt Hopkins, Managing Editor, Hewlett Packard Labs

One of the most devastating ways to take over a computer is by using a rootkit to hijack the operating system’s kernel. The reason such a hack is so damaging is that it allows the bad actor to keep that hijacking secret, therefore establishing a long-term pervasive access to the data on that device and on that device’s network.

It takes organizations about three months on average to discover they had been breached, and some have taken more than a year to detect. So if breaches are so damaging, so widespread, and so difficult to detect what can be done about it?

That was the question Labs technologist Geoffrey Ndu asked, in concert with Nigel Edwards and his colleagues. The answer was Distributed Intrusion Monitoring Engine (DIME), a next generation intrusion detection system, which they outlined in the white paper “HPE next-generation intrusion detection system.”

“A well-crafted rootkit,” says Ndu, the lead developer of DIME, “is able to hide all attacker activity from users of the server, even system administrators or root users.” In essence, such an attack blinds the administrator by taking over the functions that are supposed to regulate operating system use and monitoring.

It was to provide a proof against this species of intrusion that Hewlett Packard Labs initiated the development of this system. The white paper explores how, because the DIME monitoring engine does not share the same processor with the monitored OS, it can detect when that OS has been compromised by comparing its current state to its last known good state.

The DIME sits outside of, and independent of, the compromised operating system, running instead on HPE Integrated Lights Out (iLO).  HPE iLO serves as the baseboard management controller (BMC), separate from and independent of, the main processor, which is running the operating system and applications. It provides management services for the server, including remote console, power off/on, boot and image management, and system restore, including firmware restore.

With DIME we are no longer relying on the operating system to detect its own compromise," says Ndu. "DIME does not rely on signatures. Instead DIME detects malicious changes to kernel code and data, which rootkits often modify to hide the presence of malware.

DIME extends the HPE iLO 5 capabilities by continually monitoring OS kernels for nefarious changes to the kernel during system operation. The white paper gives much greater detail on how the DIME and ILO work to secure systems in a threat-rich era. But in short, it has three steps.

First, the DIME agent runs early in the secure boot process, measuring the critical components of the kernel and reporting their cryptographic hashes to the DIME Monitoring Engine, running in HPE iLO.

Second, the HPE iLO system then measures and verifies all major firmware components, including those loaded into the main processor, before allowing the main processor to start its boot-sequence. The main processor executes a secure boot.

During the final steps of secure boot, the DIME driver is executed inside the kernel. This measures critical kernel memory, including all executable code, read-only data, modules or drivers, and critical data structures.

The DIME agent reports these measurements, along with their corresponding physical memory addresses to the DIME monitoring engine, which is running in HPE iLO. Thereafter, the DIME monitoring engine continuously monitors these memory addresses.

The system objective is to detect the insertion of new code into the kernel and to detect tampering with existing kernel code and critical data structures. Using HPE’s next generation intrusion detection, users and admins can feel the security that they are not having the wool pulled over their eyes. At least not from the inside.

Curt Hopkins
Hewlett Packard Enterprise

Photo by Rebecca Lewington


0 Kudos
About the Author


Managing Editor, Hewlett Packard Labs