TY - GEN
T1 - Additional Kernel Observer to Prevent Privilege Escalation Attacks by Focusing on System Call Privilege Changes
AU - Yamauchi, Toshihiro
AU - Akao, Yohei
AU - Yoshitani, Ryota
AU - Nakamura, Yuichi
AU - Hashimoto, Masaki
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2019/1/23
Y1 - 2019/1/23
N2 - In recent years, there has been an increase in attacks that exploit operating system vulnerabilities. In particular, if an administrator's privilege is acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and the system can suffer serious damage. In this paper, an additional kernel observer (AKO) method is proposed. It prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, where the invoked system call is not one that changes the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. In this paper, we describe the design and implementation of AKO for Linux x86 64-bit. Moreover, AKO can be expanded to prevent the falsification of various data in the kernel space. We present an expansion example that prevents the invalidation of Security-Enhanced Linux. Evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead.
AB - In recent years, there has been an increase in attacks that exploit operating system vulnerabilities. In particular, if an administrator's privilege is acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and the system can suffer serious damage. In this paper, an additional kernel observer (AKO) method is proposed. It prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, where the invoked system call is not one that changes the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. In this paper, we describe the design and implementation of AKO for Linux x86 64-bit. Moreover, AKO can be expanded to prevent the falsification of various data in the kernel space. We present an expansion example that prevents the invalidation of Security-Enhanced Linux. Evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead.
KW - OS
KW - privilege escalation attack-prevention
KW - system security
UR - http://www.scopus.com/inward/record.url?scp=85062530848&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85062530848&partnerID=8YFLogxK
U2 - 10.1109/DESEC.2018.8625137
DO - 10.1109/DESEC.2018.8625137
M3 - Conference contribution
AN - SCOPUS:85062530848
T3 - DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing
BT - DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2018 IEEE Conference on Dependable and Secure Computing, DSC 2018
Y2 - 10 December 2018 through 13 December 2018
ER -