Title: Additional Kernel Observer to Prevent Privilege Escalation Attacks by Focusing on System Call Privilege Changes

Abstract: In recent years, there has been an increase in attacks that exploit operating system vulnerabilities. In particular, if an administrator's privilege is acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and the system can suffer serious damage. In this paper, an additional kernel observer (AKO) method is proposed. It prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, whereby the invoked system call does not originally change the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. In this paper, we describe the design and implementation of AKO for 64-bit Linux x86. Moreover, AKO can be expanded to prevent the falsification of various data in the kernel space. We present an expansion example that prevents the invalidation of Security-Enhanced Linux. Evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead.
Year: 2018
DOI: 10.1109/DESEC.2018.8625137
Venue: 2018 IEEE Conference on Dependable and Secure Computing (DSC)
Keywords: privilege escalation attack-prevention, OS, system security
Field: Kernel (linear algebra), Countermeasure, x86, Computer security, Privilege escalation, Computer science, Exploit, System call, Observer (quantum physics), Vulnerability
DocType: Conference
ISBN: 978-1-5386-5791-1
Citations: 0
PageRank: 0.34
References: 8
Authors: 5
Name                Order   Citations   PageRank
Toshihiro Yamauchi  1       17          9.39
Yohei Akao          2       1           0.71
Ryota Yoshitani     3       0           0.34
Yuichi Nakamura     4       6           1.50
Masaki Hashimoto    5       0           0.34