TY - JOUR
T1 - Additional kernel observer
T2 - privilege escalation attack prevention mechanism focusing on system call privilege changes
AU - Yamauchi, Toshihiro
AU - Akao, Yohei
AU - Yoshitani, Ryota
AU - Nakamura, Yuichi
AU - Hashimoto, Masaki
N1 - Funding Information:
This work was partially supported by JSPS KAKENHI Grant Number JP19H04109.
Publisher Copyright:
© 2020, The Author(s).
PY - 2021/8
Y1 - 2021/8
N2 - Cyberattacks, especially attacks that exploit operating system vulnerabilities, have been increasing in recent years. In particular, if administrator privileges are acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and cause serious damage. In this paper, we propose an additional kernel observer (AKO) that prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, where the invoked system call does not originally change the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. AKO can therefore prevent privilege escalation attacks. Introducing the proposed method in advance can prevent this type of attack, in which a process privilege is changed by a system call that does not originally change it, regardless of the vulnerability type. In this paper, we describe the design and implementation of AKO for Linux x86 64-bit. Moreover, we show that AKO can be expanded to prevent the falsification of various data in the kernel space. Then, we present an expansion example that prevents the invalidation of Security-Enhanced Linux. Finally, our evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead.
AB - Cyberattacks, especially attacks that exploit operating system vulnerabilities, have been increasing in recent years. In particular, if administrator privileges are acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and cause serious damage. In this paper, we propose an additional kernel observer (AKO) that prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, where the invoked system call does not originally change the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. AKO can therefore prevent privilege escalation attacks. Introducing the proposed method in advance can prevent this type of attack, in which a process privilege is changed by a system call that does not originally change it, regardless of the vulnerability type. In this paper, we describe the design and implementation of AKO for Linux x86 64-bit. Moreover, we show that AKO can be expanded to prevent the falsification of various data in the kernel space. Then, we present an expansion example that prevents the invalidation of Security-Enhanced Linux. Finally, our evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead.
KW - Linux kernel vulnerabilities
KW - Non-control-data attack
KW - Operating system
KW - Privilege escalation attack prevention
KW - System security
UR - http://www.scopus.com/inward/record.url?scp=85087071747&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85087071747&partnerID=8YFLogxK
U2 - 10.1007/s10207-020-00514-7
DO - 10.1007/s10207-020-00514-7
M3 - Article
AN - SCOPUS:85087071747
VL - 20
SP - 461
EP - 473
JO - International Journal of Information Security
JF - International Journal of Information Security
SN - 1615-5262
IS - 4
ER -