Additional Kernel Observer to Prevent Privilege Escalation Attacks by Focusing on System Call Privilege Changes

Toshihiro Yamauchi, Yohei Akao, Ryota Yoshitani, Yuichi Nakamura, Masaki Hashimoto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In recent years, attacks that exploit operating system vulnerabilities have increased. In particular, if an attacker acquires administrator privilege through a privilege escalation attack, the attacker can control the entire system, and the system can suffer serious damage. This paper proposes the additional kernel observer (AKO) method, which prevents privilege escalation attacks that exploit operating system vulnerabilities. AKO relies on the fact that a process's privilege can legitimately be changed only by specific system calls. It monitors changes to privilege information during system call processing. If, after system call processing, AKO detects a privilege change made by a system call that by design does not change process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. The paper describes the design and implementation of AKO for Linux on x86-64. Moreover, AKO can be extended to prevent the falsification of other data in kernel space; an extension example that prevents the invalidation (disabling) of Security-Enhanced Linux is presented. Evaluation results show that AKO is effective against privilege escalation attacks while maintaining low overhead.
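The abstract describes the check in one sentence: snapshot the caller's privilege at system call entry, compare at exit, and treat any change as an attack unless the invoked system call is one that is allowed to change credentials. The C program below is an added, user-space model of that check written for this page; it is not the authors' AKO implementation and is not taken from the paper. The reduced `struct cred`, the `struct task` wrapper, the allow-list of system call numbers, the restore-and-kill countermeasure, and the constructed `body_write_exploited` handler (standing in for a kernel bug whose payload does the equivalent of `commit_creds(prepare_kernel_cred(0))` inside an unrelated `write()`) are all assumptions made for illustration. The system call numbers are the real x86-64 Linux ABI values.

```c
/* Added example: user-space model of an AKO-style syscall privilege check.
 * Not the paper's code; struct layout, allow-list and "exploit" are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced stand-in for the kernel's struct cred (constructed; no padding,
 * so byte-wise comparison is safe). The real AKO watches the in-kernel object. */
struct cred {
    uint32_t uid, euid, suid, fsuid;
    uint32_t gid, egid, sgid, fsgid;
    uint64_t cap_effective;
};

struct task {
    struct cred cred;
    bool killed;        /* set when the countermeasure fires */
};

/* x86-64 Linux system call numbers. */
enum {
    SYS_write = 1, SYS_execve = 59, SYS_setuid = 105, SYS_setgid = 106,
    SYS_setreuid = 113, SYS_setregid = 114, SYS_setgroups = 116,
    SYS_setresuid = 117, SYS_setresgid = 119, SYS_setfsuid = 122,
    SYS_setfsgid = 123, SYS_capset = 126, SYS_execveat = 322,
};

/* Allow-list of system calls whose job includes changing the caller's
 * credentials. Illustrative: a deployable list would also need the user
 * namespace entry points (clone/unshare/setns with CLONE_NEWUSER). */
static bool syscall_may_change_cred(long nr)
{
    switch (nr) {
    case SYS_execve: case SYS_execveat:        /* setuid/setgid binaries */
    case SYS_setuid: case SYS_setgid: case SYS_setreuid: case SYS_setregid:
    case SYS_setresuid: case SYS_setresgid: case SYS_setfsuid: case SYS_setfsgid:
    case SYS_setgroups: case SYS_capset:
        return true;
    default:
        return false;
    }
}

enum ako_verdict { AKO_OK = 0, AKO_ESCALATION_BLOCKED = 1 };

/* Exit-side hook: a credential change is legitimate only if this system
 * call is allowed to make one; otherwise roll it back and stop the task. */
static enum ako_verdict ako_syscall_exit(struct task *t, long nr,
                                         const struct cred *saved)
{
    if (memcmp(&t->cred, saved, sizeof *saved) == 0 || syscall_may_change_cred(nr))
        return AKO_OK;
    t->cred = *saved;        /* restore the entry snapshot */
    t->killed = true;        /* do not let the process run with the bogus creds */
    return AKO_ESCALATION_BLOCKED;
}

typedef long (*syscall_body_t)(struct task *t);

/* Dispatcher: snapshot at entry, run the handler, check at exit. */
static enum ako_verdict ako_dispatch(struct task *t, long nr,
                                     syscall_body_t body, long *ret)
{
    struct cred saved = t->cred;      /* entry-side hook */
    *ret = body(t);
    return ako_syscall_exit(t, nr, &saved);
}

/* ---- constructed system call bodies for the demonstration ---- */
static long body_write_benign(struct task *t) { (void)t; return 5; }

/* write() handler hijacked by a (hypothetical) kernel bug: the payload
 * zeroes every id and grants all capabilities, i.e. a root escalation. */
static long body_write_exploited(struct task *t)
{
    memset(&t->cred, 0, sizeof t->cred);
    t->cred.cap_effective = ~0ULL;
    return 5;
}

/* setuid(1000) issued by a root process: a legitimate credential change. */
static long body_setuid_1000(struct task *t)
{
    t->cred.uid = t->cred.euid = t->cred.suid = t->cred.fsuid = 1000;
    return 0;
}

static struct task make_task(uint32_t id, uint64_t caps)
{
    struct task t;
    memset(&t, 0, sizeof t);
    t.cred.uid = t.cred.euid = t.cred.suid = t.cred.fsuid = id;
    t.cred.gid = t.cred.egid = t.cred.sgid = t.cred.fsgid = id;
    t.cred.cap_effective = caps;
    return t;
}

int main(void)
{
    long ret;
    struct task user = make_task(1000, 0), root = make_task(0, ~0ULL);
    printf("benign write: %d\n", ako_dispatch(&user, SYS_write, body_write_benign, &ret));
    printf("exploited write: %d (euid now %u, killed=%d)\n",
           ako_dispatch(&user, SYS_write, body_write_exploited, &ret),
           user.cred.euid, user.killed);
    printf("root setuid(1000): %d (uid now %u)\n",
           ako_dispatch(&root, SYS_setuid, body_setuid_1000, &ret), root.cred.uid);
    return 0;
}
```

Two caveats a practitioner should keep in mind when reading the model against the abstract. First, the allow-list is keyed by system call number only, so an exploit triggered from inside one of the allowed calls (a bug reachable through `execve` or `setresuid`, for instance) would pass the check; that blind spot is inherent to the "which system calls may change privilege" criterion. Second, the comparison runs on the system call exit path, so it only sees changes that return through that path; the abstract's extension to other kernel data (the SELinux example) applies the same snapshot-and-compare to a different watched object, and the paper should be consulted for how the authors chose the comparison points and countermeasures in the real kernel.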

Original language: English
Title of host publication: DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781538657904
DOI: https://doi.org/10.1109/DESEC.2018.8625137
Publication status: Published - Jan 23 2019
Event: 2018 IEEE Conference on Dependable and Secure Computing, DSC 2018 - Kaohsiung, Taiwan, Province of China
Duration: Dec 10 2018 - Dec 13 2018

Publication series

Name: DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing

Conference

Conference: 2018 IEEE Conference on Dependable and Secure Computing, DSC 2018
Country: Taiwan, Province of China
City: Kaohsiung
Period: 12/10/18 - 12/13/18

Keywords

  • OS
  • privilege escalation attack-prevention
  • system security

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this

Yamauchi, T., Akao, Y., Yoshitani, R., Nakamura, Y., & Hashimoto, M. (2019). Additional Kernel Observer to Prevent Privilege Escalation Attacks by Focusing on System Call Privilege Changes. In DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing [8625137] (DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DESEC.2018.8625137

@inproceedings{9f57637d487a4d7b9897214936cf4fa6,
title = "Additional Kernel Observer to Prevent Privilege Escalation Attacks by Focusing on System Call Privilege Changes",
keywords = "OS, privilege escalation attack-prevention, system security",
author = "Toshihiro Yamauchi and Yohei Akao and Ryota Yoshitani and Yuichi Nakamura and Masaki Hashimoto",
year = "2019",
month = "1",
day = "23",
doi = "10.1109/DESEC.2018.8625137",
language = "English",
series = "DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
booktitle = "DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing",

}
