http://dx.doi.org/10.3745/KTCCS.2017.6.5.247

A Method of Detecting Real-Time Elevation of Privilege Security Module Using User Credentials  

Sim, Chul Jun (Konkuk University, Department of Computer and Information Communications Engineering)
Kim, Won Il (MarkAny, DRM Business Division)
Kim, Hyun Jung (Konkuk University, Sanghuh College of Liberal Arts)
Lee, Chang Hoon (Konkuk University, Department of Computer and Information Communications Engineering)
Publication Information
KIPS Transactions on Computer and Communication Systems, Vol. 6, No. 5, 2017, pp. 247-254
Abstract
In a Linux system, a user with malicious intent can acquire administrator privileges through attacks that execute a shell, and can then leak important user information and install backdoor programs. The existing response to this problem is to analyze the cause of the elevation of privilege, fix the problem, and then patch the system. Recently, a method has been studied that detects, in real time, illegally elevated tasks in which an information inconsistency appears in the user credentials. However, since this credential method uses only the uid and gid, illegally elevated tasks that already hold root credentials may not be detected. In this paper, we propose a security module that stores in a table the shell commands and paths executed with regular privileges and compares them against every file access (open, close, read, write) that is executed, in order to handle the case in which illegally elevated tasks with the same credentials cannot be detected.
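The two comparisons the abstract describes, as an added Python model that is not the paper's kernel module: a table filled at exec time and consulted on every file access, with the uid/gid comparison first and the command/path comparison covering the root-credential case it misses. The shell list, the rule that every exec is recorded, and the event sequence are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROOT_UID = 0
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}  # shell images to watch for (assumed list)
FILE_OPS = {"open", "close", "read", "write"}   # the accesses the abstract compares on

@dataclass(frozen=True)
class Task:
    pid: int
    uid: int   # credentials the kernel sees at the time of the event
    gid: int
    comm: str  # path of the executable image the task is running

# pid -> (command path, uid, gid) captured at first exec; assumption: every exec is recorded.
task_table: Dict[int, Tuple[str, int, int]] = {}

def on_exec(task: Task) -> None:
    """Record the command path and credentials a task started with (first exec wins)."""
    task_table.setdefault(task.pid, (task.comm, task.uid, task.gid))

def check_file_access(task: Task, op: str) -> Optional[str]:
    """Return an alert if this file access comes from an illegally elevated task."""
    if op not in FILE_OPS:
        return None
    entry = task_table.get(task.pid)
    if entry is None:
        return f"pid {task.pid}: {op} by a task with no exec record"
    comm0, uid0, gid0 = entry
    # Check 1 (credential method): a task that started unprivileged now holds root.
    if uid0 != ROOT_UID and task.uid == ROOT_UID:
        return f"pid {task.pid}: credentials changed {uid0}:{gid0} -> {task.uid}:{task.gid} on {op}"
    # Check 2 (command/path table): check 1 is blind when the task was root all along,
    # so compare the running image with the recorded command and flag a new shell.
    if task.comm != comm0 and task.comm in SHELLS:
        return f"pid {task.pid}: {comm0} ({uid0}:{gid0}) is now running {task.comm} on {op}"
    return None

def run_scenario() -> List[str]:
    """Constructed events: a user shell and a root daemon, each later compromised."""
    task_table.clear()
    on_exec(Task(1001, 1000, 1000, "/bin/bash"))  # user's login shell
    on_exec(Task(2002, 0, 0, "/usr/sbin/httpd"))  # daemon started as root
    events = [
        (Task(1001, 1000, 1000, "/bin/bash"), "read"),  # normal access
        (Task(2002, 0, 0, "/usr/sbin/httpd"), "open"),  # normal access
        (Task(1001, 0, 0, "/bin/bash"), "open"),        # user shell now root: check 1 fires
        (Task(2002, 0, 0, "/bin/sh"), "write"),         # root daemon became a shell: check 2 fires
    ]
    return [a for a in (check_file_access(t, op) for t, op in events) if a]
```

The second alert is the case the abstract targets: the credentials never change, so only the recorded command path reveals the shell.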
Keywords
System Security; Elevation of Privilege Attack; Credentials
Citations & Related Records
Times Cited By KSCI: 1