Saturday April 11, 2026 9:30am - 11:30am GMT+07

Authors - Balasubramanian M, Arasu Prabhu V S, Nalini Subramanian
Abstract - Privilege Escalation is a major issue for securing Linux systems. When a user gains unauthorized root access he has the ability to access all system resources and manipulate them at will. In the past, Linux has used Static Access Control Policies and User Space Monitoring Tools to secure system access. However, these methods provide little insight into how the kernel is modifying users' credentials when permissions are changed. In this paper we propose a Kernel-Level solution to detect and prevent unauthorized privilege escalations. This detection/prevention occurs in real time via a Credential Transition Monitoring Mechanism within the kernel layer, which prevents the elevation of privileges by illegal means. To create the functionality necessary for the above, a Linux Kernel Module (LKM) was created which utilizes kprobes to intercept calls to the commit_creds() function, which is used to update a process's credentials in the kernel. To evaluate if the privilege escalation being requested is legitimate or malicious, the LKM contains a Policy Based Evaluation Mechanism which evaluates each request to modify a process's credentials. We tested our proposed solution using a controlled test environment composed of a Virtual Machine (VM) running the Ubuntu Operating System. We ran two types of tests: the first were Legitimate Administrative Operations utilizing the "sudo" utility, and the second were Simulated Privilege Escalation Attacks based upon SetUID Vulnerabilities. Our results show that the system effectively detected and blocked malicious privilege escalations, while providing minimal overhead to normal system operation.
Virtual Room G Bangkok, Thailand
