
Research On Kernel Global Hook Protection Methods

Posted on: 2014-11-15
Degree: Master
Type: Thesis
Country: China
Candidate: J K Zhou
Full Text: PDF
GTID: 2308330482951983
Subject: Computer software and theory

Abstract/Summary:
There are various kinds of exploitable vulnerabilities in the Linux operating system. Vulnerabilities can be classified by their effect, such as denial of service, information leakage or root privilege exploitation, of which root privilege exploitation is the most harmful. They can also be classified by their source, either a user-level program or kernel code. In the real world, attackers typically hold only a few non-root privileges, which they can use to trigger kernel vulnerabilities, gain root privilege, install rootkits, and obtain kernel privilege. This thesis proposes a lightweight protection method against kernel-level privilege escalation attacks.

The main contributions of this thesis are as follows:

1. Common defense mechanisms in the Linux kernel are investigated, including run-level isolation, UID sandboxing, capabilities, mandatory access control, the SELinux system, the namespace mechanism and address space layout randomization.
2. Common privilege escalation attacks against the Linux kernel are investigated. Attackers exploit kernel vulnerabilities to gain privilege and change a process's owner from a non-root user to root. A regular pattern is summarized from exploit-db: attackers use a kernel vulnerability to maliciously modify kernel hooks and force the kernel to execute sensitive functions in order to gain privilege. Other defense mechanisms proposed by researchers are also introduced.
3. A lightweight method against such attacks is proposed. By instrumenting the code around kernel hooks, the address of a hook is saved before it is called. At the entry point of a sensitive function, the saved addresses are checked to validate the operation. Low performance overhead is achieved because the dereferencing of the hook is separated from the validation, which is the expensive part.
4. A prototype system consisting of four modules is implemented:
   a) Instrumentation module, which adds save and delete function-call instructions before and after the hook call.
   b) Validating module, which checks the saved hooks at the entry point of a sensitive function and blocks the operation if the check fails.
   c) Kernel kwatch module, which consists of the core functions, including shadow-stack management and the implementation of the interfaces used by the instrumentation and validating modules.
   d) Policy extraction module, which reuses the current instrumentation points and adds an extraction mode to the kwatch module. It automatically records the position of each hook and its destination. The system can switch between protect mode and record mode without halting or exporting a configuration file, and a configuration file obtained from protect mode can be used when the system boots up next time.
5. Lmbench is used to test the performance of the system. Protection effectiveness is tested with a typical privilege escalation attack from exploit-db. The results show that the protection goal is achieved, preventing the attacker from modifying hooks and gaining privilege, at a low cost (about 5%).
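The following is an added user-space C model of the mechanism in contributions 3 and 4, not the thesis's kwatch code: a hook's address is pushed on a shadow stack at the instrumented call site, and only the sensitive function's entry checks that stack against a policy learned in record mode. All names (kwatch_save, kwatch_validate, sensitive_grant_root, ops) and the two-hook scenario are constructed for illustration.

```c
#include <stdint.h>

typedef int (*hook_fn)(void);
/* kwatch core: shadow stack of hook addresses saved before each hook call */
#define SHADOW_DEPTH 16
static uintptr_t shadow[SHADOW_DEPTH];
static int shadow_top;
/* policy extraction: legitimate hook destinations learned in record mode */
#define MAX_POLICY 8
static uintptr_t policy[MAX_POLICY];
static int policy_count, record_mode;
static int policy_contains(uintptr_t dest) {
    for (int i = 0; i < policy_count; i++) if (policy[i] == dest) return 1;
    return 0;
}
/* instrumentation: save the hook address before the call, delete it afterwards */
static void kwatch_save(hook_fn h) { if (shadow_top < SHADOW_DEPTH) shadow[shadow_top++] = (uintptr_t)h; }
static void kwatch_delete(void) { if (shadow_top > 0) shadow_top--; }
/* validation: runs only at the entry of a sensitive function, not at every hook call */
static int kwatch_validate(void) {
    for (int i = 0; i < shadow_top; i++) {
        if (record_mode && !policy_contains(shadow[i]) && policy_count < MAX_POLICY)
            policy[policy_count++] = shadow[i];              /* learn this destination */
        else if (!record_mode && !policy_contains(shadow[i]))
            return 0;                                        /* unknown hook address: block */
    }
    return 1;
}
/* sensitive function standing in for something like commit_creds(); 1 = granted, 0 = blocked */
static int sensitive_grant_root(void) { return kwatch_validate(); }
static int legit_hook(void)    { return sensitive_grant_root(); }
static int hijacked_hook(void) { return sensitive_grant_root(); }  /* constructed replacement hook */
static struct { hook_fn op; } ops = { legit_hook };
/* instrumented call site: the dereference itself stays cheap */
static int call_hook(void) {
    hook_fn h = ops.op;
    kwatch_save(h);
    int r = h();
    kwatch_delete();
    return r;
}
/* returns 1 when the legitimate hook is granted root and the hijacked one is blocked */
int run_scenario(void) {
    record_mode = 1; call_hook(); record_mode = 0;   /* learn the legitimate destination once */
    int legit = call_hook();
    ops.op = hijacked_hook;                          /* simulated hook overwrite */
    int attack = call_hook();
    ops.op = legit_hook;
    return legit == 1 && attack == 0;
}
```

A call to the sensitive function that reaches it with no hook on the shadow stack is not checked, which mirrors why the policy has to cover every instrumented hook site.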
Keywords/Search Tags: Linux kernel, hook functions, privilege escalation attack, real time