
Study And Implementation Of Protective Methods Against Privilege Escalation Attacks For Linux Kernel

Posted on: 2019-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Jia
Full Text: PDF
GTID: 2428330545472275
Subject: Computer technology
Abstract/Summary:
Linux is one of the most important operating systems, yet vulnerabilities in the Linux kernel are disclosed frequently and malicious attacks are built on them. Among these, permission and access-control vulnerabilities are the most numerous, and kernel privilege escalation attacks in particular have extremely harmful consequences for the system. Existing intrusion detection for system attacks usually works by tracing after the fact, and the related system protection methods suffer from problems such as large overhead and the need to recompile the kernel. Research on protective methods against privilege escalation attacks for the Linux kernel is therefore of great practical significance and application value.

Since privilege escalation attacks on the Linux kernel are in many cases carried out through illegal access, by modifying sensitive data in high-privilege files, or by modifying the attributes of such files, this paper proposes a lightweight protective method against privilege escalation attacks based on monitoring file operations. Taking the Dirty COW vulnerability and the incorrect permission checks in overlayfs as examples, it studies the process of a privilege escalation attack on the Linux kernel and analyzes the mechanism of two types of kernel privilege escalation attack: modification of root-owned file content and modification of file attributes. On this basis, and with reference to the Linux kernel source code, we analyze the key kernel functions involved in these attacks and construct the corresponding protective methods based on monitoring file operations and kernel functions. The real-time monitoring module for file-operation kernel functions is generated automatically: a monitoring-function template for the kernel functions and the loadable kernel module are analyzed and designed, and a shell program writes the module. The entire protection process integrates the alarm and response mechanism of Zabbix to guarantee timely warnings.

The paper comprehensively analyzes the Linux kernel virtual file system objects and their related data structures, and studies the key steps and functions involved in file content modification and file attribute modification. It also extracts the corresponding kernel function parameters, return values and process information, and uses this information to identify and handle abnormal modification operations. Based on this work, we design and implement a Kprobes-based prototype system to protect against Linux kernel privilege escalation attacks. Test results show that the prototype system can monitor privilege escalation attacks, including Dirty COW and the incorrect permission checks in overlayfs, in a timely manner and notify administrators through WeChat. At the same time, the prototype does not require recompiling the kernel, and its performance overhead is minimal. The kernel protection method proposed in this paper is therefore feasible and effective.
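As an added example (not code from the thesis or its prototype), the identification step described above modelled in Python: each constructed record stands for what a Kprobes handler on a file-operation function would capture (function name, caller credentials, target file ownership and mode, return value), and an event is flagged when an unprivileged process succeeded in an operation that the file's discretionary permissions should have refused. The hook names, record fields and sample events are assumptions chosen for this illustration.

```python
from dataclasses import dataclass
from typing import Optional
import stat

CONTENT_FUNCS = {"vfs_write", "vfs_writev"}  # content-modifying hooks (grouping chosen here)
ATTR_FUNCS = {"notify_change"}  # setattr path behind chmod/chown

@dataclass(frozen=True)
class ProbeEvent:  # one record a Kprobes handler would emit (constructed field set)
    func: str    # hooked kernel function
    pid: int     # calling process
    euid: int    # effective uid/gid of the caller
    egid: int
    path: str    # target file, resolved from the struct file / dentry
    f_uid: int   # owner and group of the target file
    f_gid: int
    f_mode: int  # permission bits of the target file
    ret: int     # return value of the hooked function, negative errno on failure

def dac_allows_write(ev: ProbeEvent) -> bool:
    """Discretionary access check an ordinary write has to pass."""
    if ev.euid == 0:
        return True
    if ev.euid == ev.f_uid:
        return bool(ev.f_mode & stat.S_IWUSR)
    if ev.egid == ev.f_gid:
        return bool(ev.f_mode & stat.S_IWGRP)
    return bool(ev.f_mode & stat.S_IWOTH)

def dac_allows_setattr(ev: ProbeEvent) -> bool:
    return ev.euid == 0 or ev.euid == ev.f_uid  # chmod/chown need ownership or root

def classify(ev: ProbeEvent) -> Optional[str]:
    """Alert label for a successful operation DAC should have refused, else None."""
    if ev.ret < 0:
        return None  # the kernel rejected the operation; nothing to report
    if ev.func in CONTENT_FUNCS and not dac_allows_write(ev):
        return "content modified without write permission"
    if ev.func in ATTR_FUNCS and not dac_allows_setattr(ev):
        return "attributes modified by non-owner"
    return None

# Constructed events: root editing passwd; an unprivileged write to root-owned 0644 /etc/passwd that
# succeeded (the Dirty COW symptom); a write the kernel refused; a non-owner chmod of /usr/bin/su that succeeded.
SAMPLE = [
    ProbeEvent("vfs_write", 812, 0, 0, "/etc/passwd", 0, 0, 0o644, 1234),
    ProbeEvent("vfs_write", 4411, 1000, 1000, "/etc/passwd", 0, 0, 0o644, 32),
    ProbeEvent("vfs_write", 4412, 1000, 1000, "/etc/shadow", 0, 42, 0o640, -13),
    ProbeEvent("notify_change", 4420, 1000, 1000, "/usr/bin/su", 0, 0, 0o4755, 0),
]
```

Only the second and fourth sample events produce a label; a real monitor would attach the pid and path to the alert it forwards to the alarm channel.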
Keywords/Search Tags: privilege escalation attacks for kernel, kernel protection, kernel monitoring, file operation, Linux