Root Privilege Research Articles

PtmxGuard: An Improved Method for Android Kernel to Prevent Privilege Escalation Attack

Vulnerabilities in Android kernel give opportunity for attacker to damage the system. Privilege escalation is one of the most dangerous attacks, as it helps attacker to gain root privilege by exploiting kernel vulnerabilities. Mitigation technologies, static detection methods and dynamic defense methods have been suggested to prevent privilege escalation attack, but they still have some disadvantages. In this paper, we propose an improved method named PtmxGuard to enhance Android kernel and defeat privilege escalation attack. We focus on a typical attack pattern that attacker hijacks the control flow of Android kernel to modify process credentials by corrupting critical global function pointers. PtmxGuard enforces Code Pointer Integrity to Android kernel, checks the accuracy and reliability of those pointers when they’re triggered by related system calls, and intercepts the system calls when attack activities are detected. Experiment result demonstrates that PtmxGuard can defense privilege escalation attack effectively.

An Android Malware Detection Framework-based on Permissions and Intents

With an exponential growth in smartphone applications targeting useful services such as banks, healthcare, m-commerce, security has become a primary concern. The applications downloaded from unofficial sources pose a security threat as they lack mechanisms for validation of the applications. The malware infected applications may lead to several threats such as leaking user’s private information, enforcing malicious deductions for sending premium SMS, getting root privilege of the android system and so on. Existing anti-viruses depend on signature databases that need to be updated from time to time and are unable to detect zero-day malware. The Android Operating system allows inter-application communication through the use of component reuse by using intents. Unfortunately, message passing is also an application attack surface. A hybrid method for android malware detection by analysing the permissions and intent-filters of the manifest files of the applications is presented. A malware detection framework is developed based on machine learning algorithms and on the basis of the decision tree obtained from ID3 and J48 classifiers available in WEKA. Both algorithms gave same results with an error percentage of 6 per cent. The system improves detection of zero day malware.

Towards fast repackaging and dynamic authority management on Android

In order to enhance the security of Android applications, we propose a repackaging and dynamic authority management scheme based on Android application reinforcement methods. Instead of using root privileges and system modification, we introduce a user-level sandbox, which utilizes the native C-level interception mechanism, to further reinforce the risk applications and improve the entire security of Android system. Additionally, by importing and improving the repackaging features, this proposed scheme reduces the potential risks of applications and achieves the goal of the dynamic monitoring of permissions. Finally, a comprehensive evaluation, including efficiency analysis and detection evaluation with 1 000 malwares, whose overall average success rate is about 96%, shows the feasibility and universality of the proposed scheme.

A Secure Storage System for Sensitive Data Protection Based on Mobile Virtualization

Recently, the development of smart phones has been reported the number of security vulnerabilities. Although these smart phones have a concept of Sandbox for the security, sensitive personal information has been still exposed by internal data exchange or root privilege acquisition. In this paper, we propose a system framework for secure storage of sensitive data in smartphone. The system is divided into general domain (GD) and secure domain (SD) in mobile device utilizing domain separation technique of virtualization, and SD provides a secure execution environment to protect sensitive data and secure services. In addition, our system introduces the secure functions such as authentication/access control, and encryption/key management and secures filesystem to be run in SD and addresses a detailed secure filesystem as a key function for secure storage. Lastly, the experiments are conducted to measure the performance overhead imposed by security features in SD and by overall system with interdomain communication from GD to SD. These experiment results show suitability of our system and suggest applicability of various secure functions which can be applied in our secure storage system.

SW 분할 실행을 이용한 데스크탑 가상화 환경에서 데이터 보안 기술

This paper proposes the data security technology for the desktop virtualization environment using the separated software execution method. In the virtual environment where allocates separate VMs to the users, there is a benefit that the programs in one guest machine are isolated from the programs running in another guest machine, whereas in the separated execution environment that supports application virtualization, the isolation is not offered and it causes the data security problem because the applications are executed by the one root privilege in the server. To solve this problem, we provides the data security method using the server storage filter, the viewer filter, and the file mapping table in this paper.

RootGuard: Protecting Rooted Android Phones

Though popular for achieving full operation functionality, rooting Android phones opens these devices to significant security threats. RootGuard offers protection from malware with root privileges while providing user flexibility and control. The Web extra at http://youtu.be/-KMMfxOoCjg is a video demonstration of how RootGuard manages root privileges of Android apps in a flexible and robust manner. First, we use the popular root-required app Root Explorer to show the configuration and effectiveness of RootGuard policies. Then, we use DKFBootkit, a real-world malicious app that leverages root access to do evil, to show how malware attacks performed with root privileges are mitigated by RootGuard.

Secure-Turtles: Building a Secure Execution Environment for Guest VMs on Turtles System

We propose Secure-Turtle, a secure nested virtual system based on Turtles system, which provides a secure execution environment for the L2 guest VM. In particular, Secure-Turtles system builds a trust chain from L0 host hypervisor, L1 guest hypervisor, qemu-kvm daemon to L2 guest VM. Through this security chain, Secure-Turtles can protect L2 guest VM against attacks form the L1 user mode, even when the attacker has the root privilege of the L1 guest hypervisor.Our goal is to make Secure-Turtles possible to rule out known class of vulnerabilities from the L1 user. We proposed four general requirements for Secure-Turtles to satisfy to achieve our goal and list sixteen basic properties for the Secure-Turtles system to achieve. With these properties, the proposed four requirements can be guaranteed. We rely on the memory virtualization to build Secure-Turtles and implement a prototype based on Turtles. We evaluate its prototype using two metrics: security and performance. The security evaluation result shows that Secure-Turtles can protect L2 guest VM from attacks from the L1 user mode. The performance result shows that Secure-Turtles introduces little performance overhead to the L2 guest VM compared with the Turtles system.

ARITO: Cyber-attack response system using accurate risk impact tolerance

We propose a novel approach for automated intrusion response systems to assess the value of the loss that could be suffered by a compromised resource. A risk assessment component of the approach measures the risk impact and is tightly integrated with our response system component. When the total risk impact exceeds a certain threshold, the response selection mechanism applies one or more responses. A multi-level response selection mechanism is proposed to gauge the intrusion damage (attack progress) relative to the response impact. This model proposes a feedback mechanism, which measures the response goodness and helps indicate the new risk level following application of the response(s). Not only does our proposed model constitutes a novel online mechanism for response activation and deactivation based on the online risk impact, it also addresses the factors inherent in assessing risk and calculating response effectiveness that are more complex in terms of detail. We have designed a sophisticated multi-step attack to penetrate Web servers, as well as to acquire root privilege. Our simulation results illustrate the efficiency of the proposed model and confirm the feasibility of the approach in real time. At the end of paper, we discuss the various ways in which an attacker might succeed in completely bypassing our response system.

Runtime-Based Behavior Dynamic Analysis System for Android Malware Detection

The most serious threats for Android users is come from application, However, the market lack a mechanism to validate whether these applications are malware or not. So, malware maybe leak users private information, malicious deductions for send premium SMS, get root privilege of the Android system and so on. In the traditional method of malware detection, signature is the only basis. It is far enough. In this paper, we propose a runtime-based behavior dynamic analysis for Android malware detection. The new scheme can be implemented as a system. We analyze 350 applications come from third-party Android market, the result show that our system can effectively detect unknown malware and the malicious behavior of malware.

Unified security enhancement framework for the Android operating system

In these days there are many malicious applications that collect sensitive information owned by third-party applications by escalating their privileges to the higher level on the Android operating system. An attack of obtaining the root-level privilege in the Android operating system can be a serious threat to users because it can break down the whole system security. This paper proposes a new Android security framework that can meet the following three goals: (1) preventing privilege escalation attacks, (2) maintaining system integrity, and (3) protecting users' personal information. To achieve these goals, our proposed framework introduces three mechanisms: Root Privilege Protection (RPP), Resource Misuse Protection (RMP), and Private Data Protection (PDP). RPP keeps track of a list of trusted programs with root-level privileges and can detect and respond to malware that illegally tries to acquire root-level privileges by exploiting system-level vulnerabilities. RMP keeps track of a list of critical system resources and can protect system resources from illegal manipulation by malicious applications. PDP keeps personal information safe by enforcing strict access controls so that even privileged applications cannot access users' private data if the applications violate the least privilege rule. The framework is verified using experiments on the Android operating system, which shows that our framework achieved the goals with processing overheads of 25.33 % on average.

Android forensics: Automated data collection and reporting from a mobile device

In this research, a prototype enterprise monitoring system for Android smartphones was developed to continuously collect many data sets of interest to incident responders, security auditors, proactive security monitors, and forensic investigators. Many of the data sets covered were not found in other available enterprise monitoring tools. The prototype system neither requires root privileges nor the exploiting of the Android architecture for proper operation, thereby increasing interoperability among Android devices and avoiding a spyware classification for the system. An anti-forensics analysis on the system was performed to identify and further strengthen areas vulnerable to tampering. The contributions of this research include the release of the first open-source Android enterprise monitoring solution of its kind, a comprehensive guide of data sets available for collection without elevated privileges, and the introduction of a novel design strategy implementing various Android application components useful for monitoring on the Android platform.

Buffer Overflow Attack

Exploits, vulnerabilities, and buffer-overflow techniques have been used by malicious hackers and virus writers for a long time. In order to attack and get the remote root privilege, using buffer overflow and suidprogram has become the commonly used method for hackers. This paper include vast idea and information regarding the buffer overflow as history of Vulnerabilities, buffers, stack, registers, Buffer Overflow Vulnerabilities and Attacks, current buffer over flow, Shell code, Buffer Overflow Issues, the Source of the Problem, prevention/detection of Buffer Overflow attacks and Finally how to react towards Buffer Overflows. The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the descriptive account and the technically intensive account

Self Alteration Detectable Image Log File for Web Forensics

ABSTRACT Nowadays log file plays vital role in web forensic as digital evidence. Hence security of log file is a major topic of apprehension. In this paper a model of image logging server having alteration detectable capability, is proposed. According to this approach we first convert a text log file into image log file with the help of bit encoding technique and tamper detection capability is achieved by self embedding fragile watermark scheme. If any alteration is done on image log file then due to nature of fragile watermark, one can easily locate that tampered region. Proposed model is also able to ensure all security requirements like Authenticity, Integrity and confidentiality. General Terms Digital Forensics Keywords Web forensic, Cyber forensic, fragile watermark, self embedding, Log file, Image logging server. 1. INTRODUCTION We Today people absolutely rely on digital media. Since technology is advancing with burgeoning rate hence a new opportunity is opened for Business Company and legal agencies to deploy those technologies. It is very beneficial for worldwide users, but on the other hand, due to some loop holes of those technologies, malicious use for committing crime has also been increased. That‟s why it is very essential to prevent the criminals and their succession of committing crime to smooth the progress of the secure utilization of new technological services. Thus, for the analysis of law enforcement and database table storage, the transaction log, indexes, and other cyber crime, Cyber Forensic [1][2][3][4] came into picture. The primary ambition of cyber forensic examination is to recognize digital evidence for an investigation. Cyber forensic evidence must fulfill some security requirements [3] like Accuracy, Integrity, Authenticity and confidentiality. Digital evidence must be unquestionable, accurate, absolute and acceptable by juries as well as Permissible with common law and legislative rules. Cyber forensic can be widely categorized into four classes [1] viz. computer forensic, network forensic, web forensic and mobile forensic as shown in figure 1. The concept of web forensic deals with the process of monitoring access logs, detection of any alteration in log files as well as recovery of those alterations. The significance of web forensic is to investigate web attacks and prevent those in future, using analysis of log files. In order to carry out a systematic analysis of the hacking Attempt[5], it is advised that the Investigator must investigate all four type of logs namely web server logs, Any 3rd. party installed software logs, Operating system logs and client side logs[6][7]. Now we can assume the importance of log files in web forensic. There are many web attacks which are used to alter the integrity of log files like user to root (U2R) attack, in which The intruder exploits some vulnerability associated with the operating system and web server environment of the server machine under attack to perform the conversion from user to root level [8]. After getting the root privileges, the intruder has full control and access on the server machine to get backdoor entries for future misuse and change system logs[9]. Jianhui

Software transformations to improve malware detection

Malware is code designed for a malicious purpose, such as obtaining root privilege on a host. A malware detector identifies malware and thus prevents it from adversely affecting a host. In order to evade detection, malware writers use various obfuscation techniques to transform their malware. There is strong evidence that commercial malware detectors are susceptible to these evasion tactics. In this paper, we describe the design and implementation of a malware transformer that reverses the obfuscations performed by a malware writer. Our experimental evaluation demonstrates that this malware transformer can drastically improve the detection rates of commercial malware detectors.

관리자 인증 강화를 위한 추가적인 패스워드를 가지는 보안 커널모듈 설계 및 구현

공격자는 시스템에 침입하기 위해 시스템 취약점을 수집한 후, 여러 공격 방법을 통해 루트권한을 획득하여 시스템 정보를 유출 및 변조하며 더 나아가선느 시스템을 파괴한다. 이러한 공격에 대응하기 위해 침입 탐지 및 차단을 위한 보안 시스템들이 많이 개발디어 왔지만, 최근 공격자들은 보안 시스템들을 우회하여 시스템에 침입하기 때문에 많은 문제가 되고 있다. 본 논문에서는 루트권한을 획득한 공격자의 불법행위를 막기 위한 보안커널모듈을 제안한다. 보안커널모듈은 추가적인 패스워드를 통해 시스템의 관리자 인증을 강화하여, 공격자가 중요 파일을 변조하고 루트킷을 설치하는 행위를 막는다. 또한 공격자의 불법 행위에 대한 경고메일을 관리자에게 실시간으로 보내서, 관리자가 메일에 포함된 정보를 통해 새로운 보안 정책을 수립하도록 한다. Attackers collect vulnerabilities of a target computer system to intrude into it. And using several attack methods, they acquire root privilege. They steal and alter information in the computer system, or destroy the computer sysem. So far many intrusion detection systems and firewallshave been developed, but recently attackers go round these systems and intrude into a computer system . In this paper, we propose security kernel module to prevent attackers having acquired root privilege from doing illegal behaviors. It enhances administrator authentication with additional password, so prevents attackers from doing illegal behaviors such as modification of important files and installation of rootkits. It sends warning mail about sttacker's illegal behaviors to administrators by real time. So using information in the mail, they can estabilish new security policies.

리눅스 운영체제 기반의 보안 커널 구현

네트워크 수준에서 정보보호를 위한 침입차단 시스템과 침입탐지 시스템은 조직 내의 컴퓨터 서버 보안 대책으로는 그 한계를 갖고 있다. 이에 따라 보안 운영체제(Secure OS)에 관한 필요성이 점차 사회적으로 공감대를 형성하고 있다. 본 논문에서는 보안 운영체제의 요구사항과 최근 보급되고 있는 리눅스 운영체제의 커널 수준에서의 보안 연구동향을 살펴보고, 본 연구팀에서 구현한 다중등급 보안 리눅스 커널을 주요 기능 중심으로 기술하고 시험 평가로서 접근제어, 성능 및 해킹 시험을 실시하여 안전성을 입증하였다. 이 보안 커널 기반의 리눅스 운영체제는 TCSEC Bl급에서 요구하는 기준 기능 외에 해킹 차단, 실시간 감사 추적, root의 권한 제한, 통합보안관리 등의 추가적 기능을 제공한다. Current security efforts provided in such as firewall or IDS (intrusion detection system) of the network level suffer from many vulnerabilities in internal computing servers. Thus the necessity of secure OS is especially crucial in today's computing environment. This paper identifies secure OS requirements, analyzes tile research trends for secure Linux in terms of security kernel, and provides the descriptions of the multi-level security(MLS) Linux kernel which we have implemented. This security kernel-based Linux meets the minimum requirements for TCSEC Bl class as well providing anti-hacking, real-time audit trailing, restricting of root privileges, and enterprise suity management functions.

Determining the operational limits of an anomaly-based intrusion detector

Anomaly-detection techniques have considerable promise for two difficult and critical problems in information security and intrusion detection: detecting novel attacks, and detecting masqueraders. One of the best-known anomaly detectors used in intrusion detection is stide. (Rather than STIDE or Stide or s-tide, we have chosen in keeping with the way the detector was referred to in the paper by Warrender et al., 1999.) Developed at the University of New Mexico, stide aims to detect attacks that exploit processes that run with root privileges. The original work on stide presented empirical results indicating that data sequences of length and above were required for effective intrusion detection. This observation has given rise to the long-standing question, why six? accompanied by related questions regarding the conditions under which may (not) be appropriate. This paper addresses the why six issue by presenting an evaluation framework for mapping out stide's effective operating space and by identifying conditions that contribute to detection capability, particularly detection blindness. A theoretical justification explains the effectiveness of sequence lengths of and above, as well as the consequences of using other values. In addition, results of an investigation are presented, comparing stide's anomaly-detection capabilities with those of a competing detector.

Unix Filesystem Security

As the storage capacity of smartphones increases, more user data such as call logs, SMS records, media data, and instant messages are stored in smartphones. Therefore, it is important in digital investigation to acquire smartphones containing the personal information of users. However, even when a prime suspect's smartphone is acquired, it is difficult to extract user data without obtaining root privilege. In this situation, smartphone backup data may be a valuable alternative to the extraction of user data. Using a smartphone backup, an investigator can extract most of the data stored in a smartphone including user data, with straightforward methods, and transfer them to a storage device such as an SD card, a USB, or a PC. Despite its convenience, backup data are hard to use as evidence, because backup data are encrypted using different methods depending on smartphone manufacturers, in order to protect user privacy.In this paper, we propose methods for decrypting encrypted backup data of Sony smartphones. In our analysis, we reverse-engineered the backup processes of the local backup and the PC backup provided by Sony smartphones, and analyzed the encryption methods applied to each set of backup data. In particular, we developed an algorithm for decrypting encrypted backup data on Sony smartphones, which we experimentally verified. As far as we know, this is the first research that has addressed the decryption of backup data on Sony smartphones.

Responsible computing at the University of Delaware

Just over four years ago, our department director called two of us into her office. It looked like one of our student consultants had broken into a computer at another university, securing root privileges for himself, using his work account and an account in the Computer Science lab. The FBI was interested because our student's crime had crossed state lines, or so the other university told us.