Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Brookes, Scott; Taylor, Stephen

doi:10.14569/ijacsa.2016.070463

Cited by 6 publications

(4 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Overhead PA KE CF DM NS NM NK PV DA SA Main Techniques CFI [3,[39][40][41][42] 1∼15% ✗ ✓/✗ ✓ ✗ ✓/✗ ✗ ✓/✗ ✓ ✓ ✓ Analyze and enforce control flow integrity DFI [4,10,52] 7∼103% ✗ ✓/✗ ✓/✗ ✓ ✓/✗ ✗ ✓/✗ ✓ ✓/✗ ✓ Analyze and enforce data flow integrity : No evaluation on performance, 3 : only interfaces are presented for semantic correction, 4 : These approaches do not detect attacks, 5 : Removes setuid related attacks with the cost of redesign of interfaces and software, 6 : Higher accuracy if source code is available. 7 : Linux capabilities can be used as OS policy configuration without modifying or involving software logic.…”

Section: Approachesmentioning

confidence: 99%

“…However, since privilege sensitive code is shared by the parent and its child process, the same code can be exploited by the parent process. More specifically, if the attacker can manipulate the control flow of the parent process, such privilege sensitive code can be abused to launch privilege escalation attacks [7,46]. Hence, many legacy programs using setuid calls have been an active target by many shell code [16], ROP attacks [34,47], and non-control data attacks [24,27].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PoLPer

Jeon

Rhee

Kim

et al. 2019

Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

setuid system calls enable critical functions such as user authentications and modular privileged components. Such operations must only be executed after careful validation. However, current systems do not perform rigorous checks, allowing exploitation of privileges through memory corruption vulnerabilities in privileged programs. As a solution, understanding which setuid system calls can be invoked in what context of a process allows precise enforcement of least privileges. We propose a novel comprehensive method to systematically extract and enforce least privilege of setuid system calls to prevent misuse. Our approach learns the required process contexts of setuid system calls along multiple dimensions: process hierarchy, call stack, and parameter in a process-aware way. Every setuid system call is then restricted to the per-process context by our kernel-level context enforcer. Previous approaches without process-awareness are too coarse-grained to control setuid system calls, resulting in over-privilege. Our method reduces available privileges even for identical code depending on whether it is run by a parent or a child process. We present our prototype called PoLPer which systematically discovers only required setuid system calls and effectively prevents real-world exploits targeting vulnerabilities of the setuid family of system calls in popular desktop and server software at near zero overhead. CCS CONCEPTS • Security and privacy → Systems security; Software and application security;

show abstract

Section: Approachesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

PoLPer

Jeon

Rhee

Kim

et al. 2019

Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

show abstract

“…The adversaries who run these attacks are usually highly organized and well-resourced. These attacks are usually stealthy, multi-step 1 and of heterogeneous nature for different purposes, from spearphishing 2 for initial access purpose, to vulnerabilities exploit for execution purpose 3 , to Hijack or Token manipulation for persistence and privilege escalation purpose 4 , to covert channel for exfiltration purpose 5 . These multi-stage attacks are usually described as cyber kill chain.…”

Section: Introductionmentioning

confidence: 99%

Game-theoretical cyber deception strategy generation based on honeynet and intrusion prediction

Zhang

Yang

2023

International Conference on Computer Application and Information Security (ICCAIS 2022)

View full text Add to dashboard Cite

Cyber deception is a critical component of proactive cyber defense. It releases false information about devices, applications and networks to attackers to mislead attackers, sabotage attack actions and mitigate impact of intrusion based on cyber deception strategy. There have been many researches about cyber deception strategy. Most of them consider the process of cyber attack and defense as non-cooperative game theory model and design algorithms to find optimal solutions. However, most existing researches abstract attackers and defenders into simple characters, having limitations in applicability. To supplement this part of research, we introduce intrusion prediction and honeynet to game-theoretical cyber deception and propose a novel cyber deception strategy model. We run some simulations to verify the effectiveness of our proposed model. Based on the simulation results, the rules of multi-stage cyber deception and model application are summarized, which can provide a novel and effective guidance of cyber deception.

show abstract

“…ey work in groups, using stealthy and multi-step attack techniques to achieve their goal [1]. ese technologies are of heterogeneous nature for different tactic purposes, from spearphishing attachment [2] or supply chain compromise [3] for initial access to vulnerabilities exploit for execution [4], to Hijack or Token manipulation for persistence and privilege escalation [5], to covert channel for exfiltration [6]. Different intrusion detection systems (IDS) have been invented to detect and mitigate these attacks, such as malware detection [7], spearphishing detection, and covert channel detection.…”

Section: Introductionmentioning

confidence: 99%

Network Penetration Intrusion Prediction Based on Attention Seq2seq Model

Xin

Zhu

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

Intrusion detection is a critical component of network security. However, intrusion detection cannot play a very good role in the face of APT and 0 day. It needs to combine intrusion prevention, deception defense, and other technologies to ensure network security. Intrusion prediction is an important part of intrusion prevention and deception defense. Only by predicting the next possible attack can we prevent the corresponding intrusion or cheat adversary more efficiently. However, the current research on intrusion prediction has not received much attention. Most of the existing intrusion prediction research focuses on the prediction of security situation, specific security events, system calls, etc., having limitation in applicability and sequence dependency. In order to supplement this part of research, this paper reports the prediction of network penetration intrusion sequence for the first time. By introducing the ATT&CK framework, this paper builds a dictionary for the penetration intrusion types and builds three different seq2seq models. The experiment runs on the public and generated sequence data based on real APT events and adversary groups resulting that the model can predict future penetration intrusion sequence with an accuracy of up to 0.90.

show abstract

Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Cited by 6 publications

References 31 publications

PoLPer

PoLPer

Game-theoretical cyber deception strategy generation based on honeynet and intrusion prediction

Network Penetration Intrusion Prediction Based on Attention Seq2seq Model

Contact Info

Product

Resources

About