Linux内核提权攻击研究

计算机工程与科学

Linux内核提权攻击研究

左玉丹，丁滟，魏立峰

（国防科学技术大学计算机学院，湖南长沙 410073）

收稿日期:2015-09-07 修回日期:2015-11-27 出版日期:2016-11-25 发布日期:2016-11-25
基金资助:
国家自然科学基金（61502510）；信息保障技术重点实验室开放基金（KJ15101）；装备预研重点基金（9140A15070213KG01043）

Kernel privilege escalation attacks on Linux

ZUO Yudan,DING Yan,WEI Lifeng

（College of Computer,National University of Defense Technology,Changsha 410073,China）

Received:2015-09-07 Revised:2015-11-27 Online:2016-11-25 Published:2016-11-25

摘要/Abstract

摘要：

提权攻击是针对Linux系统的一种重要攻击手段。根据提权攻击所利用的漏洞类型，一般可将其分为应用层提权攻击和内核提权攻击。现有的防御技术已经能够防御基本的应用层提权攻击，但是并不能完全防御内核提权攻击，内核提权攻击仍是Linux系统面临的一个重要威胁。内核提权攻击一般通过利用内核提权漏洞进行攻击。针对内核提权攻击，分析研究了基本的内核提权漏洞利用原理以及权限提升方法，并对典型的内核提权攻击防御技术进行了分析。最后通过实验对SELinux针对内核提权攻击的防御效果进行了分析验证，并针对发现的问题指出了下一步具有可行性的研究方向。

关键词: 提权攻击, 内核漏洞, 漏洞利用, 系统安全

Abstract:

Privilege escalation attack is an important attack against the Linux. According to the types of exploited vulnerabilities, privilege escalation attacks can be classified into two categories: applicationlevel privilege escalation attack and kernel privilege escalation attack. Basic applicationlevel privilege escalation attacks can be prevented by the existing defense techniques, however, they cannot prevent kernel privilege escalation attacks fully. Kernel privilege escalation attacks are still one of the serious threats. We analyze the basic principles for exploiting kernel vulnerabilities and privilege escalation methods for kernel privilege escalation attacks, as well as some typical defense techniques. We analyze and verify the defense effects of the SELinux against kernel privilege escalation attacks, and point out future feasible research directions.

Key words: privilege escalation, kernel vulnerability, vulnerability exploitation, system security

左玉丹，丁滟，魏立峰. Linux内核提权攻击研究[J]. 计算机工程与科学.

ZUO Yudan,DING Yan,WEI Lifeng. Kernel privilege escalation attacks on Linux[J]. Computer Engineering & Science.

参考文献

［1］Chen G, Jin H, Zou D, et al. Safestack:Automatically patching stackbased buffer overflow vulnerabilities［J］.IEEE Transactions on Dependable and Secure Computing,2013,10(6):368379.

［2］Varma P D,Radha V.Prevention of buffer overflow attacks using advanced stackguard［C］∥Proc of the 2010 International Conference on Advances in Communication,Network,and Computing, 2010:357359.

［3］Wilander J, Kamkar M. A comparison of publicly available tools for dynamic buffer overflow prevention［C］∥Proc of NDSS,2003:149162.

［4］Gisbert H M,Ripoll I.On the effectiveness of NX,SSP,RenewSSP,and ASLR against stack buffer overflows［C］∥Proc of 2014 IEEE 13th International Symposium on Network Computing and Applications (NCA),2014:145152.

［5］Limbandit K,TengAmnuay Y.Misuse for security hardening assessment in application software deployment［J］.International Journal of Future Computer and Communication,2012,1(2):147150.

［6］Hund R,Willems C,Holz T.Practical timing side channel attacks against kernel space ASLR［C］∥Proc of 2013 IEEE Symposium on Security and Privacy (SP),2013:191205.

［7］Vermeulen S. SELinux Cookbook［M］.Birmingham, UK:Packt Publishing Ltd,2014.

［8］Li Xiaoqi,,Liu Qixu,Zhang Yuqing.Automatically exploiting system of kernel privilege escalation vulnerabilities based on imitating attack［J］.Journal of University of Chinese Academy of Sciences,2015,32(3):384390.(in Chinese)

［9］Ni Tao, Ye Xing. Privilege escalation technology of kernel vulnerabilities in write what where mode［J］.Journel of Information Engineering University,2014,15(2):232236.(in Chinese)

［10］George V, Piazza T, Jiang H. Technology Insight:Intel next generation microarchitecture codename Ivy Bridge［C］∥Intel Developer Forum, 2011:1.

［11］Perla E,Oldani M.A guide to kernel exploitation:Attacking the core［M］.New York:Elsevier,2010.

［12］Kurmus A,Dech S,Tu B.Quantifiable runtime kernel attack surface reduction［C］∥Proc of the 11th International Conference on Detection of Instrusions and Malware, and Vulnerability Assessment,2014:212234.

［13］Xin Zhi, Chen Huiyu, Han Hao, et al. Kernel rootket defense based on automatic data structure randomization［J］.Chinese Journal of Computers,2014,(5):11001110.(in Chinese)

［14］Vulnerability summary for CVE20132094 ［DB/OL］.［20130514］.https:∥web.nvd.nist.gov/view/vuln/detail?vulnId=CVE20132094.

附中文参考文献：

［8］李晓琦,刘奇旭,张玉清.基于模拟攻击的内核提权漏洞自动利用系统［J］.中国科学院大学学报,2015,32(3):384390.

［9］倪涛,叶星.写任意内存模式内核漏洞提权利用技术研究［J］.信息工程大学学报,2014,15(2):232236.

［13］辛知,陈惠宇,韩浩,等.基于结构体随机化的内核Rootkit防御技术［J］.计算机学报,2014,(5):11001110.

[1]	刘雪1,胡军1,2, 黄志球1,马金晶1,程桢1，石娇洁1. 模型驱动的嵌入式系统设计安全性验证方法研究[J]. J4, 2015, 37(08): 1498-1509.
[2]	陈萍，于晗，赵敏. 面向卓越工程师培养的“信息系统安全”课程建设[J]. J4, 2014, 36(A2): 49-51.
[3]	赵卫东. 信息系统生命周期中的安全工程活动研究[J]. J4, 2004, 26(12): 108-109.
[4]	李新明[1] 李艺[1] 姜湘岗[2]. 软件脆弱性描述方法研究[J]. J4, 2004, 26(11): 33-36.
[5]	刘芳戴葵王志英吴丹. 信息系统安全性评估研究综述[J]. J4, 2004, 26(10): 19-22.