Additional Kernel Observer to Prevent Privilege Escalation Attacks by Focusing on System Call Privilege Changes

In recent years, there has been an increase in attacks that exploit operating system vulnerabilities. In particular, if an administrator's privilege is acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and the system can suffer serious damage. In this paper, an additional kernel observer (AKO) method is proposed. It prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, whereby the invoked system call does not originally change the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. In this paper, we describe the design and implementation of AKO for Linux x86, 64 bit. Moreover, AKO can be expanded to prevent the falsification of various data in the kernel space. We present an expansion example that prevents the invalidation of Security-Enhanced Linux. Evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead.