Abstract
Android has become the operating system with the largest share of the smart-terminal market, and with it an important target of network attacks. Root privilege on Android gives the user absolute control over the device, but it also lowers the security of the device and opens privileged access channels to an attacker. Temporary root has become a favored attack technique: the attacker issues commands to obtain root, carries out the attack, and then removes the traces of rooting. Such a subtle attack poses a great challenge to detection research. This paper presents a new monitoring method, KRPM, which departs from the traditional defensive approach and instead actively monitors and raises alarms: it obtains information on all current processes directly from the kernel, builds state graphs of the processes' access permissions, and recognizes root privilege escalation and process hiding. In various experiments KRPM detects well and generalizes broadly, effectively monitoring root privilege escalation attacks and exposing hidden rootkits.
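The abstract describes two detection ideas: tracking each process's credential state across kernel-side snapshots to catch an in-place escalation to uid 0, and comparing the kernel's view of the process table with what user-space enumeration shows to catch hidden processes. The following toy monitor is an added illustration of those two checks; it is not the paper's KRPM code, and the process snapshots, pids, uids and names in it are constructed for the example rather than captured from a device.

```python
"""Toy cross-view monitor illustrating the detection idea in the abstract.

Added example, not the paper's KRPM implementation.  Two views of the process
table are compared: the "kernel view" (what the task list reports) and the
"user view" (what /proc enumeration shows).  Credential states are tracked per
pid across snapshots to form a small state graph, and two conditions are flagged:
  * a process whose effective uid moves from non-zero to 0 without a change of
    executable name (no exec), i.e. an in-place privilege escalation;
  * a pid present in the kernel view but absent from the user view, i.e. a
    hidden process.
All snapshot data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ROOT_UID = 0


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    uid: int      # real uid
    euid: int     # effective uid
    comm: str     # executable name


Snapshot = Dict[int, Proc]   # pid -> Proc
StateGraph = Dict[int, List[Tuple[int, int, str]]]  # pid -> ordered states


def snapshot(procs: List[Proc]) -> Snapshot:
    return {p.pid: p for p in procs}


# Constructed kernel-view snapshots at two points in time.
KERNEL_T0 = snapshot([
    Proc(1,    0,    0,     0,     "init"),
    Proc(500,  1,    0,     0,     "zygote"),
    Proc(1200, 500,  10045, 10045, "com.example.app"),
    Proc(1300, 1200, 10045, 10045, "sh"),
])
KERNEL_T1 = snapshot([
    Proc(1,    0,    0,     0,     "init"),
    Proc(500,  1,    0,     0,     "zygote"),
    Proc(1200, 500,  10045, 10045, "com.example.app"),
    Proc(1300, 1200, 10045, 0,     "sh"),      # same binary, now euid 0
    Proc(1301, 1300, 0,     0,     "daemon"),  # child of the escalated shell
])
# Constructed user view at T1: pid 1301 is missing, as a hiding rootkit would cause.
USER_T1 = snapshot([p for pid, p in KERNEL_T1.items() if pid != 1301])


def update_state_graph(graph: StateGraph, snap: Snapshot) -> StateGraph:
    """Append each pid's current (uid, euid, comm) state when it changed."""
    for pid, p in snap.items():
        state = (p.uid, p.euid, p.comm)
        states = graph.setdefault(pid, [])
        if not states or states[-1] != state:
            states.append(state)
    return graph


def find_escalations(graph: StateGraph) -> List[Tuple[int, int, int]]:
    """Return (pid, old_euid, new_euid) for in-place escalations to root.

    A transition that also changes comm (an exec) is not flagged here; a real
    monitor would additionally check whether the new binary is a setuid helper.
    """
    hits = []
    for pid, states in graph.items():
        for (_u0, e0, c0), (_u1, e1, c1) in zip(states, states[1:]):
            if e0 != ROOT_UID and e1 == ROOT_UID and c0 == c1:
                hits.append((pid, e0, e1))
    return hits


def find_hidden(kernel: Snapshot, user: Snapshot) -> List[int]:
    """Pids the kernel knows about that /proc enumeration does not show."""
    return sorted(set(kernel) - set(user))


def run_monitor() -> dict:
    graph: StateGraph = {}
    update_state_graph(graph, KERNEL_T0)
    update_state_graph(graph, KERNEL_T1)
    return {
        "escalations": find_escalations(graph),
        "hidden": find_hidden(KERNEL_T1, USER_T1),
    }


if __name__ == "__main__":
    for kind, hits in run_monitor().items():
        print(kind, hits)
```

The state graph keeps one node per distinct credential state a pid has been seen in, so a legitimate root daemon that drops privileges produces an edge toward a non-zero euid and is not flagged, while a shell that gains euid 0 without changing its executable is. The hidden-process check is the classic cross-view comparison: anything the kernel task list reports but the user-space listing omits is suspicious regardless of how the omission was achieved.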
© 2018 Springer Nature Switzerland AG
Cite this paper
Hu, X., Xi, Q., Wang, Z. (2018). Monitoring of Root Privilege Escalation in Android Kernel. In: Sun, X., Pan, Z., Bertino, E. (eds) Cloud Computing and Security. ICCCS 2018. Lecture Notes in Computer Science(), vol 11067. Springer, Cham. https://doi.org/10.1007/978-3-030-00018-9_43
DOI: https://doi.org/10.1007/978-3-030-00018-9_43
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00017-2
Online ISBN: 978-3-030-00018-9