January 04, 2014

3.2.14 Privilege Escalation

Privilege escalation

In this context of computer security, privilege escalation is the malicious acquisition or exercise of escalated access to resources that are normally reserved for administrative or other authorized users or applications.

When applied in an unauthorized way, privilege escalation is a security violation and is enabled by a flaw in the configuration, services, installed software or operating system. It results in a regular user being given more access than was intended by the developer or the administrator.

In November 2013, Microsoft issued a security advisory on vulnerability that would allow privilege escalation exploits in computers running Windows XP and Windows Server 2003. The security advisory (2914486) reads in part, “The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”

Countermeasures against privilege escalation include implementing good system security practices such as:
  • Review and apply up-to-date system and application patches
  • Remove or protect software that will allow a regular user to create executable applications (e.g.  compilers and software installers)
  • Protect system configuration files from access by regular users.
  • Run applications with the lowest privilege required, e.g. if you browse the Internet as root (or administrator), any browser exploits will be run with root or administrator privileges on the system.
  • Conduct periodic security audits of the system
Related terms: horizontal escalation (gaining the privilege of a peer user, with this a regular user can impersonate another regular user) and vertical escalation (gaining the privilege of a higher level user).

The microkernel model computer hardware architecture offers another concept of privilege escalation. In microkernel based operating systems, major system functions such as device drivers, protocol stacks, file systems, etc. are moved out of the kernel, keeping the kernel code to a bare minimum. This reduces the kernel’s attack surface and as such it’s security vulnerability.

Microkernel operating systems are run on hardware that provides multiple protection modes. Here is a model of a 4 privilege level system. The program running in Ring 0 is the most trusted, and has the most access (privileges) to system resources. The program running in Ring 3 is the least trusted and any access to resources must be moderated.

Note: Linux defines two levels of protection:
  • level 0 – includes kernel and device drivers
  • level 3 – includes standard libraries and user programs
Creating multiple protection modes offers fault tolerance and security.

No comments:

Post a Comment