Dissertation/Thesis Abstract

Privilege Leakage in Practical Systems
by Grace, Michael C., Ph.D., North Carolina State University, 2017, 114; 10969800
Abstract (Summary)

The modern world places great reliance on computer systems. As the cost of processing power drops, many aspects of our daily life are now becoming “smart.” Computers used to take up a room, then an expensive piece of hardware upon a desk, and now are carried in the pockets of most people. This evolution obviously owes much to advances in hardware, but software has also played an important role: as additional layers of abstraction have been built up, it is easier than ever to develop software to do sophisticated tasks. Since computer systems today are networked, always-on, and contain valuable data, attackers are eager to use any gaps in their architecture to gain access to them. In this dissertation, we examine the ways in which privilege can be leaked through such architectural gaps in practical systems.

First, we deal with a class of memory safety issues within the Linux kernel. Most modern processor architectures use the concept of memory pages to manage memory, both to support virtual addressing and to enable page-level protection bits to describe the context in which each page should be used. Due to improper memory layouts within commodity kernels, a single page sometimes contains both executable code and writable data. An attacker can therefore use a memory write to inject their own code directly into kernel space, gaining its privilege. To address this problem, we propose using a security hypervisor to manage the kernel’s memory and enforce the W⊕X property, which states that a given memory page can be either executable or writable, but not both at the same time. By efficiently emulating the older Harvard architecture, we can enforce a strict separation between code and data accesses even when pages contain both.

We then turn our focus to Android, a relatively new operating system that relies heavily on inter-process communication and a rich framework, where privilege is represented by a permission model. Unfortunately, such permission models can be subverted by classical “confused deputy” attacks. Such attacks can occur when a trusted party, such as an app that has a sensitive permission, performs operations on behalf of an untrusted entity. We call such vulnerabilities capability leaks, and further classify them into two broad categories. External capability leaks cross app boundaries, allowing malicious apps to either collude with or dupe trusted apps to expand their privilege; conversely, internal capability leaks leak privilege within a single app that contains components written by multiple parties. We identify two major sources of such vulnerabilities in the platform as it stands today: firmware customizations and embedded advertisement libraries. By conducting systematic surveys of these subjects, we discover several new problems and measure their prevalence, providing a solid foundation upon which to build defensive solutions or motivate architectural changes.

Indexing (document details)
Advisor: Jiang, Xuxian, Enck, William
Commitee: Enck, William, Jiang, Xuxian
School: North Carolina State University
Department: Computer Science
School Location: United States -- North Carolina
Source: DAI-B 79/12(E), Dissertation Abstracts International
Source Type: DISSERTATION
Subjects: Computer science
Keywords: Android, Capability Leak, Confused Deputy, Harvard Architecture, Memory Safety, Virtualization
Publication Number: 10969800
ISBN: 9780438283152
Copyright © 2019 ProQuest LLC. All rights reserved. Terms and Conditions Privacy Policy Cookie Policy
ProQuest