77 results about "Privilege escalation" patented technology

A system for mitigation of cyberattacks employing an advanced cyber decision platform comprising a time series data store, a directed computational graph module, an action outcome simulation module, and observation and state estimation module, wherein the state of a network is monitored and used to produce a cyber-physical graph representing network resources, simulated network events are produced and monitored, and the network events and their effects are analyzed to produce security recommendations.

A method and system of detecting vulnerabilities in source code. Source code is parsed into an intermediate representation. Models are derived for the code and the models are then analyzed in conjunction with pre-specified rules about the routines to determine if the routine call posses one or more of pre-selected vulnerabilities.

The invention relates to a method for detecting a code security hole based on constraint analysis and model checking, which can extract the source code of a C program in a constraint way and detect the security hole of the program with the model checking. The main content comprises the following steps: buffer attribute information which is involved in the source code of the C program is extracted with a constraint analysis technology; the corresponding ASSERT sentence information of attribute generation, attribute transmission and attribute constraint is inserted into variable declaration, variable assignment and function call site with the buffer attribute information; the inserted code can be taken as the input of the model checking to judge whether the program is accessible, find whether the dangerous points in the program really has an accessible path and finally find the security hole in the source code. Currently, independent model checking can not detect the security hole of the buffer and the like, the method combines the static detecting technology of the constraint analysis with the model detecting technology to realize the detection of the security hole of the buffer overflow and the like, wherein, the detecting precision of the method is higher than that of the general static detecting technology. By extracting the other dangerous function information of the source code, corresponding inserting process is carried out. The invention also can detect the security holes such as formative character string, code injection, privilege escalation, etc.

Techniques for privilege escalation protection are disclosed. In some embodiments, a system / process / computer program product for privilege escalation protection includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy / rule(s), which can include a whitelisted set of processes and / or configured actions / responses to perform for other / non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.

A data collection application is executed on a target system. Various data indicative of privilege elevation pathways is collected, including user account data, file permission data, and system registry data. The collected data is analyzed according to heuristics. System accounts are displayed on a graph as nodes. Detected privilege elevations between the accounts are displayed as edges between their corresponding accounts. A user may customize the displayed graph to focus on particular goal accounts, and categories of privilege elevations.

The invention discloses a control method and system of restricted access in an Android application multi-running environment, an open source virtualization framework is extended, and a privilege escalation attack initiated by a ClientApp due to the sharing of a permission of a HostApp is limited. The method includes a step of judging whether a current sensitive API call operation is legal or not with the combination of loaded policy information if a current operation is the sensitive API call operation when the ClientApp is running, and allowing the ClientApp to call a real API if so, a step of triggering an IOHook module to obtain a currently accessed file directory if the current operation belongs to a file access operation, then allowing an IoCheck module to check whether current accessis legal or not with the combination of a policy library, and calling a real system for file operation if so, and a step of analyzing a permission list to be a default quasi-permission authorizationset while the HostApp loads the ClientApp, and forming an authorization set with the integration of a developer-configured policy. According to the method and the system, the sensitive API access control in a third-party application multi-running environment is achieved.

An apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and / or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The likelihood probability measure can also be passed to cyber risk frameworks to determine financial impacts of the cyber-attacks. Embodiments of the present invention also relate to an apparatus and method (1) to identify and validate application attack surfaces and protect web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks; and / or (2) that protects web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. This can include implementing an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences. Stochastic probabilistic measures are preferably applied to a knowledge base for predicting malicious user actions in real time.

The invention discloses an android privilege escalation attack detection system and method based on cloud platform, which comprises the following steps: a cloud end downloads application programs from an application market and adds into an application program information database by using the crawler program, the application market comprises an official market and a third-party market, and formulates the security policy according to known privilege escalation attack sample, the cloud end classifies the application programs according to the security policy, the mobile terminal initializes the classified application program database and judges whether the application programs have update operation, if yes, the mobile terminal judges the type of the update operation is installation operation or un-installation operation, and the mobile terminal updates the classified application program database and the program privilege database directly or according to the result sent by the cloud end. By adoption of the method disclosed by the invention, the problem that the detection operation which wastes time and resource is performed every time when invoking the ICC (inter-component communication) is avoided.

A method for storing and processing data includes providing an operating system (OS) virtualization running on a processor and having a plurality of containers. Each container may prevent privilege escalation by a user to an administrator of a global zone running the OS virtualization. The method may also include providing a hardware virtual machine (HVM) for the user, the HVM encapsulated in one of the containers. A system for storing and processing data is provided that includes an operating system (OS) virtualization stored in a memory and running on a processor. The OS virtualization has a plurality of containers, and each container prevents privilege escalation by a user to an administrator of a global zone running the OS virtualization. The HVM may be encapsulated in one of the containers. A non-transitory computer readable storage medium having a program recorded thereon is provided.

The invention discloses a method for vulnerability detection in a Windows operating environment based on an instrumentation tool. The method comprises the steps that when it is detected that a target process executes a function call instruction, a next instruction address and a function return address are saved; if the instruction corresponding to the skip destination address of the target progress is not a start instruction of a function, ROP vulnerability existing is determined; when it is detected that the target process executes the function return address, whether the return address in a current thread stack is stored or not is detected, and if the return address is stored, a buffer overflow vulnerability is determined; whether the address of a function return instruction is same as the stored return address or not is judged, the address of the function return instruction is saved if the address of the function return instruction is not same as the stored return address, and it is judged that a ROP vulnerability exists in the target progress when it is detected that the address is executed for multiple times; a preset debugged progress is opened based on a function call interface, then whether the preset debugged progress can open the target process or not is judged, and if the preset debugged progress cannot open the target process, a local privilege escalation vulnerability exists. By means of the method, multiple samples can be automatically identified and detected concurrently.

The invention relates to an access control method and system for an Android operation system, wherein the access control method for the Android operation system comprises the steps of step A, controlling the access of application programs to private data by the private permission set for the application programs; step B, according to a preset strategy for preventing privilege promoting attack and collusion attack, controlling the communication request between the first application program and the second application program. According to the access control method and system for the Android operation system, the safety when a single application program accesses the system resource or user private data is improved, and the safety during communication of multiple application programs is enhanced, so the flexibility of an Android permission mechanism is improved, the collusion attack and privilege enhancing attack can be effectively prevented, and the safety of a middleware layer in the Android operation is greatly improved.

The invention discloses a user privilege escalation method supporting mandatory access control. The method comprises the following steps that: (1) privilege programs of an operating system are subjected to mandatory classification in advance and are correlated with different administrator roles; (2) access requests of users are detected, and when a privilege operation request is detected, jumping is carried out to execute the step (3); and (3) a user sending out the privilege operation request is authenticated, if the authentication is passed, a child process is derived, security attributes of the child process are set and are enabled to inherit security attributes of the administrator roles corresponding to the target privilege programs, and the target privilege programs are executed through the child process; and if the authentication is not passed, the privilege operation request of the user is refused, and exiting is carried out. The user privilege escalation method has the advantages that a realization method is simple; the privilege escalation operation of the user can be realized; in addition, the mandatory access control is supported; the safety of the operating system is high; and in addition, the usability is high.

This invention provides a privilege delegation mechanism, which allows a privilege and associated control attributes to be delegated from a security token to another security token or an intelligent device such as a computer system. The privilege may be in the form of an attribute certificate, a key component of a cryptographic key, a complete cryptographic key, digital certificate, digital right, license or loyalty credits. The purpose of the delegation is to allow another security token or computer system to act as a surrogate for the security token or to access a resource which requires components from both units before access is permitted. Attributes associated with the delegated privilege control the scope and use of the privilege. The delegation may allow the surrogate to perform authentications, access data or resources included on another security token or computer system. Authentications are performed prior to transferring of the delegable privileges.

A processor and a method for privilege escalation in a processor are provided. The method may comprise fetching an instruction from a fetch address, where the instruction requires the processor to be in supervisor mode for execution, and determining whether the fetch address is within a predetermined address range. The instruction is filtered through an instruction mask and then it is determined whether the instruction, after being filtered through the mask, equals the value in an instruction value compare register. The processor privilege is raised to supervisor mode for execution of the instruction in response to the fetch address being within the predetermined address range and the filtered instruction equaling the value in the instruction value compare register, wherein the processor privilege is raised to supervisor mode without use of an interrupt. The processor privilege returns to its previous level after execution of the instruction.

The invention discloses a system bug attack detection method and apparatus. The system bug attack detection method is provided according to one aspect of embodiments of the invention. The system bug attack detection method comprises: obtaining operation information of an operation currently performed by an account with a non highest system privilege in a system; and determining whether the operation indicated by the operation information is used for modifying a privilege of the account to a highest system privilege from the non highest system privilege or not, and if the operation indicated by the operation information is used for modifying the privilege of the account to the highest system privilege from the non highest system privilege, determining that a bug attack event exists in the system. With the adoption of the method and the apparatus, the problem of low detection accuracy of detecting a privilege escalation bug attack in the prior art is solved and the effect of detecting the system bug attack event timely and accurately is achieved.

The invention provides a method for clearing application data. The method comprises the following steps: a server-side sends an application program to a client-side, and a cleanup service package is inserted into the application program; the server-side sends an application data clearing instruction to the client-side or the client-side locally sends an application data clearing instruction according to the state of the client-side; the client-side obtains the application data clearing instruction; an interface of a corresponding cleanup service package in the application program is called according to the clearing instruction; the cleanup service package executes the clearing operation and clears data of the application grogram which the cleanup service package belongs to. The invention also provides a device for clearing application data. According to the method, the device can be independent from privilege escalation, and can clear application data produced by corresponding programs.

Embodiments disclosed herein describe a method to determine consequences of a privilege escalation alert from an intrusion detection system, the method comprising the steps of obtaining privilege escalation alert from the intrusion detection system and analyzing said privilege escalation alert information. The analysis further comprises of identifying the program affected by said privilege escalation alert and determining if it can be circumvented. The users affected by said privilege escalation alert and the transitive effects of said privilege escalation alert are identified.

A secure promotion mechanism promotes a current privilege level of a processor in a computer system. The current privilege level controls application instruction execution in the computer system by controlling accessibility to system resources. An operating system performs a privilege promotion instruction, which is stored in a first page of memory not writeable by an application instructions at a first privilege level. The privilege promotion instruction reads a stored previous privilege level state, compares the read previous privilege level state to the current privilege level, and if the previous privilege level state is equal to or less privileged than the current privilege level, promotes the current privilege level to a second privilege level which is higher than the first privilege level.

The invention relates to a security defense method and device of the Android privilege escalation attacks based on integrity verifications. The method comprises the steps that the case that whether or not an application program is executing the system calls associated with sensitive kernel functions is detected in real time; integrity verifications are conducted on the sensitive kernel functions to be executed by the system calls; the accuracy and reliability of the kernel function pointer corresponding to the sensitive kernel functions are examined; the case that whether or not the internal storage pointed by the kernel function pointers has the commands for the privilege escalation attack features is evaluated; the detected application privilege escalation attacks are given warnings and blocked. According to the security defense method and device of the Android privilege escalation attacks based on integrity verifications, the privilege escalation attack behaviors of malicious programs are detected in real time and are given warnings and blocked, and the damages caused by attacks on the Android system are prevented, and the securities of the application and data are effectively protected. The security defense method and device of the Android privilege escalation attacks based on integrity verifications reduce security threats brought to the Android system by the privilege escalation vulnerabilities, and enhance the security of the Android system.

A simulated penetration testing system that assigns network nodes of the tested networked system to classes based on current information about the compromisability of the nodes at a current state of a penetration testing campaign, the classes consisting of (i) a red class for nodes known to be compromisable by the attacker in a way that gives the attacker full control of the nodes, (ii) a blue class for nodes that are not known to be compromisable by the attacker, and (iii) a purple class for nodes known to be compromisable by the attacker in a way that does not give the attacker full control of the purple-class-member network node. The campaign tests whether an attacker would be able to achieve full control of a target node by using privilege escalation techniques and one or more access rights achieved by compromising the target node.

A system and method for automated defensive penetration test analysis that predicts the evolution of new cybersecurity attack strategies and makes recommendations for cybersecurity improvements to networked systems based on a cost / benefit analysis. The system and method use captured system data to classify networked system based upon their susceptibility to privilege escalation attacks measured against the networked system's response to a penetration test. The system and method use machine learning algorithms to run simulated attack and defense strategies against a model of the networked system created using a directed graph. Recommendations are generated based on an analysis of the simulation results and system classifications against a variety of cost / benefit indicators.

The invention discloses a method for feedback of privilege escalation configuration information and a related device. The method comprises the following steps of obtaining a request containing characteristic information of terminal equipment; searching configuration information used for obtaining Root permission according to the characteristic information; sorting the searched configuration information according to history service data stored for the configuration information and forming a recommendation list containing the searched configuration information; responding to the request and pushing the recommendation list containing the sorted configuration information. The invention further discloses a method and a device for matching of the privilege escalation configuration information. The method comprises the following steps of transmitting a request containing the characteristic information collected by the terminal equipment; obtaining a configuration information recommendation list, which responds to the request and is used for obtaining the Root permission of the terminal equipment; applying privilege escalation to the terminal equipment by utilizing at least one piece of configuration information. According to the methods and the devices, a more effective scheme for obtaining highest permission of terminal equipment system is provided for a user.

The present invention discloses a remote control debugging method and system based on Android equipment. The method includes the steps as follows: a controlling terminal of the Android equipment receives remote control debugging information transmitted by a controlled terminal of the Android equipment, distributes and marks verification codes, and transmits verification code prompting information; when the controlling terminal receives correct verification code prompting information inputted by the controlled terminal, and acquires reception instruction confirmation of the controlled terminal for processing the remote control debugging, the controlled terminal establishes a pseudo-terminal service in local, the controlling terminal acquires a bottom layer linux terminal of the controlled terminal, and the controlling terminal acquires root privileges through a privilege escalation operation so that the controlled terminal is remotely controlled. The remote control debugging method and system based on Android equipment control remote terminals among Android equipment, and remotely control remote menus. The remote control debugging method and system based on Android equipment can greatly increase the remote control efficiency and reduce the realizing cost for remote control, and provide subscribers with convenience.

Automatic detection of software that performs unauthorized privilege escalation is disclosed. The techniques cause a programmable device to obtain a trace event of a program from an event logger, parse the trace event to determine a privilege level for an event, compare the privilege level for the event to an expected privilege level, and block execution of the program based on the comparison.

The embodiment of the invention provides a privilege escalation method and system in a Unix-like environment of a windows system. The privilege escalation method comprises adding an operation and maintenance account into an administrator group; receiving an operation request of privilege escalation, analyzing out the operation and maintenance account and an operation command of privilege escalation of a Unix-like format from the operation request of privilege escalation, and converting the operation command of privilege escalation of the Unix-like format into an operation command of privilege escalation of a windows format; applying the operation and maintenance account and creating sub-processes through an API (application program interface) which allows a user to use an assigned user account for creating processes to execute the operation command of privilege escalation of the windows format. According to the privilege escalation method and system in the Unix-like environment of the windows system, the function of command privilege escalation in the Unix-like environment can be achieved in the windows system, environments of Cygwin and cmd in the windows system are compatible and supported, and path analyses of Cygwin and redirecting of output results are supported.

An apparatus, method, computer readable storage medium are provided in one or more examples and comprise accessing an application, identifying an access token of the application, determining if the access token is a system token, and responsive to the access token failing to be a system token, enabling a runtime module.

The various embodiments herein disclose a system and method for detecting zero-day privilege escalation malware at host level. The method identifies whether a privileged escalation state is initiated and executed by a user or by a malware program. The method uses keystrokes, Mouse events along with OCR output extracted from recorded background screen image for checking if user has initiated the privilege escalation. If a new process starts automatically without any pattern in Key Strokes, Mouse Strokes and background screen, then the process is identified as zero-day privilege escalation malware.