Privilege escalation
===Mitigation strategies===
Operating systems and users can use the following strategies to reduce the risk of privilege escalation:
* [[Data Execution Prevention]]
* [[Address space layout randomization]] (to make it harder for [[buffer overflow|buffer overruns]] to execute privileged instructions at known addresses in memory)
* Running applications with [[Principle of least privilege|least privilege]] (for example by running [[Internet Explorer]] with the Administrator [[Security Identifier|SID]] disabled in the process [[Session (computer science)|token]]) in order to reduce the ability of buffer overrun [[Exploit (computer security)|exploits]] to abuse the privileges of an elevated user.
* Requiring kernel mode code to be digitally signed.
* [[Patch (computing)|Patching]]
* Use of [[compiler]]s that trap buffer overruns<ref>{{Cite web|url=http://download.microsoft.com/documents/customerevidence/12374_Microsoft_GS_Switch_CS_final.doc|publisher=[[Microsoft]]|title=Microsoft Minimizes Threat of Buffer Overruns, Builds Trustworthy Applications|date=September 2005|access-date=2008-08-04}} {{Dead link|date=September 2010|bot=H3llBot}}</ref>
* Encryption of software and/or [[firmware]] components.
* Use of an operating system with Mandatory Access Controls (MAC) such as [[SELinux]]<ref>{{Cite web|last=Smalley|first=Stephen|title=Laying a Secure Foundation for Mobile Devices|url=http://www.internetsociety.org/sites/default/files/Presentation_Smalley.pdf|access-date=7 March 2014|archive-date=28 August 2017|archive-url=https://web.archive.org/web/20170828232658/http://www.internetsociety.org/sites/default/files/Presentation_Smalley.pdf|url-status=dead}}</ref>
* Kernel Data Relocation Mechanism (dynamically relocates privilege information in the running kernel, preventing privilege escalation attacks using memory corruption)

Recent research has proposed further mechanisms that protect against privilege escalation attacks. These include the additional kernel observer (AKO), which specifically prevents attacks focused on OS vulnerabilities. Research shows that AKO is effective against privilege escalation attacks.<ref>{{Cite journal |last=Yamauchi |first=Toshihiro |last2=Akao |first2=Yohei |last3=Yoshitani |first3=Ryota |last4=Nakamura |first4=Yuichi |last5=Hashimoto |first5=Masaki |date=August 2021 |title=Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes |url=https://link.springer.com/10.1007/s10207-020-00514-7 |journal=International Journal of Information Security |language=en |volume=20 |issue=4 |pages=461–473 |doi=10.1007/s10207-020-00514-7 |issn=1615-5262 |doi-access=free |access-date=2023-11-10 |archive-date=2024-05-24 |archive-url=https://web.archive.org/web/20240524180458/https://link.springer.com/article/10.1007/s10207-020-00514-7 |url-status=live }}</ref>