Title :
A Qualitative Analysis of Privilege Escalation
Author :
Song, Xinyue ; Stinson, Michael ; Lee, Roger ; Albee, Paul
Author_Institution :
Comput. Sci. Dept., Central Michigan Univ., Mt Pleasant, MI
Abstract :
Many programming bugs can lead to privilege escalation, which is a major security concern. However, there are times when the concern proves to be a false positive. In a previous paper, "An Approach to Analyzing the Windows and Linux Security Models" (Xinyue Song et al., 2006), a set of metrics was proposed to assess risks quantitatively. However, even with the risk quantified, there is still no clearly defined way of distinguishing between the true and false positives on the continuum of security risks. An effective method needs to be developed to solve this problem. In this paper, a new set of qualitative metrics is proposed in order to draw a correct conclusion on the criticality of a privilege escalation case. This set of qualitative metrics works more effectively to answer this question. Two cases are examined to demonstrate how this set of qualitative metrics works. Through a comparison of these two cases, it is demonstrated that the question of whether a privilege escalation is a true or false positive can be answered correctly. Therefore, this is an effective solution to this different type of problem.
Keywords :
operating systems (computers); program debugging; program diagnostics; risk analysis; security of data; software metrics; privilege escalation; programming bugs; qualitative analysis; qualitative metrics; security risks; Computer bugs; Computer science; Computer security; Information security; Linux; Mathematical model; National security; Operating systems; Risk analysis; Risk management;
Conference_Title :
Information Reuse and Integration, 2006 IEEE International Conference on
Conference_Location :
Waikoloa Village, HI
Print_ISBN :
0-7803-9788-6
DOI :
10.1109/IRI.2006.252441