• Journal of Advanced Navigation Technology
• /
• v.13 no.4
• /
• pp.586-599
• /
• 2009

Recently, a lot of nations are establish and researches the u-City which ubiquitous technology based city, and u-City Management Center(UMC) is also establish and researches. Technical researches of UMC are increasing. However, administrator privilege management researches for UMC is not enough. If we don't manage to administrator privilege who can access and control all of information in UMC, security problems will be occurs. Therefore, in this paper, analyses of administrator privilege management security problems, and proposed administrator privilege management system classification.

• KIPS Transactions on Computer and Communication Systems
• /
• v.9 no.7
• /
• pp.149-156
• /
• 2020

All operating systems have privileged administrator accounts for efficient management. Dangerous or sensitive tasks or resources should be banned from normal users and should only be accessible by administrators. One example of this privilege is to reset a user's password when the user loses his/her password. In this paper, the privileges of the sudoer group, the administrator group of Linux Ubuntu, and the management system of the sudoer group were analyzed. We show the danger that a sudoer can use the privilege to change the password of other users, including other sudoers, and modify the log, and suggest a countermeasure to prevent the manipulation of shadow files as a solution to this. In addition, the proposed method was implemented and the possibility of practical use was confirmed with excellent performance.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.15 no.3
• /
• pp.31-42
• /
• 2005

We consider a network storage model whose administrator can not be fully trusted. In this model, we assume that all data stored are encrypted for data confidentiality and one owner distributes the decryption key for each time period to users. In this paper, we propose three privilege management schemes. In the first scheme, called Temporal Privilege Management (TPM), we use a symmetric encryption based on one-way function chains for key encapsulation. In the second scheme, called Asymmetric Temporal Privilege Management (ATPM), anyone can encrypt the data using the public key of owner, but only privileged users can decrypt the encrypted data. Finally, we present a scheme to restrict writers' privilege using ID-based signatures in ATPM. In our schemes, the privilege managements are based on the time and the addition of users is efficient. Specially, applying TPM and ATPM, we can solve the back-issue problem.

• The KIPS Transactions:PartC
• /
• v.10C no.6
• /
• pp.675-682
• /
• 2003

Attackers collect vulnerabilities of a target computer system to intrude into it. And using several attack methods, they acquire root privilege. They steal and alter information in the computer system, or destroy the computer sysem. So far many intrusion detection systems and firewallshave been developed, but recently attackers go round these systems and intrude into a computer system . In this paper, we propose security kernel module to prevent attackers having acquired root privilege from doing illegal behaviors. It enhances administrator authentication with additional password, so prevents attackers from doing illegal behaviors such as modification of important files and installation of rootkits. It sends warning mail about sttacker's illegal behaviors to administrators by real time. So using information in the mail, they can estabilish new security policies.

• KIPS Transactions on Computer and Communication Systems
• /
• v.6 no.5
• /
• pp.247-254
• /
• 2017

In a Linux system, a user with malicious intent can acquire administrator privileges through attack types that execute shells, and can leak important user information and install backdoor program. In order to solve this problem, the existing method is to analyze the causes of the elevation of privilege, fix the problems, and then patch the system. Recently, a method of detecting an illegal elevated tasks in which information inconsistency occurs through user credentials in real time has been studied. However, since this credential method uses uid and gid, illegal elevated tasks having the root credentials may not be detected. In this paper, we propose a security module that stores shell commands and paths executed with regular privileges in a table and compares them with every file accesses (open, close, read, write) that are executed to solve the case which cannot detect illegal elevated tasks have same credential.

• KIPS Transactions on Computer and Communication Systems
• /
• v.3 no.11
• /
• pp.427-432
• /
• 2014

The Purpose of local system attacks is to acquire administrator's(root) privilege shell through the execution of the malicious program or change the flow of the program. This acquiring shell through attack is still valid approach method and it is difficult to cope with improving each of vulnerability because the attacker can select various forms of attack. Linux allocate a set of credentials when login, in order to manage user permissions. Credentials were issued and managed by the kernel directly, and also the kernel ensures that any change cannot be occurred outside of kernel. But, user's credentials that acquired root privilege through system attacks occurs a phenomenon that does not remain consistent. In this paper we propose a security module to detect a security threats that may cause to users and tasks by analysis user task execution and inconsistency credentials.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.11 no.6
• /
• pp.115-125
• /
• 2001

Authentication and access control are essential requirements for the information security of distributed environment. Delegation is process whereby an initiator principal in a distributed environment authorizes another principal to carry out some functions on behalf of the former. Delegation of access rights also increases the availability of services offer safety in distributed environments. A delegation easily provides principal to grant privileges in the single domain with Role-Based Access Control(RBAC). But in the multi-domain, initiators who request delegation may require to limit the access right of their delegates with restrictions that are called delegate restriction to protect the abuse of privilege. In this paper, we propose the delegation view as function of delegation restrictions. Proposed delegation view model not only prevent over-exposure of documents from granting multiple step delegation to document sharing in multi-domain with RBAC infrastructure but also reduce overload of security administrator and communication.