Bezopasnostʹ Informacionnyh Tehnologij
An Analysis of Local Security Authority Subsystem Services for Windows and Linux
Igor Y. Korkin [1], Svetlana A. Golub [1]
[1] National Research Nuclear University MEPhI (Moscow Engineering Physics Institute)
Keywords: extraction credentials, passwords in memory, ascii and unicode passwords, operating system security, gnome-keyring-daemon, lsass, mimikatz
DOI: 10.26583/bit.2022.1.06
Source: DOAJ
Abstract
The paper is devoted to the security analysis of local security authority subsystem services for the Windows and Linux operating systems. The paper provides a security analysis of both local and network-based authentication in Windows. Mimikatz (France) is presented to demonstrate attacks on the authentication subsystem. Mimikatz is a software tool that can extract users' credentials and password information from the memory of the LSASS process. To prevent such attacks on process memory, Windows includes several security mechanisms: Security Reference Monitor, Protected Process Light, and Virtualization-Based Security. However, attackers can bypass these mechanisms to gain illegal access to the process memory and steal users' credentials. A similar analysis of the local authority subsystem for Linux OSes shows that gnome-keyring-daemon stores users' passwords in plain text. As a result, attackers can easily extract this sensitive information using memory forensics techniques from user-mode applications. Several modern Linux distributions based on Red Hat Enterprise Linux (RHEL) still have this security issue: CentOS, Ubuntu, GNU/Linux Rolling. To tackle this security challenge, experts have developed software tools that locate and remove passwords from memory: MimiPenguin (USA) and Mimipy (USA). A comparative analysis of these tools reveals their drawbacks: they cannot locate passwords containing Unicode characters, and they are slow. The proposed security solution, called MimiDove, is designed to solve both of these issues. MimiDove extends the features of MimiPenguin and Mimipy by locating and deleting passwords containing both ASCII and Unicode characters. MimiDove is faster than MimiPenguin and Mimipy.
License: Unknown