By Shantanu Bhattacharya
Posted on February 06, 2025 | Originally published on RSAC Conference
In the ever-evolving landscape of cybersecurity, attackers are constantly seeking new ways to bypass traditional defenses. This blog delves into the often-overlooked methods they use, focusing on how obscure techniques, specifically within UNIX system calls and file system manipulation, are employed to gain access and exfiltrate sensitive data. While a similar situation occurs with Windows system calls, we decided to focus on one system for better understanding and conciseness. Our primary focus is on attacks that operate in user mode, and on how access can be protected at that level.
We begin by exploring “the shadows” of UNIX-like systems, highlighting system calls that are typically not monitored, such as openat, ptrace, mmap, and others. These system calls are not inherently malicious; however, attackers cleverly misuse them. Think of it as using the wrong key to open a door. Attackers use ptrace, for example, to manipulate running processes and access data they’re not supposed to. Or they use mmap to map sensitive files like /etc/shadow directly into memory, bypassing traditional file-based access controls. Other examples include sendfile, which can be used to transfer data directly from the file system to an unauthorized remote network location, and rename, which is used to exchange sensitive files with malicious ones. We even see the exploitation of dup to duplicate file descriptors to access privileged data. While a similar set of attacks is also possible on Windows-based systems, those methods closely mirror their UNIX counterparts, and covering them would not provide additional context.
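To make the monitoring gap concrete, here is an added example (not code from the article) that parses raw auditd SYSCALL/PATH records and flags the calls listed above; it assumes Linux x86_64 syscall numbers, the standard auditd record layout, and a constructed sample log. Note that mmap, sendfile and dup act on descriptors, so the path they touch is visible only in the openat event that produced the descriptor, which is why auditing openat on sensitive files matters.

```python
"""Flag rarely monitored syscalls in raw auditd output (added example)."""
import re
from collections import defaultdict

# x86_64 syscall numbers for the calls the article names.
WATCHED = {257: "openat", 101: "ptrace", 9: "mmap", 40: "sendfile", 82: "rename", 32: "dup"}
SENSITIVE = ("/etc/shadow", "/etc/gshadow", "/root/.ssh/")

# Constructed sample records, not captured from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 pid=4321 auid=1000 uid=1000 comm="backup" exe="/usr/bin/backup" key="shadow"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/shadow" inode=1234 mode=0100640
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1bc a2=0 a3=0 pid=4400 auid=1000 uid=1000 comm="helper" exe="/tmp/helper" key="ptrace"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd a2=0 a3=0 pid=4500 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="files"
type=PATH msg=audit(1700000000.303:503): item=0 name="/home/alice/notes.txt" inode=5678 mode=0100644
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group records by audit event serial: {serial: {"syscall": fields, "paths": [...]}}."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        serial = re.search(r"audit\([\d.]+:(\d+)\)", line).group(1)
        if fields.get("type") == "SYSCALL":
            events[serial]["syscall"] = fields
        elif fields.get("type") == "PATH":
            events[serial]["paths"].append(fields["name"])
    return events

def find_alerts(text):
    """Return (serial, syscall name, exe, path) for each suspicious watched-syscall event."""
    alerts = []
    for serial, ev in sorted(parse_records(text).items()):
        sc = ev["syscall"]
        if sc is None or int(sc["syscall"]) not in WATCHED:
            continue
        name = WATCHED[int(sc["syscall"])]
        if name == "ptrace":  # process manipulation is rare in production: always flag
            alerts.append((serial, name, sc["exe"], None))
            continue
        for path in ev["paths"]:  # file-oriented calls: flag only on sensitive paths
            if path.startswith(SENSITIVE):
                alerts.append((serial, name, sc["exe"], path))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Running it reports the openat of /etc/shadow and the ptrace event, while the ordinary editor open of a home-directory file is ignored.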
Attackers manipulate file system features and metadata to carry out their activities. Methods range from hiding data within alternate data streams (ADS) and sparse files, to exploiting NTFS junctions and symbolic links, and even the use of rootkits to hide malicious activity from security tools. These methods are difficult to detect because they often rely on system-level tools and techniques and do not necessarily leave a trail, particularly in user mode.
The current security landscape is often lacking when it comes to protecting against these more subtle attacks. Traditional security solutions, while proficient at user authentication, often fall short on device authentication, relying on easily spoofable IP and MAC addresses, and they completely overlook software authentication, a huge gap that needs to be addressed. Consider this: current security checks whether the user has permission to use the software, but not whether the specific instance of that software is trusted and authorized. This is a key weakness that can be exploited using compromised software instances to gain unauthorized access.
This is where a new solution comes in, using a multi-dimensional approach. Unlike traditional security, which focuses on user credentials, the solution requires not only the right user, but also the right device and the right software. It authenticates each of the three, ensuring that only a valid user on a valid device running a valid software instance is given access. In addition, it provides 24×7 monitoring of all data access paths, so even if an attack uses an obscure or unintended system call, access is automatically denied. This multi-faceted approach provides significantly more stringent access controls. It’s like adding multiple layers to a bank transaction. Organizations should take into account the many obscure techniques attackers use as attack vectors. By treating administrator access as a higher-privileged role, organizations can close the loopholes usually present in the security system.
Much like fortifying the foundation of a building, it is critical to ensure that operating system security is strengthened at both the user and kernel level. It’s fundamental to all secure computing going forward.
In conclusion, by understanding obscure attack vectors and implementing robust and comprehensive security solutions such as the one described above, organizations and users can move closer to a truly secure digital environment. It’s time to look beyond the usual and fortify every aspect of our systems from the ground up.