A beginner's guide to syscalls

Transcript

1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

   A beginner’s guide to syscalls Liz Rice @LizRice | @AquaSecTeam

2. 2 Syscalls ▪ What are syscalls? ▪ How do they

   work? ▪ Security and syscalls ▪ A question answered with syscalls @LizRice | @AquaSecTeam

3. 3

4. 4 What do you need syscalls for? ▪ Processes ▪

   Files ▪ Devices ▪ Communications ▪ Time & date See them with strace @LizRice | @AquaSecTeam

5. 5 Library functions - libc ▪ Standard C library ▪

   basic C functions ▪ wraps system calls (only kernel can execute) ▪ On Linux, it’s the GNU C Library, aka glibc ▪ libc.so.6 tells us it’s glibc @LizRice | @AquaSecTeam

6. 6 Syscalls all look the same long syscall(long number, …)

   ▪ Syscall code as identifier ▪ Parameters depending on syscall rc = syscall(SYS_chmod, "/etc/passwd", 0444); @LizRice | @AquaSecTeam

7. 7 Syscall codes @LizRice | @AquaSecTeam

8. 8 Making a syscall @LizRice | @AquaSecTeam

9. 9 Making a syscall ▪ Set registers up with syscall

   ID and parameters ▪ Trigger an interrupt - transition to kernel - run syscall code ▪ Result returned in %rax (x86) @LizRice | @AquaSecTeam x86 64 table from blog.rchapman.org

10. 10 Making a syscall @LizRice | @AquaSecTeam ▪ Different architectures,

    same approach

11. 11 Syscalls as a portability layer ▪ Implement syscalls interface

    = emulate Linux ▪ Bash shell on Windows @LizRice | @AquaSecTeam

12. Syscalls and security

13. 13 Limiting syscalls with seccomp ▪ Restrict which syscalls this

    process can call ▪ Uses a BPF Check it’s configured in your kernel: cat /boot/config-`uname -r` | grep CONFIG_SECCOMP @LizRice | @AquaSecTeam

14. 14 Limiting syscalls with seccomp in Go Install libraries for

    manipulating seccomp filters apt install libseccomp-dev And the Golang package go get github.com/seccomp/libseccomp-golang @LizRice | @AquaSecTeam

15. 15 Security profiles and containers ▪ Microservice in container only

    performs small set of functions ▪ “Least privilege” @LizRice | @AquaSecTeam

16. 16 Security profiles and containers ▪ Seccomp $ docker run

    \ --security-opt seccomp=/path/sc_profile.json hello-world ▪ AppArmor $ docker run \ --security-opt apparmor=/path/aa_profile.json hello-world @LizRice | @AquaSecTeam

17. 17 Security profiles and containers @LizRice | @AquaSecTeam

18. A question answered with syscalls

19. 19 Syscalls ▪ Your interface into the kernel ▪ even

    if you’re not using them directly ▪ Portability ▪ running Linux on different hardware ▪ emulation ▪ Security ▪ limiting which syscalls are permitted @LizRice | @AquaSecTeam

20. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Questions? Liz Rice @LizRice | @AquaSecTeam