Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A beginner's guide to syscalls

A beginner's guide to syscalls

OSCON 2017

Liz Rice

May 10, 2017
Tweet

More Decks by Liz Rice

Other Decks in Technology

Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    A beginner’s guide to syscalls Liz Rice @LizRice | @AquaSecTeam
  2. 2 Syscalls ▪ What are syscalls? ▪ How do they

    work? ▪ Security and syscalls ▪ A question answered with syscalls @LizRice | @AquaSecTeam
  3. 3

  4. 4 What do you need syscalls for? ▪ Processes ▪

    Files ▪ Devices ▪ Communications ▪ Time & date See them with strace @LizRice | @AquaSecTeam
  5. 5 Library functions - libc ▪ Standard C library ▪

    basic C functions ▪ wraps system calls (only kernel can execute) ▪ On Linux, it’s the GNU C Library, aka glibc ▪ libc.so.6 tells us it’s glibc @LizRice | @AquaSecTeam
  6. 6 Syscalls all look the same long syscall(long number, …)

    ▪ Syscall code as identifier ▪ Parameters depending on syscall rc = syscall(SYS_chmod, "/etc/passwd", 0444); @LizRice | @AquaSecTeam
  7. 9 Making a syscall ▪ Set registers up with syscall

    ID and parameters ▪ Trigger an interrupt - transition to kernel - run syscall code ▪ Result returned in %rax (x86) @LizRice | @AquaSecTeam x86 64 table from blog.rchapman.org
  8. 11 Syscalls as a portability layer ▪ Implement syscalls interface

    = emulate Linux ▪ Bash shell on Windows @LizRice | @AquaSecTeam
  9. 13 Limiting syscalls with seccomp ▪ Restrict which syscalls this

    process can call ▪ Uses a BPF Check it’s configured in your kernel: cat /boot/config-`uname -r` | grep CONFIG_SECCOMP @LizRice | @AquaSecTeam
  10. 14 Limiting syscalls with seccomp in Go Install libraries for

    manipulating seccomp filters apt install libseccomp-dev And the Golang package go get github.com/seccomp/libseccomp-golang @LizRice | @AquaSecTeam
  11. 15 Security profiles and containers ▪ Microservice in container only

    performs small set of functions ▪ “Least privilege” @LizRice | @AquaSecTeam
  12. 16 Security profiles and containers ▪ Seccomp $ docker run

    \ --security-opt seccomp=/path/sc_profile.json hello-world ▪ AppArmor $ docker run \ --security-opt apparmor=/path/aa_profile.json hello-world @LizRice | @AquaSecTeam
  13. 19 Syscalls ▪ Your interface into the kernel ▪ even

    if you’re not using them directly ▪ Portability ▪ running Linux on different hardware ▪ emulation ▪ Security ▪ limiting which syscalls are permitted @LizRice | @AquaSecTeam
  14. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Questions? Liz Rice @LizRice | @AquaSecTeam