
What have syscalls done for you lately?

Liz Rice
October 17, 2017


DockerCon EU - Black Belt track

What are syscalls, and how can you use knowledge of syscalls to help secure your containers?


Transcript

  1. When do you need syscalls?
     • Files
     • Devices
     • Processes
     • Communications
     • Time & date
     And creating containers
  2. How do you make a syscall? Language-specific library
     • C - libc
     • Golang - syscall package
       func Write(fd int, p []byte) (n int, err error)
  3. Making a syscall
     syscall() saves CPU registers before making the system call, restores the registers upon return from the system call, and stores any error code returned by the system call in errno(3) if an error occurs.
  4. Syscall in assembler (GNU C library)
     ENTRY (syscall)
         movq %rdi, %rax         /* Syscall number -> rax.  */
         movq %rsi, %rdi         /* shift arg1 - arg5.  */
         movq %rdx, %rsi
         movq %rcx, %rdx
         movq %r8, %r10
         movq %r9, %r8
         movq 8(%rsp),%r9        /* arg6 is on the stack.  */
         syscall                 /* Do the system call.  */
         cmpq $-4095, %rax       /* Check %rax for error.  */
         jae SYSCALL_ERROR_LABEL /* Jump to error handler if error.  */
         ret                     /* Return to caller.  */
     PSEUDO_END (syscall)
  5. Transition to kernel
     • Execute in privileged mode
     • Look up kernel code to run
       ◦ syscall code from %rax
  6. vDSO
     • Avoid expensive kernel transitions
     • Architecture-specific
     • Typical: get time, CPU
     strace(1) and the vDSO: when tracing system calls with strace(1), symbols (system calls) that are exported by the vDSO will not appear in the trace output.
  7. Seccomp: restrict the syscalls a process can use
     {
       "defaultAction": "SCMP_ACT_ERRNO",
       "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ],
       "syscalls": [
         { "name": "accept",  "action": "SCMP_ACT_ALLOW", "args": [] },
         { "name": "accept4", "action": "SCMP_ACT_ALLOW", "args": [] }
       ]
     }
  8. Seccomp: can I reboot the host?
     ...
     {
       "names": [ "reboot" ],
       "action": "SCMP_ACT_ALLOW",
       "args": [],
       "comment": "",
       "includes": { "caps": [ "CAP_SYS_BOOT" ] },
       "excludes": {}
     },
     ...
  9. So you’ve got your syscalls
     • Creating a seccomp profile
     • Portability?
       ◦ Kernel / architecture
  10. AppArmor profiles: define what a program can do
      • File access (read, write, execute…)
      • Capabilities
      • Network access
      • ...
  11. Generating AppArmor profiles
      • aa-autodep - blank profile
      • aa-complain - generate logs
      • aa-logprof - review logs
      • Manual edits?
      • Zzzzzzzzz
  12. Typical profile
      #include <tunables/global>

      /usr/sbin/nginx {
        #include <abstractions/apache2-common>
        #include <abstractions/base>
        #include <abstractions/nis>

        capability dac_override,
        capability dac_read_search,
        capability net_bind_service,
        capability setgid,
        capability setuid,

        /data/www/safe/* r,
        deny /data/www/unsafe/* r,
        /etc/group r,
        /etc/nginx/conf.d/ r,
        /etc/nginx/mime.types r,
        /etc/nginx/nginx.conf r,
        /etc/nsswitch.conf r,
        /etc/passwd r,
        /etc/ssl/openssl.cnf r,
        /run/nginx.pid rw,
        /usr/sbin/nginx mr,
        /var/log/nginx/access.log w,
        /var/log/nginx/error.log w,
      }
  13. Container AppArmor profiles
      • Generate profile on host
      • Or install apparmor inside container
        ◦ Requires --security-opt apparmor:unconfined --cap-add sys_admin
  14. But...
      • Can stop unexpected behaviour
      • Microservice behaviour is easier to reason about
      Powerful with good tooling
  15. Recap & more info
      • How syscalls work
        ◦ Tycho’s kernel talk
      • Runtime profiles
        ◦ Powerful in theory, hard in practice
      • More on strace
        ◦ Julia Evans strace-zine
        ◦ github.com/lizrice/strace-from-scratch
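To make the "can I reboot the host?" question on the seccomp slides concrete, here is an added checker (not from the talk and not Docker's own code) that loads a small constructed profile in Docker's seccomp JSON format and reports which action applies to a syscall for a container holding a given set of capabilities. It assumes Docker's rule semantics: a rule matches when the syscall is listed, every cap under "includes" is granted and no cap under "excludes" is; the first matching rule wins and "args" filters are not evaluated.

```python
import json

# Constructed profile fragment in Docker's seccomp JSON format (not the real
# default profile). It mirrors the slides: default deny, plain allows using
# both the older "name" and newer "names" keys, and a reboot rule that only
# applies when the container holds CAP_SYS_BOOT.
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"name": "accept", "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["accept4", "write"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["reboot"], "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_BOOT"]}, "excludes": {}}
  ]
}
"""
PROFILE = json.loads(PROFILE_JSON)


def rule_matches(rule, syscall, caps):
    """True if `rule` applies to `syscall` for a container holding `caps`.

    Assumed Docker semantics: every cap in includes.caps must be held and
    no cap in excludes.caps may be held. "args" filters are ignored here.
    """
    names = rule.get("names") or [rule.get("name")]
    if syscall not in names:
        return False
    required = (rule.get("includes") or {}).get("caps") or []
    forbidden = (rule.get("excludes") or {}).get("caps") or []
    if any(c not in caps for c in required):
        return False
    if any(c in caps for c in forbidden):
        return False
    return True


def action_for(profile, syscall, caps=()):
    """Seccomp action for `syscall`: first matching rule, else defaultAction."""
    caps = set(caps)
    for rule in profile["syscalls"]:
        if rule_matches(rule, syscall, caps):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    for sc, caps in [("reboot", []), ("reboot", ["CAP_SYS_BOOT"]),
                     ("write", []), ("kexec_load", ["CAP_SYS_BOOT"])]:
        print(f"{sc:<10} caps={caps} -> {action_for(PROFILE, sc, caps)}")
```

Run against a real profile (for example `docker run --security-opt seccomp=profile.json`) the same logic shows why a syscall that is listed can still be refused: the rule is there, but the capability it is conditioned on is not in the container's bounding set.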