Slide 1

What have syscalls done for you lately?
Liz Rice @lizrice Aqua Security

Slide 2

Agenda
● What are syscalls?
● Syscalls, seccomp & containers
● Shellshock exploit

Slide 3

What is a syscall?

Slide 4

No content

Slide 5

When do you need syscalls?
● Files
● Devices
● Processes
● Communications
● Time & date
And creating containers

Slide 6

Let’s see some syscalls
strace
Using strace

Slide 7

How do you make a syscall?
Language-specific library
● C - libc
● Golang - syscall package
  func Write(fd int, p []byte) (n int, err error)

Slide 8

No content

Slide 9

Syscall codes
~330 of them

Slide 10

Making a syscall
syscall() saves CPU registers before making the system call, restores the registers upon return from the system call, and stores any error code returned by the system call in errno(3) if an error occurs.

Slide 11

Syscall parameters
x86_64 table from blog.rchapman.org

Slide 12

Syscall in assembler (GNU C library)
ENTRY (syscall)
	movq %rdi, %rax		/* Syscall number -> rax. */
	movq %rsi, %rdi		/* shift arg1 - arg5. */
	movq %rdx, %rsi
	movq %rcx, %rdx
	movq %r8, %r10
	movq %r9, %r8
	movq 8(%rsp),%r9	/* arg6 is on the stack. */
	syscall			/* Do the system call. */
	cmpq $-4095, %rax	/* Check %rax for error. */
	jae SYSCALL_ERROR_LABEL	/* Jump to error handler if error. */
	ret			/* Return to caller. */
PSEUDO_END (syscall)

Slide 13

Transition to kernel
● Execute in privileged mode
● Look up kernel code to run
  ○ syscall code from %rax
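The steps on slides 10, 12 and 13 (syscall number in %rax, arguments in the argument registers, the `syscall` instruction, then the `cmpq $-4095` check that turns a kernel error into -1 plus errno), as an added C example that is not part of the talk: a three-argument re-implementation of the libc syscall() wrapper, used to write through a pipe with raw read/write syscalls and to show the errno path on a bad file descriptor. The inline assembly is x86-64 only and falls back to libc's own syscall() elsewhere; the pipe message is constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example: a three-argument version of glibc's syscall() wrapper (slide 12).
 * x86-64: number in rax, arguments in rdi/rsi/rdx, execute `syscall`, then apply
 * the same test as `cmpq $-4095,%rax; jae SYSCALL_ERROR_LABEL`: a return value
 * in [-4095, -1] is -errno, which the wrapper converts to -1 with errno set.
 * The `syscall` instruction clobbers rcx and r11, so both are declared clobbered.
 * Other architectures use the real libc wrapper instead. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
#if defined(__x86_64__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    if ((unsigned long)ret >= (unsigned long)-4095L) {
        errno = (int)-ret;      /* what SYSCALL_ERROR_LABEL does */
        return -1;
    }
    return ret;
#else
    return syscall(nr, a1, a2, a3);
#endif
}

/* Push a message through a pipe using only raw write/read syscalls.
 * Returns 1 when the bytes come back intact, 0 on any failure. */
int pipe_roundtrip(const char *msg)
{
    int fds[2];
    char buf[64];
    long n = (long)strlen(msg);

    if (n >= (long)sizeof buf || pipe(fds) == -1)
        return 0;
    long w = raw_syscall3(SYS_write, fds[1], (long)msg, n);
    long r = raw_syscall3(SYS_read, fds[0], (long)buf, (long)sizeof buf);
    close(fds[0]);
    close(fds[1]);
    return w == n && r == n && memcmp(buf, msg, (size_t)n) == 0;
}

/* Ask the kernel to write to fd -1: it returns -EBADF in rax and the wrapper
 * turns that into -1 with errno == EBADF. Returns the errno observed. */
int errno_for_bad_fd(void)
{
    errno = 0;
    long r = raw_syscall3(SYS_write, -1, (long)"x", 1);
    return r == -1 ? errno : 0;
}

int main(void)
{
    /* "hello via raw syscall" is a constructed message for the example */
    printf("pipe roundtrip ok: %d\n", pipe_roundtrip("hello via raw syscall"));
    printf("write(-1) errno: %d (EBADF is %d)\n", errno_for_bad_fd(), EBADF);
    return 0;
}
```

Because the error conversion happens in user space, strace shows the call as `write(-1, "x", 1) = -1 EBADF`: the kernel never sees errno, only the negative return value that the wrapper translates.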

Slide 14

Portability
Different CPUs, same approach

Slide 15

vDSO
● Avoid expensive kernel transitions
● Architecture-specific
● Typical: get time, CPU
strace(1) and the vDSO: "When tracing system calls with strace(1), symbols (system calls) that are exported by the vDSO will not appear in the trace output."

Slide 16

Syscalls and seccomp

Slide 17

Seccomp
Restrict the syscalls a process can use
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "name": "accept",
      "action": "SCMP_ACT_ALLOW",
      "args": []
    },
    {
      "name": "accept4",
      "action": "SCMP_ACT_ALLOW",
      "args": []

Slide 18

Seccomp
Can I reboot the host?
...
{
  "names": [ "reboot" ],
  "action": "SCMP_ACT_ALLOW",
  "args": [],
  "comment": "",
  "includes": {
    "caps": [ "CAP_SYS_BOOT" ]
  },
  "excludes": {}
},
...
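What a profile like the ones on slides 17 and 18 becomes once loaded, as an added C example that is not part of the talk: the container runtime compiles the JSON into a classic-BPF program and attaches it with seccomp, and the same program can be written by hand. This filter checks the architecture field first (the "architectures" list), then returns ERRNO(EPERM) for one syscall, getppid, and ALLOW for everything else; getppid is chosen because it otherwise always succeeds, so the filter's effect is unambiguous. The filter is installed in a forked child so the calling process stays unconfined. The AUDIT_ARCH_* mapping covers x86-64 and arm64 only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example: hand-written equivalent of a seccomp profile with one
 * ERRNO entry. The arch check mirrors the "architectures" list: a filter
 * that matches only on syscall number is wrong under a different ABI. */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

static int install_deny_getppid_filter(void)
{
    static struct sock_filter filter[] = {
        /* A = seccomp_data.arch; kill the task if it is not the one we built for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* A = seccomp_data.nr; getppid -> -EPERM (SCMP_ACT_ERRNO), else allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof filter / sizeof filter[0],
        .filter = filter,
    };
    /* Required for an unprivileged process to load a filter; it also stops
     * set-uid binaries from gaining privileges under the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, confine it, and probe getppid from inside. Returns the errno
 * the confined child saw (EPERM when the filter works), 0 if the call
 * unexpectedly succeeded, or -1 if the filter could not be installed. */
int errno_seen_by_confined_child(void)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (install_deny_getppid_filter() == -1)
            _exit(255);
        errno = 0;
        long r = syscall(SYS_getppid);
        _exit(r == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

/* The filter lives in the child only: the caller's own getppid still works. */
int getppid_allowed_here(void)
{
    return syscall(SYS_getppid) >= 0;
}

int main(void)
{
    printf("confined child saw errno %d (EPERM is %d)\n",
           errno_seen_by_confined_child(), EPERM);
    printf("parent still allowed: %d\n", getppid_allowed_here());
    return 0;
}
```

The "includes": {"caps": [...]} clause on slide 18 is resolved by the runtime before the BPF is generated: the reboot entry is only emitted into the filter when the container was started with CAP_SYS_BOOT, so a default container gets EPERM from seccomp before the kernel's own capability check is ever reached.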

Slide 19

Stracing Docker containers

Slide 20

Share PID namespace
docker run -it --pid=container: \
  --cap-add sys_ptrace /bin/bash

Slide 21

So you’ve got your syscalls
● Creating a seccomp profile
● Portability?
  ○ Kernel / architecture
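Slide 21's first step, turning the syscalls you have just straced into a seccomp allow-list, as an added C example that is not part of the talk. It parses constructed lines in strace(1)'s output format (not real captured output), including an `strace -f` line with a `[pid N]` prefix and the non-syscall exit marker, deduplicates the syscall names, and prints them in the profile layout of slide 17 with defaultAction SCMP_ACT_ERRNO. The trace must cover every code path the program can take before the list is trusted, and, as the portability bullet says, the names must be checked against the kernel and architecture the container will actually run on.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 64
#define NAME_LEN 32

/* Constructed trace in strace(1)'s output format (not real captured output). */
static const char SAMPLE_TRACE[] =
    "execve(\"/bin/echo\", [\"echo\", \"hi\"], 0x7ffd3e1c0a40 /* 12 vars */) = 0\n"
    "brk(NULL) = 0x55d2c0a2d000\n"
    "openat(AT_FDCWD, \"/etc/ld.so.cache\", O_RDONLY|O_CLOEXEC) = 3\n"
    "fstat(3, {st_mode=S_IFREG|0644, st_size=27981, ...}) = 0\n"
    "close(3) = 0\n"
    "write(1, \"hi\\n\", 3) = 3\n"
    "[pid  4242] write(1, \"again\\n\", 6) = 6\n"
    "+++ exited with 0 +++\n";

/* Syscall name = identifier at the start of the line (after an optional
 * "[pid N]" prefix) that is immediately followed by '('. Returns 0 for
 * lines that are not syscall records ("+++ exited", "--- SIGCHLD", "<... resumed>"). */
static int parse_syscall_name(const char *line, char *out, size_t out_len)
{
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "[pid", 4) == 0) {
        p = strchr(p, ']');
        if (!p) return 0;
        p++;
        while (*p == ' ') p++;
    }
    size_t n = 0;
    while ((isalnum((unsigned char)p[n]) || p[n] == '_') && n + 1 < out_len) {
        out[n] = p[n];
        n++;
    }
    if (n == 0 || p[n] != '(') return 0;
    out[n] = '\0';
    return 1;
}

/* Collect each distinct syscall name once, in first-seen order. */
int collect_syscall_names(const char *trace, char names[][NAME_LEN], int max_names)
{
    int count = 0;
    const char *line = trace;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256], name[NAME_LEN];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (parse_syscall_name(buf, name, sizeof name)) {
            int seen = 0;
            for (int i = 0; i < count; i++)
                if (strcmp(names[i], name) == 0) { seen = 1; break; }
            if (!seen && count < max_names) strcpy(names[count++], name);
        }
        if (!nl) break;
        line = nl + 1;
    }
    return count;
}

/* Emit the names as a profile in the slide-17 layout; returns bytes written. */
int write_seccomp_profile(FILE *out, char names[][NAME_LEN], int count, const char *arch)
{
    int n = fprintf(out, "{\n  \"defaultAction\": \"SCMP_ACT_ERRNO\",\n"
                         "  \"architectures\": [ \"%s\" ],\n  \"syscalls\": [\n", arch);
    for (int i = 0; i < count; i++)
        n += fprintf(out, "    { \"name\": \"%s\", \"action\": \"SCMP_ACT_ALLOW\", \"args\": [] }%s\n",
                     names[i], i + 1 < count ? "," : "");
    n += fprintf(out, "  ]\n}\n");
    return n;
}

/* Small wrappers so results can be checked without juggling arrays. */
int count_unique_syscalls(const char *trace)
{
    char names[MAX_NAMES][NAME_LEN];
    return collect_syscall_names(trace, names, MAX_NAMES);
}

int nth_syscall_is(const char *trace, int i, const char *expected)
{
    char names[MAX_NAMES][NAME_LEN];
    int n = collect_syscall_names(trace, names, MAX_NAMES);
    return i < n && strcmp(names[i], expected) == 0;
}

int main(void)
{
    char names[MAX_NAMES][NAME_LEN];
    int n = collect_syscall_names(SAMPLE_TRACE, names, MAX_NAMES);
    write_seccomp_profile(stdout, names, n, "SCMP_ARCH_X86_64");
    return 0;
}
```

On the sample this yields six entries (execve, brk, openat, fstat, close, write); the second write from the `[pid 4242]` line is folded into the first. Syscalls that a libc wrapper issues only on some paths (a fallback from one syscall to another when the first returns ENOSYS, for instance) are the usual reason a generated list works on the machine it was traced on and fails elsewhere.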

Slide 22

AppArmor
(Not specifically to do with syscalls)

Slide 23

AppArmor profiles
Define what a program can do
● File access (read, write, execute…)
● Capabilities
● Network access
● ...

Slide 24

Generating AppArmor profiles
● aa-autodep - blank profile
● aa-complain - Generate logs
● aa-logprof - Review logs
● Manual edits?
● Zzzzzzzzz

Slide 25

Typical profile
#include
/usr/sbin/nginx {
  #include
  #include
  #include
  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  /data/www/safe/* r,
  deny /data/www/unsafe/* r,
  /etc/group r,
  /etc/nginx/conf.d/ r,
  /etc/nginx/mime.types r,
  /etc/nginx/nginx.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/ssl/openssl.cnf r,
  /run/nginx.pid rw,
  /usr/sbin/nginx mr,
  /var/log/nginx/access.log w,
  /var/log/nginx/error.log w,
}

Slide 26

Container AppArmor profiles
● Generate profile on host
● Or install apparmor inside container
  ○ Requires --security-opt apparmor:unconfined --cap-add sys_admin

Slide 27

Runtime profiles are HARD

Slide 28

But...
● Can stop unexpected behaviour
● Microservice behaviour is easier to reason about
Powerful with good tooling

Slide 29

Shellshock example

Slide 30

Runtime profile tools

Slide 31

Recap & more info
● How syscalls work
  ○ Tycho’s kernel talk
● Runtime profiles
  ○ Powerful in theory, hard in practice
● More on strace
  ○ Julia Evans strace-zine
  ○ github.com/lizrice/strace-from-scratch

Slide 32

Thank you
Come say hi at Booth G10
@lizrice | @aquasecteam