Slide 1

Slide 1 text

A Go programmer’s guide to syscalls
Liz Rice @LizRice | @AquaSecTeam
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Slide 2

Slide 2 text

Syscalls
■ What are syscalls?
■ How syscalls work
■ Fun with ptrace
■ Syscalls and security
@lizrice

Slide 3

Slide 3 text


Slide 4

Slide 4 text

What do you need syscalls for?
■ Files
■ Devices
■ Processes
■ Communications
■ Time & date
See them with strace

Slide 5

Slide 5 text


Slide 6

Slide 6 text

Golang syscall package
■ OS-specific files
  ■ e.g. https://golang.org/src/syscall/syscall_linux.go
■ Autogenerated files
  ■ e.g. https://golang.org/src/syscall/zsyscall_linux_386.go

Slide 7

Slide 7 text


Slide 8

Slide 8 text

Syscall codes

Slide 9

Slide 9 text

Making a syscall

Slide 10

Slide 10 text

Making a syscall
■ Set registers up with the syscall number (%rax on x86-64) and the parameters
■ Trap: transition to the kernel, run the syscall code
■ Result returned in %rax (x86-64); a value in the range -4095..-1 is a negated errno
(x86-64 table from blog.rchapman.org)

Slide 11

Slide 11 text

Making a syscall
■ Different architectures, same approach
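The register convention the last few slides describe, as an added example (this is not code from the talk or from the lizrice repository): getpid, write and read are made by hand with the Go syscall package's Syscall and RawSyscall, which load the syscall number and up to three arguments into registers, execute the trap, and hand back %rax, turning a result in -4095..-1 into a non-zero Errno. The pipe helper and the message it carries are constructed for the demonstration; the code assumes Linux.

```go
//go:build linux

package main

import (
	"fmt"
	"os"
	"syscall"
	"unsafe"
)

// rawGetpid is getpid(2) made by hand. RawSyscall puts the syscall number in
// %rax (on x86-64), the three arguments in %rdi, %rsi and %rdx, executes the
// SYSCALL instruction and returns what the kernel left in %rax. RawSyscall does
// not tell the Go scheduler that it may block, which is fine for getpid;
// syscall.Syscall (used below) does, and is the right choice for calls that
// can sleep, such as read on an empty pipe.
func rawGetpid() int {
	r1, _, _ := syscall.RawSyscall(syscall.SYS_GETPID, 0, 0, 0)
	return int(r1)
}

// rawWrite is write(2): fd in %rdi, buffer address in %rsi, length in %rdx.
// The kernel returns the byte count in %rax, or a value in -4095..-1 that the
// syscall package converts into a non-zero Errno.
func rawWrite(fd int, p []byte) (int, error) {
	if len(p) == 0 {
		return 0, nil
	}
	n, _, errno := syscall.Syscall(syscall.SYS_WRITE, uintptr(fd),
		uintptr(unsafe.Pointer(&p[0])), uintptr(len(p)))
	if errno != 0 {
		return 0, errno
	}
	return int(n), nil
}

// rawRead is read(2) with the same register layout as rawWrite.
func rawRead(fd int, p []byte) (int, error) {
	n, _, errno := syscall.Syscall(syscall.SYS_READ, uintptr(fd),
		uintptr(unsafe.Pointer(&p[0])), uintptr(len(p)))
	if errno != 0 {
		return 0, errno
	}
	return int(n), nil
}

// pipeRoundTrip pushes msg through a pipe using only the hand-made syscalls
// above, so every kernel transition is one we set up ourselves. Running this
// under "strace -e trace=write,read" shows exactly these two calls.
func pipeRoundTrip(msg string) (string, error) {
	var fds [2]int
	if err := syscall.Pipe(fds[:]); err != nil {
		return "", err
	}
	defer syscall.Close(fds[0])
	defer syscall.Close(fds[1])

	if _, err := rawWrite(fds[1], []byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, 4096)
	n, err := rawRead(fds[0], buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	fmt.Printf("getpid via raw syscall: %d, via os.Getpid: %d\n", rawGetpid(), os.Getpid())
	got, err := pipeRoundTrip("hello from the kernel") // constructed message
	fmt.Printf("pipe round trip: %q (err=%v)\n", got, err)
	// Writing to an invalid descriptor shows the errno path: the kernel returns
	// -EBADF in %rax and the syscall package hands it back as syscall.EBADF.
	_, err = rawWrite(-1, []byte("x"))
	fmt.Printf("write to fd -1: %v\n", err)
}
```

The same program works unchanged on arm64 or any other Linux architecture: the syscall numbers and register names differ, but the Go syscall package hides that behind the same three-argument call, which is the "different architectures, same approach" point above.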

Slide 12

Slide 12 text

Syscalls as a portability layer
■ Implement the syscall interface = emulate Linux
■ It is just one syscall function, so a subset of the syscalls can be implemented
■ Bash shell on Windows (Windows Subsystem for Linux)

Slide 13

Slide 13 text

What syscalls are being called?
■ Linux strace
■ strace -c for a summary

Slide 14

Slide 14 text

ptrace
The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing. (ptrace(2) man page)

Slide 15

Slide 15 text

ptrace

Slide 16

Slide 16 text

ptrace

Slide 17

Slide 17 text

Let’s build our own strace! With hat tips to @mlowicki and @nelhage

Slide 18

Slide 18 text

Catching system calls with ptrace
■ PTRACE_SYSCALL: Restart the stopped tracee ... but arrange for the tracee to be stopped at the next entry to or exit from a system call
■ From the tracer's perspective, the tracee will appear to have been stopped by receipt of a SIGTRAP

Slide 19

Slide 19 text

Two stops for PTRACE_SYSCALL
■ The tracee enters syscall-enter-stop just prior to entering any system call … the tracee enters syscall-exit-stop when the system call is finished
■ Syscall-enter-stop and syscall-exit-stop are indistinguishable from each other by the tracer
■ The tracer needs to keep track of the sequence of ptrace-stops
■ PTRACE_O_TRACESYSGOOD makes the kernel report syscall stops as SIGTRAP|0x80, so they cannot be mistaken for a real SIGTRAP in the tracee, but it still does not tell entry from exit
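A minimal strace built from the two previous slides, as an added example rather than the code from the talk or from the lizrice repository: fork a child that does PTRACE_TRACEME before execve, catch its post-exec SIGTRAP, then loop on PTRACE_SYSCALL and wait4, keeping the enter/exit parity by hand and reading orig_rax at every enter-stop. The code assumes Linux on x86-64 (orig_rax is an amd64 register) and, in main, a program to trace given on the command line; the counting and summary are this example's own design.

```go
//go:build linux && amd64

package main

import (
	"fmt"
	"os"
	"runtime"
	"sort"
	"syscall"
)

// traceSyscalls runs path under ptrace and returns how many times each syscall
// number was entered, keyed by the orig_rax register read at syscall-enter-stop.
// Enter and exit stops look identical to the tracer, so the parity is tracked here.
func traceSyscalls(path string, args ...string) (map[uint64]int, error) {
	// ptrace requests are only accepted from the tracer thread, and the tracer
	// is whichever thread forked the child, so pin this goroutine to one thread.
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()

	// Ptrace: true makes the child call PTRACE_TRACEME just before execve, so it
	// stops with SIGTRAP as soon as the new program has been loaded.
	pid, err := syscall.ForkExec(path, append([]string{path}, args...), &syscall.ProcAttr{
		Env:   os.Environ(),
		Files: []uintptr{0, 1, 2},
		Sys:   &syscall.SysProcAttr{Ptrace: true},
	})
	if err != nil {
		return nil, err
	}

	var ws syscall.WaitStatus
	if _, err := syscall.Wait4(pid, &ws, 0, nil); err != nil {
		return nil, err
	}
	if !ws.Stopped() {
		return nil, fmt.Errorf("expected the post-exec stop, got status %#x", ws)
	}
	// Report syscall stops as SIGTRAP|0x80 so a genuine SIGTRAP in the tracee
	// (a breakpoint, say) cannot be mistaken for one.
	if err := syscall.PtraceSetOptions(pid, syscall.PTRACE_O_TRACESYSGOOD); err != nil {
		return nil, err
	}

	counts := make(map[uint64]int)
	entering := true // the first syscall stop after the exec stop is an enter-stop
	sig := 0         // signal to deliver to the tracee when resuming it
	var regs syscall.PtraceRegs
	for {
		// PTRACE_SYSCALL: resume, and stop at the next syscall entry or exit.
		if err := syscall.PtraceSyscall(pid, sig); err != nil {
			return nil, err
		}
		sig = 0
		if _, err := syscall.Wait4(pid, &ws, 0, nil); err != nil {
			return nil, err
		}
		if ws.Exited() || ws.Signaled() {
			break
		}
		if !ws.Stopped() {
			continue
		}
		if ws.StopSignal() != (syscall.SIGTRAP | 0x80) {
			// A real signal arrived, not a syscall stop: pass it on unchanged
			// and leave the enter/exit parity alone.
			sig = int(ws.StopSignal())
			continue
		}
		if entering {
			if err := syscall.PtraceGetRegs(pid, &regs); err != nil {
				return nil, err
			}
			counts[regs.Orig_rax]++ // orig_rax is the syscall number; rax already holds -ENOSYS here
		}
		entering = !entering
	}
	return counts, nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: mini-strace PROGRAM [ARGS...]")
		os.Exit(2)
	}
	counts, err := traceSyscalls(os.Args[1], os.Args[2:]...)
	if err != nil {
		fmt.Fprintln(os.Stderr, "trace failed:", err)
		os.Exit(1)
	}
	// A summary in the spirit of strace -c: call count per syscall number.
	nrs := make([]uint64, 0, len(counts))
	for nr := range counts {
		nrs = append(nrs, nr)
	}
	sort.Slice(nrs, func(i, j int) bool { return counts[nrs[i]] > counts[nrs[j]] })
	for _, nr := range nrs {
		fmt.Printf("%6d calls  syscall %d\n", counts[nr], nr)
	}
}
```

Two details matter in practice: the tracer must stay on the thread that forked the child (hence LockOSThread), and a signal-delivery-stop can land between an exit-stop and the next enter-stop, so it must be forwarded without flipping the parity, otherwise every later syscall is counted at the wrong stop.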

Slide 20

Slide 20 text

Syscalls and security

Slide 21

Slide 21 text

Security profiles & microservices
■ A microservice only performs a small set of functions
■ “Least privilege”: permit only the syscalls it actually needs

Slide 22

Slide 22 text

Security profiles & microservices
■ Seccomp restricts permitted syscalls
$ docker run \
    --security-opt seccomp=/path/sc_profile.json hello-world
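What a seccomp profile turns into underneath, as an added example (not from the talk or from the lizrice repository): the container runtime compiles the JSON profile into a classic-BPF program over struct seccomp_data and loads it with prctl(PR_SET_SECCOMP), and this block does the same by hand from Go, with no libseccomp. The filter here is a deny-list that fails mkdir and mkdirat with EPERM (the directory name it tries is constructed for the demo, the constant names are this example's own, and the kernel ABI values are spelled out because the Go syscall package does not export them); a real container profile allow-lists instead, which is why the lead-in for the check below also explains why a Go process cannot safely allow-list itself. Assumes Linux on x86-64.

```go
//go:build linux && amd64

package main

import (
	"fmt"
	"runtime"
	"syscall"
	"unsafe"
)

// Kernel ABI values from <linux/prctl.h>, <linux/seccomp.h>, <linux/filter.h>
// and <linux/audit.h>; the Go syscall package exports none of the seccomp ones,
// so they are defined here (constant names are this example's own).
const (
	prSetSeccomp          = 22
	prSetNoNewPrivs       = 38
	seccompModeFilter     = 2
	seccompRetKillProcess = 0x80000000
	seccompRetErrno       = 0x00050000 // low 16 bits carry the errno to return
	seccompRetAllow       = 0x7fff0000
	auditArchX86_64       = 0xc000003e

	bpfLD  = 0x00
	bpfW   = 0x00
	bpfABS = 0x20
	bpfJMP = 0x05
	bpfJEQ = 0x10
	bpfK   = 0x00
	bpfRET = 0x06
)

func stmt(code uint16, k uint32) syscall.SockFilter { return syscall.SockFilter{Code: code, K: k} }
func jump(code uint16, k uint32, jt, jf uint8) syscall.SockFilter {
	return syscall.SockFilter{Code: code, Jt: jt, Jf: jf, K: k}
}

// denyFilter builds a BPF program over struct seccomp_data (nr at offset 0,
// arch at offset 4) that fails the listed syscall numbers with the given errno
// and allows everything else. A container profile normally allow-lists instead,
// but a Go process needs a long list of syscalls just to run its own scheduler,
// so a deny-list keeps this demonstration from killing itself.
func denyFilter(denied map[int]syscall.Errno) []syscall.SockFilter {
	prog := []syscall.SockFilter{
		stmt(bpfLD|bpfW|bpfABS, 4),                      // A = arch
		jump(bpfJMP|bpfJEQ|bpfK, auditArchX86_64, 1, 0), // native x86-64 ABI? skip the kill
		stmt(bpfRET|bpfK, seccompRetKillProcess),        // x32 / int 0x80 use different numbers
		stmt(bpfLD|bpfW|bpfABS, 0),                      // A = nr
	}
	for nr, errno := range denied {
		prog = append(prog,
			jump(bpfJMP|bpfJEQ|bpfK, uint32(nr), 0, 1), // match: fall through; else skip the return
			stmt(bpfRET|bpfK, seccompRetErrno|(uint32(errno)&0xffff)),
		)
	}
	return append(prog, stmt(bpfRET|bpfK, seccompRetAllow))
}

// installFilter loads prog for the calling thread only (no TSYNC), which is why
// callers pin themselves to an OS thread first. A loaded filter cannot be removed.
func installFilter(prog []syscall.SockFilter) error {
	// Unprivileged processes must set no_new_privs first, so a filter cannot be
	// used to confuse a later setuid execve.
	if _, _, e := syscall.RawSyscall6(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0, 0, 0, 0); e != 0 {
		return fmt.Errorf("PR_SET_NO_NEW_PRIVS: %w", e)
	}
	fprog := syscall.SockFprog{Len: uint16(len(prog)), Filter: &prog[0]}
	if _, _, e := syscall.RawSyscall6(syscall.SYS_PRCTL, prSetSeccomp, seccompModeFilter,
		uintptr(unsafe.Pointer(&fprog)), 0, 0, 0); e != 0 {
		return fmt.Errorf("PR_SET_SECCOMP: %w", e)
	}
	return nil
}

// demoDenyMkdir blocks mkdir and mkdirat (Go implements syscall.Mkdir with
// mkdirat) and reports the errno a following Mkdir receives, or 0 if the call
// unexpectedly went through. The goroutine stays locked to its thread because
// the filter is permanent; the runtime discards the thread when the goroutine ends.
func demoDenyMkdir() (syscall.Errno, error) {
	runtime.LockOSThread()
	prog := denyFilter(map[int]syscall.Errno{
		syscall.SYS_MKDIR:   syscall.EPERM,
		syscall.SYS_MKDIRAT: syscall.EPERM,
	})
	if err := installFilter(prog); err != nil {
		return 0, err
	}
	const path = "/tmp/seccomp-demo-should-never-exist" // constructed for the demo
	err := syscall.Mkdir(path, 0o700)
	if err == nil {
		syscall.Rmdir(path) // the filter did not bite; tidy up
		return 0, nil
	}
	errno, _ := err.(syscall.Errno)
	return errno, nil
}

func main() {
	errno, err := demoDenyMkdir()
	if err != nil {
		fmt.Println("could not install the filter:", err)
		return
	}
	fmt.Printf("mkdir under the seccomp filter: errno %d (%v)\n", int(errno), errno)
}
```

Applying a filter to every thread of an existing process needs the seccomp(2) syscall with SECCOMP_FILTER_FLAG_TSYNC rather than prctl; a container runtime sidesteps the whole problem by loading the profile in the single-threaded child before it execs the workload, which is why the docker run flag above can safely use an allow-list.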

Slide 23

Slide 23 text

Security profiles and containers

Slide 24

Slide 24 text

Let’s try it!

Slide 25

Slide 25 text

Syscalls
■ Your interface into the kernel
  ■ even if you’re not using them directly
■ Portability
  ■ running Linux on different hardware
  ■ emulation
■ Strace and ptrace
  ■ see / manipulate syscalls
■ Security
  ■ limiting which syscalls are permitted

Slide 26

Slide 26 text

Code will be at github.com/lizrice/strace-from-scratch
@LizRice | @AquaSecTeam