Slide 1

Slide 1 text

A beginner’s guide to syscalls
Liz Rice
@LizRice | @AquaSecTeam
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Slide 2

Slide 2 text

Syscalls
■ What are syscalls?
■ How do they work?
■ Security and syscalls
■ A question answered with syscalls

Slide 3

Slide 3 text

3

Slide 4

Slide 4 text

What do you need syscalls for?
■ Processes
■ Files
■ Devices
■ Communications
■ Time & date
See them with strace

Slide 5

Slide 5 text

Library functions - libc
■ Standard C library
■ basic C functions
■ wraps system calls (only kernel can execute)
■ On Linux, it’s the GNU C Library, aka glibc
■ libc.so.6 tells us it’s glibc

Slide 6

Slide 6 text

Syscalls all look the same

    long syscall(long number, ...)

■ Syscall code as identifier
■ Parameters depending on syscall

    rc = syscall(SYS_chmod, "/etc/passwd", 0444);

Slide 7

Slide 7 text

Syscall codes

Slide 8

Slide 8 text

Making a syscall

Slide 9

Slide 9 text

Making a syscall
■ Set registers up with syscall ID and parameters
■ Trigger an interrupt - transition to kernel - run syscall code
■ Result returned in %rax (x86)
x86_64 table from blog.rchapman.org

Slide 10

Slide 10 text

Making a syscall
■ Different architectures, same approach

Slide 11

Slide 11 text

Syscalls as a portability layer
■ Implement syscalls interface = emulate Linux
■ Bash shell on Windows

Slide 12

Slide 12 text

Syscalls and security

Slide 13

Slide 13 text

Limiting syscalls with seccomp
■ Restrict which syscalls this process can call
■ Uses a BPF
Check it’s configured in your kernel:

    cat /boot/config-`uname -r` | grep CONFIG_SECCOMP

Slide 14

Slide 14 text

Limiting syscalls with seccomp in Go
Install libraries for manipulating seccomp filters

    apt install libseccomp-dev

And the Golang package

    go get github.com/seccomp/libseccomp-golang

Slide 15

Slide 15 text

Security profiles and containers
■ Microservice in container only performs small set of functions
■ “Least privilege”

Slide 16

Slide 16 text

Security profiles and containers
■ Seccomp

    $ docker run \
        --security-opt seccomp=/path/sc_profile.json hello-world

■ AppArmor

    $ docker run \
        --security-opt apparmor=/path/aa_profile.json hello-world

Slide 17

Slide 17 text

Security profiles and containers

Slide 18

Slide 18 text

A question answered with syscalls

Slide 19

Slide 19 text

Syscalls
■ Your interface into the kernel
■ even if you’re not using them directly
■ Portability
■ running Linux on different hardware
■ emulation
■ Security
■ limiting which syscalls are permitted

Slide 20

Slide 20 text

Questions?
Liz Rice