What Have Syscalls Done for you Lately?
2 likes397 views
Liz Rice discusses system calls (syscalls), their role in managing resources like files and processes, and their importance in container security through seccomp. She explains how syscalls interact with the kernel and demonstrates the process of creating seccomp profiles to restrict syscall usage for enhanced security. Additionally, the document covers tools like strace and AppArmor for monitoring and managing syscall behavior in applications.
![How do you make a syscall?
Language-specific library
● C - libc
● Golang - syscall package
func Write(fd int, p []byte) (n int, err error)](https://image.slidesharecdn.com/jpt8dzzoqt2yyyvauj9x-signature-76a2b8b00f2c637591e165d53be3c358bdf8c2d91f80c46237cb5f85f8a53dbb-poli-171025034013/85/What-Have-Syscalls-Done-for-you-Lately-7-320.jpg)
![Seccomp
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "accept",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "accept4",
"action": "SCMP_ACT_ALLOW",
"args": []
Restrict the
syscalls a
process can
use](https://image.slidesharecdn.com/jpt8dzzoqt2yyyvauj9x-signature-76a2b8b00f2c637591e165d53be3c358bdf8c2d91f80c46237cb5f85f8a53dbb-poli-171025034013/85/What-Have-Syscalls-Done-for-you-Lately-18-320.jpg)
![Seccomp
...
{
"names": [
"reboot"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_BOOT"
]
},
"excludes": {}
},
...
Can I reboot
the host?](https://image.slidesharecdn.com/jpt8dzzoqt2yyyvauj9x-signature-76a2b8b00f2c637591e165d53be3c358bdf8c2d91f80c46237cb5f85f8a53dbb-poli-171025034013/85/What-Have-Syscalls-Done-for-you-Lately-19-320.jpg)
What Have Syscalls Done for you Lately?
- 1. What have syscalls done for you lately? Liz Rice @lizrice Aqua Security
- 2. Agenda ● What are syscalls? ● Syscalls, seccomp & containers ● Shellshock exploit
- 3. What is a syscall?
- 5. When do you need syscalls? ● Files ● Devices ● Processes ● Communications ● Time & date And creating containers
- 6. Let’s see some syscalls strace Using strace
- 7. How do you make a syscall? Language-specific library ● C - libc ● Golang - syscall package func Write(fd int, p []byte) (n int, err error)
- 9. ~ 330 of them Syscall codes
- 10. syscall() saves CPU registers before making the system call, restores the registers upon return from the system call, and stores any error code returned by the system call in errno(3) if an error occurs. Making a syscall
- 11. Syscall parameters x86 64 table from blog.rchapman.org
- 12. ENTRY (syscall) movq %rdi, %rax /* Syscall number -> rax. */ movq %rsi, %rdi /* shift arg1 - arg5. */ movq %rdx, %rsi movq %rcx, %rdx movq %r8, %r10 movq %r9, %r8 movq 8(%rsp),%r9 /* arg6 is on the stack. */ Syscall /* Do the system call. */ cmpq $-4095, %rax /* Check %rax for error. */ jae SYSCALL_ERROR_LABEL /* Jump to error handler if error. */ Ret /* Return to caller. */ PSEUDO_END (syscall) Syscall in assembler GNU C library
- 13. Transition to kernel ● Execute in privileged mode ● Look up kernel code to run ○ syscall code from %rax
- 15. vDSO ● Avoid expensive kernel transitions ● Architecture-specific ● Typical: get time, CPU
- 16. strace(1) and the vDSO When tracing systems calls with strace(1), symbols (system calls) that are exported by the vDSO will not appear in the trace output.
- 18. Seccomp { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], "syscalls": [ { "name": "accept", "action": "SCMP_ACT_ALLOW", "args": [] }, { "name": "accept4", "action": "SCMP_ACT_ALLOW", "args": [] Restrict the syscalls a process can use
- 19. Seccomp ... { "names": [ "reboot" ], "action": "SCMP_ACT_ALLOW", "args": [], "comment": "", "includes": { "caps": [ "CAP_SYS_BOOT" ] }, "excludes": {} }, ... Can I reboot the host?
- 21. Share PID namespace docker run -it --pid=container:<target> --cap-add sys_ptrace <image_w_strace> /bin/bash
- 22. So you’ve got your syscalls ● Creating a seccomp profile ● Portability? ○ Kernel / architecture
- 23. AppArmor (Not specifically to do with syscalls)
- 24. AppArmor profiles Define what a program can do ● File access (read, write, execute…) ● Capabilities ● Network access ● ...
- 25. Generating AppArmor profiles ● aa-autodep - blank profile ● aa-complain - Generate logs ● aa-logprof - Review logs ● Manual edits? ● Zzzzzzzzz
- 26. #include <tunables/global> /usr/sbin/nginx { #include <abstractions/apache2-common> #include <abstractions/base> #include <abstractions/nis> capability dac_override, capability dac_read_search, capability net_bind_service, capability setgid, capability setuid, /data/www/safe/* r, deny /data/www/unsafe/* r, /etc/group r, /etc/nginx/conf.d/ r, /etc/nginx/mime.types r, /etc/nginx/nginx.conf r, /etc/nsswitch.conf r, /etc/passwd r, /etc/ssl/openssl.cnf r, /run/nginx.pid rw, /usr/sbin/nginx mr, /var/log/nginx/access.log w, /var/log/nginx/error.log w, } Typical profile
- 27. Container AppArmor profiles ● Generate profile on host ● Or install apparmor inside container ○ Requires --security-opt apparmor:unconfined --cap-add sys_admin
- 28. Runtime profiles are HARD
- 29. But... ● Can stop unexpected behaviour ● Microservice behaviour is easier to reason about Powerful with good tooling
- 32. Recap & more info ● How syscalls work ○ Tycho’s kernel talk ● Runtime profiles ○ Powerful in theory, hard in practice ● More on strace ○ Julia Evans strace-zine ○ github.com/lizrice/strace-from-scratch
- 33. Thank you Come say hi at Booth G10 @lizrice | @aquasecteam