Rewriting Every Syscall in a Linux Binary at Load Time
16 hours ago
- #system-calls
- #binary-rewriting
- #security
- Binary rewriting at load time replaces syscall instructions with traps to intercept every system call in a Linux binary.
- This approach enables low overhead, full inspection of pointer arguments, and control over return values and syscall emulation.
- It addresses limitations of existing methods like ptrace, seccomp, and eBPF, which lack inspection or modification capabilities.
- The rewriter uses an Instruction Length Decoder to accurately locate and patch syscall opcodes without corrupting other instructions.
- Edge cases like JIT-compiled code are handled by self-healing through the LSTAR MSR: a syscall instruction the rewriter has not yet seen is patched on its first execution.
- The shim, running in a lightweight VM, dispatches intercepted syscalls to enforce policies, emulate, or escalate to the hypervisor.
- This foundation allows arbitrary policy enforcement on untrusted code with near-native performance, ideal for secure execution environments.
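As an added illustration of the patching step described above (written for this summary, not code from the article or its rewriter), the Python sketch below walks a constructed x86-64 code blob with a tiny length decoder that knows only the opcodes in the sample, replaces each genuine `syscall` with a same-length trap, and refuses to guess at anything it cannot decode; the trap bytes and the sample are assumptions, and the contrast with a plain byte search shows why the decoder matters.

```python
SYSCALL = b"\x0f\x05"   # x86-64 `syscall` opcode
TRAP = b"\xcc\x90"      # int3; nop: same-length trap stand-in (assumed, not the article's)
def _modrm_len(code, i):
    # ModRM byte at code[i] plus any SIB byte and displacement it implies.
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return 1
    sib = rm == 4
    no_base = sib and code[i + 1] & 7 == 5      # mod=0 SIB with base=5: disp32
    disp = (4 if rm == 5 or no_base else 0) if mod == 0 else (1 if mod == 1 else 4)
    return 1 + sib + disp

def insn_len(code, i):
    # Length of the instruction at code[i]; only the opcodes used here are known.
    rex = 1 if 0x40 <= code[i] <= 0x4F else 0
    op = code[i + rex]
    if op == 0x0F and code[i + rex + 1] in (0x05, 0x0B):   # syscall, ud2
        return rex + 2
    if 0xB8 <= op <= 0xBF:                                  # mov reg, imm32/imm64
        return rex + 1 + (8 if rex and code[i] & 8 else 4)
    if op in (0x31, 0x89, 0x8B, 0x8D):                      # xor/mov/lea with ModRM
        return rex + 1 + _modrm_len(code, i + rex + 1)
    if op in (0x90, 0xC3, 0xCC):                            # nop, ret, int3
        return rex + 1
    if op in (0xE8, 0xE9):                                  # call/jmp rel32
        return rex + 5
    raise ValueError(f"unknown opcode {op:#04x} at offset {i}: refusing to guess")

def find_syscalls(code):
    # Walk instruction boundaries so 0f 05 inside an immediate is never matched.
    found, i = [], 0
    while i < len(code):
        if code[i:i + 2] == SYSCALL:
            found.append(i)
        i += insn_len(code, i)
    return found

def naive_offsets(code):
    # What a plain byte search reports, including bytes inside other instructions.
    return [i for i in range(len(code) - 1) if code[i:i + 2] == SYSCALL]

def rewrite(code):
    # Copy of the code with every genuine syscall replaced by the trap.
    out = bytearray(code)
    for off in find_syscalls(code):
        out[off:off + 2] = TRAP
    return bytes(out)
# Constructed sample: xor rax,rax; mov eax,0x50f; mov rdi,rax; syscall;
# mov eax,60; syscall; ret.  The immediate 0x50f encodes as the bytes 0f 05.
SAMPLE = bytes.fromhex("48 31 c0 b8 0f 05 00 00 48 89 c7 0f 05 b8 3c 00 00 00 0f 05 c3")
```

The byte search reports offset 4 as well, which lies inside the `mov eax, 0x50f` immediate; patching there would silently corrupt that instruction, which is exactly what the length decoder prevents.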