Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Limiting syscall access for a Linux application

Tags:

linux

security

linux-kernel

hook

system-calls

Assume a Linux binary foobar which has two different modes of operation:

  • Mode A: A well-behaved mode in which syscalls a, b and c are used.
  • Mode B: A things-gone-wrong mode in which syscalls a, b, c and d are used.

Syscalls a, b and c are harmless, whereas syscall d is potentially dangerous and could cause instability to the machine.

Assume further that which of the two modes the application runs is random: the application runs in mode A with probability 95 % and in mode B with probability 5 %. The application comes without source code so it cannot be modified, only run as-is.

I want to make sure that the application cannot execute syscall d. When executing syscall d the result should be either a NOOP or an immediate termination of the application.

How do I achieve that in a Linux environment?

like image 862
knorv Avatar asked Jan 27 '10 10:01

knorv

People also ask

What does syscall do in Linux?

As the name suggests, syscalls are system calls, and they're the way that you can make requests from user space into the Linux kernel. The kernel does some work for you, like creating a process, then hands control back to user space.

What is Linux Seccomp?

Secure computing mode ( seccomp ) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.

What is syscall hooking?

Hooking a system call means that you are able to manipulate data sent from userland applications to the operating system (OS) and vice versa. This means that you can hide things from applications running on the OS and influence their behaviour.

1 Answers

Is the application linked statically?

If not, you may override some symbols, for example, let's redefine socket:

int socket(int domain, int type, int protocol)
{
        write(1,"Error\n",6);
        return -1;
}

Then build a shared library:

gcc -fPIC -shared test.c -o libtest.so

Let's run:

nc -l -p 6000

Ok.

And now:

$ LD_PRELOAD=./libtest.so nc -l -p 6000
Error
Can't get socket

What happens when you run with variable LD_PRELOAD=./libtest.so? It overrides with symbols defined in libtest.so over those defined in the C library.

like image 153
Artyom Avatar answered Oct 11 '22 16:10

Artyom
Sign in to Comment

Related questions

Making a 3d text editor in c++
Why is gcc using jmp to call a function in the optimized version
C++ compiles but gives error when executed
concatenate inputs in bash script [duplicate]
How to autoload a kernel module in Gentoo Linux? [closed]
How do I compile a static library
cd.. command does not work [closed]
Issues while connecting psql
What is the benefit of Docker container for a memcached instance?
Get last parameter on shell script [duplicate]
kill remote process by ssh [closed]
quantal (12.10) ubuntu repos
How do I package a Go program so that it is self sufficient?
bash: Iterating over members of a JSON array selected by index
How to use gtalk/hangout on ubuntu terminal? [closed]
I cannot clone git tree
webpack --watch exits after building once
Portable shared objects?
How to list all subdirectories in a given directory in C?
What is the easiest x86 Embedded Linux? [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!