Safer Seccomp: Dead Syscalls Elimination - Yuan Tan & Siqi Fan, Lanzhou University; Xiao Liu, Yunnan University
Restricting system calls can significantly reduce the attack surface. However, solutions like seccomp can be bypassed (CVE-2009-0835, CVE-2019-2054, CVE-2023-2431, etc.). If unused syscalls can be eliminated at the config level and at compile time, the attack surface can be fundamentally controlled.
However, the widespread use of .pushsection in kernel code prevents the linker from performing code garbage collection. The associated KEEP() directive also causes an ownership-reversal problem: sections that should be discarded are retained instead, leaving more unused code available for potential exploitation by attackers.
By systematically reworking the .pushsection directive, we propose dead syscalls elimination. Once the syscalls to be retained are specified, it removes the code of all other syscalls without affecting the normal operation of the kernel. Attackers cannot exploit something that does not exist. This not only reduces the kernel size and eliminates the overhead of seccomp, but also completely eradicates the possibility of exploiting the removed syscalls.
Moreover, the approach of eliminating the KEEP() directive can be generalized, further reducing the kernel's dead code and shrinking the attack surface.
Contributors: Tan Yuan, Fan Siqi, Liu Xiao, Wu Zhangjin, Liu Xin