Saved in:
Bibliographic Details
Main Authors: Zhan, Dongyang, Yu, Zhaofeng, Yu, Xiangzhan, Zhang, Hongli, Ye, Lin
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2510.03720
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909825338703872
author Zhan, Dongyang
Yu, Zhaofeng
Yu, Xiangzhan
Zhang, Hongli
Ye, Lin
author_facet Zhan, Dongyang
Yu, Zhaofeng
Yu, Xiangzhan
Zhang, Hongli
Ye, Lin
contents Linux Seccomp is widely used by the program developers and the system maintainers to secure the operating systems, which can block unused syscalls for different applications and containers to shrink the attack surface of the operating systems. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker containers block about only 50 syscalls by default, and lots of unblocked useless syscalls introduce a big kernel attack surface. To obtain the dependent syscalls, dynamic tracking is a straight-forward approach but it cannot get the full syscall list. Static analysis can construct an over-approximated syscall list, but the list contains many false positives. In this paper, a systematic dependent syscall analysis approach, sysverify, is proposed by combining static analysis and dynamic verification together to shrink the kernel attack surface. The semantic gap between the binary executables and syscalls is bridged by analyzing the binary and the source code, which builds the mapping between the library APIs and syscalls systematically. To further reduce the attack surface at best effort, we propose a dynamic verification approach to intercept and analyze the security of the invocations of indirect-call-related or rarely invoked syscalls with low overhead.
format Preprint
id arxiv_https___arxiv_org_abs_2510_03720
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation
Zhan, Dongyang
Yu, Zhaofeng
Yu, Xiangzhan
Zhang, Hongli
Ye, Lin
Cryptography and Security
Linux Seccomp is widely used by the program developers and the system maintainers to secure the operating systems, which can block unused syscalls for different applications and containers to shrink the attack surface of the operating systems. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker containers block about only 50 syscalls by default, and lots of unblocked useless syscalls introduce a big kernel attack surface. To obtain the dependent syscalls, dynamic tracking is a straight-forward approach but it cannot get the full syscall list. Static analysis can construct an over-approximated syscall list, but the list contains many false positives. In this paper, a systematic dependent syscall analysis approach, sysverify, is proposed by combining static analysis and dynamic verification together to shrink the kernel attack surface. The semantic gap between the binary executables and syscalls is bridged by analyzing the binary and the source code, which builds the mapping between the library APIs and syscalls systematically. To further reduce the attack surface at best effort, we propose a dynamic verification approach to intercept and analyze the security of the invocations of indirect-call-related or rarely invoked syscalls with low overhead.
title Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation
topic Cryptography and Security
url https://arxiv.org/abs/2510.03720