Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation
Dongyang Zhan, Zhaofeng Yu, Xiangzhan Yu, Hongli Zhang, Lin Ye
TL;DR
Sysverify addresses the challenge of automatically shrinking the Linux kernel attack surface in containers by pairing systematic static analysis of binaries and dependent libraries with runtime dynamic verification. It constructs an over-approximate API-to-syscall mapping from direct and indirect call graphs, generates Seccomp profiles, and then verifies indirect-call-related and rarely invoked syscalls at run time via a kernel-hooking verification module. The approach yields substantial reductions in accessible syscalls (averaging hundreds fewer per program) and mitigates CVEs associated with syscalls, all with modest overhead (~1%). The combination of binary-focused direct graph analysis, source-code-informed indirect-call analysis, and targeted dynamic checks offers a practical, developer-agnostic path to tighter container security and broader Seccomp deployment. The work also outlines extension opportunities to additional language ecosystems and VM-based containers as future directions.
Abstract
Linux Seccomp is widely used by the program developers and the system maintainers to secure the operating systems, which can block unused syscalls for different applications and containers to shrink the attack surface of the operating systems. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker containers block about only 50 syscalls by default, and lots of unblocked useless syscalls introduce a big kernel attack surface. To obtain the dependent syscalls, dynamic tracking is a straight-forward approach but it cannot get the full syscall list. Static analysis can construct an over-approximated syscall list, but the list contains many false positives. In this paper, a systematic dependent syscall analysis approach, sysverify, is proposed by combining static analysis and dynamic verification together to shrink the kernel attack surface. The semantic gap between the binary executables and syscalls is bridged by analyzing the binary and the source code, which builds the mapping between the library APIs and syscalls systematically. To further reduce the attack surface at best effort, we propose a dynamic verification approach to intercept and analyze the security of the invocations of indirect-call-related or rarely invoked syscalls with low overhead.