Securing Operating Systems Through Fine-grained Kernel Access Limitation for IoT Systems

Dongyang Zhan, Zhaofeng Yu, Xiangzhan Yu, Hongli Zhang, Lin Ye, Likun Liu

TL;DR

The paper tackles securing IoT operating systems with low overhead by reducing the kernel attack surface through fine-grained Seccomp policies. It introduces a static dependent syscall analysis that maps dynamic library APIs to syscalls and, via backward taint analysis and symbolic execution, links API arguments to syscall arguments. The approach yields a best-effort Seccomp configuration that blocks unused syscalls and restricts critical arguments, mitigating CVEs with acceptable performance overhead on ARM-based IoT devices. This work enables practical, low-overhead kernel protection for embedded systems without requiring extensive developer intervention, and it lays groundwork for extending to containers and other platforms.

Abstract

With the development of the Internet of Things (IoT), it is gaining a lot of attention. It is important to secure embedded systems with low overhead. Linux Seccomp is widely used by developers to secure kernels by blocking access to unused syscalls, which introduces little overhead. However, there are no systematic Seccomp configuration approaches for IoT applications that work without the help of developers. In addition, the existing Seccomp configuration approaches are coarse-grained and cannot analyze or limit syscall arguments. In this paper, a novel static dependent syscall analysis approach for embedded applications is proposed, which can obtain all of the possible dependent syscalls and the corresponding arguments of the target applications. So, a fine-grained kernel access limitation can be performed for IoT applications. To this end, the mappings between dynamic library APIs and syscalls, along with their arguments, are built by analyzing the control flow graphs and the data dependency relationships of the dynamic libraries. To the best of our knowledge, this is the first work to generate a fine-grained Seccomp profile for embedded applications.

Paper Structure

This paper contains 31 sections, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Comparison of invoked kernel functions of syscalls with different arguments.
  • Figure 2: The workflow of our system. ① The library source code is fed into the mapping construction module. ② The CFG Analysis module outputs the function call graph of the library. ③ By identifying the syscall and API points in the call graph, the mapping between APIs and syscalls can be constructed. ④ The backward taint analysis is used to find out the data sources of each syscall argument. ⑤ The data dependency graph is constructed during the taint analysis. ⑥ The symbolic execution is employed to analyze how the conditional judgment statements can affect the arguments in the data dependency graph. ⑦ Based on the results of taint analysis and symbolic execution, the mapping between API arguments and syscall arguments is constructed. ⑧ The target binary is analyzed to extract the dependent API and arguments. ⑨ The extracted API and arguments are used to search the mapping ⑩ for possible dependent syscalls and arguments. ⑪ If the binary does not use a dependent library to invoke syscalls, the syscalls and arguments are extracted. ⑫ Seccomp configuration with allowed syscalls and arguments can be generated.
  • Figure 3: An example to show the workflow of API argument extraction. In the example, the socket API was found to be used for syscall invocation. By analyzing the API invocation callsite, registers w0-w2 were found to hold the API arguments. After analyzing the values of w0-w2, the API arguments (2,1,6) were determined.
  • Figure 4: The statistics of the syscall dependency analysis on every program, and the number of CVEs involved.
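To make the abstract's "fine-grained kernel access limitation" and the last steps of the Figure 2 workflow (⑧ extract APIs and arguments, ⑨/⑩ look them up in the API-to-syscall mapping, ⑫ emit a Seccomp configuration) concrete, the following is an added example, not the paper's tool. It hand-writes a tiny API-to-syscall mapping table in place of the one the paper derives from library CFGs and taint analysis, takes a constructed list of API call sites (including the socket(2,1,6) call site from Figure 3) as the stand-in for binary analysis output, and generates an OCI/Docker-style seccomp profile that denies everything by default and allows each dependent syscall only with the argument values the analysis could establish. A small `decide` helper simulates the kernel's per-invocation decision so the effect of argument restriction can be observed offline; the names `API_TO_SYSCALLS`, `EXTRACTED_CALLS`, `build_profile` and `decide` are all assumptions of this example.

```python
import json
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed mapping table (hand-written for illustration; the paper derives the
# real one automatically): library API -> syscalls it reaches and, for each syscall
# argument index, where the value comes from. ("api", i) means API argument i
# (what backward taint analysis would report); ("const", v) means the library
# hard-codes v on that path.
ArgSource = Tuple[str, int]
API_TO_SYSCALLS: Dict[str, List[Tuple[str, Dict[int, ArgSource]]]] = {
    "socket": [("socket", {0: ("api", 0), 1: ("api", 1), 2: ("api", 2)})],
    "puts":   [("write", {0: ("const", 1)})],   # puts() always writes to fd 1
    "exit":   [("exit_group", {})],             # status is not worth restricting
}

# Constructed stand-in for the binary analysis step: API call sites found in the
# target binary with the argument values recovered (None = not statically known).
# socket(2, 1, 6) is the AF_INET / SOCK_STREAM / IPPROTO_TCP call site of Figure 3.
EXTRACTED_CALLS: List[Tuple[str, Sequence[Optional[int]]]] = [
    ("socket", (2, 1, 6)),
    ("puts", (None,)),
    ("exit", (0,)),
]


def resolve_conditions(sources: Dict[int, ArgSource],
                       api_args: Sequence[Optional[int]]) -> Tuple[Tuple[int, int], ...]:
    """Turn argument sources into concrete (syscall arg index, value) conditions.

    An argument whose value is unknown gets no condition, so the profile is
    best-effort: never stricter than what the analysis can actually prove."""
    conds = []
    for idx in sorted(sources):
        kind, ref = sources[idx]
        if kind == "const":
            value: Optional[int] = ref
        else:
            value = api_args[ref] if ref < len(api_args) else None
        if value is not None:
            conds.append((idx, value))
    return tuple(conds)


def build_profile(calls, mapping, arch: str = "SCMP_ARCH_AARCH64") -> dict:
    """Build an OCI-style seccomp profile: deny by default, allow only the syscalls
    the binary's APIs depend on, each with its provable argument constraints.

    Within one rule the "args" entries are ANDed; separate rules for the same
    syscall are ORed, so two call sites with different arguments yield two rules."""
    allowed: Dict[str, set] = {}
    for api, api_args in calls:
        for syscall, sources in mapping.get(api, []):
            allowed.setdefault(syscall, set()).add(resolve_conditions(sources, api_args))
    rules = []
    for syscall in sorted(allowed):
        for conds in sorted(allowed[syscall]):
            rules.append({
                "names": [syscall],
                "action": "SCMP_ACT_ALLOW",
                "args": [{"index": i, "value": v, "op": "SCMP_CMP_EQ"} for i, v in conds],
            })
    return {"defaultAction": "SCMP_ACT_ERRNO", "architectures": [arch], "syscalls": rules}


def decide(profile: dict, syscall: str, args: Sequence[int]) -> str:
    """Simulate the kernel's decision for one invocation under the profile.
    Only SCMP_CMP_EQ is modelled because that is all build_profile emits."""
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        if all(args[c["index"]] == c["value"] for c in rule["args"]):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    profile = build_profile(EXTRACTED_CALLS, API_TO_SYSCALLS)
    print(json.dumps(profile, indent=2))
    for sc, a in [("socket", (2, 1, 6)), ("socket", (2, 2, 17)), ("execve", (0, 0, 0))]:
        print(f"{sc}{a} -> {decide(profile, sc, a)}")
```

The generated profile allows `socket` only for the (2, 1, 6) argument triple, so a UDP socket request `socket(2, 2, 17)` from the same process is rejected with the default `SCMP_ACT_ERRNO`, and a syscall the binary never depends on, such as `execve`, is rejected outright. That is exactly the distinction Figure 1 draws: the same syscall with different arguments reaches different kernel code, and a coarse allow/deny per syscall cannot express it.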