Syscall prioritization #233

Closed
1 of 2 tasks
fw-immunant opened this issue Jun 28, 2023 · 1 comment
fw-immunant commented Jun 28, 2023

There are hundreds of x86_64 syscalls, categorized in #231. We want to start by winnowing these down to a starting subset that we can allowlist and implement specialized policies for as needed. Once we're secure on programs that use only the allowlisted subset, we can expand to support more programs as needed.

I've surveyed a few programs, and the below are dedup'd+sorted lists of syscalls executed.

Collected with:

strace -f $PROGRAM 2>&1 | grep -o -P '^[^ =(]+(?=\()' | sort -u

ls:
access
arch_prctl
brk
close
execve
exit_group
getdents64
getrandom
ioctl
mmap
mprotect
munmap
newfstatat
openat
prctl
pread64
prlimit64
read
rseq
set_robust_list
set_tid_address
write

sh -c exit:
access
arch_prctl
brk
close
execve
exit_group
futex
getdents64
getegid
geteuid
getgid
getpgrp
getpid
getppid
getrandom
getuid
ioctl
mmap
mprotect
munmap
newfstatat
openat
pread64
prlimit64
read
rseq
rt_sigaction
rt_sigprocmask
set_robust_list
set_tid_address
sysinfo
uname

w:
access
alarm
arch_prctl
brk
close
connect
execve
exit_group
fcntl
futex
getdents64
getrandom
ioctl
lseek
mmap
mprotect
munmap
newfstatat
openat
prctl
pread64
prlimit64
read
rseq
rt_sigaction
set_robust_list
set_tid_address
socket
write

echo 4+4 | python3 -i:
access
arch_prctl
brk
chown
close
execve
exit_group
fcntl
futex
getcwd
getdents64
getegid
geteuid
getgid
getpid
getrandom
gettid
getuid
ioctl
lseek
mmap
mprotect
munmap
newfstatat
openat
pread64
prlimit64
read
readlink
rename
rseq
rt_sigaction
setfsgid
setfsuid
set_robust_list
set_tid_address
sysinfo
write

Across our tests, we have the following syscall counts:

 22 access
 22 arch_prctl
 22 brk
  1 clone3
 22 close
 23 execve
 20 exit_group
 22 futex
 22 getrandom
 22 mmap
 22 mprotect
 22 munmap
 22 newfstatat
 22 openat
 22 pkey_alloc
 22 pkey_mprotect
 22 pread64
 22 prlimit64
 22 read
 22 rseq
 11 rt_sigaction
  1 rt_sigprocmask
 22 set_robust_list
 22 set_tid_address
 20 write

We should also characterize nginx, but I think these give a good idea of where to start with an initial syscall allowlist. Of these syscalls, mmap/munmap/mprotect, pkey_alloc/pkey_mprotect, rt_sigaction/rt_sigprocmask, clone3, and openat are the syscalls that require the most infrastructure to properly implement policy for.

TODOs:

@fw-immunant

We have an initial set of allowed syscalls as of PR #290, so this bug as "make a first pass by prioritizing a few core syscalls" is complete.
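
The survey in the opening comment (a per-program syscall list from `strace -f`, then a count of how many programs executed each syscall) can be reproduced with a small script. This is an added example, not code from the issue or the project: the function names, the sample logs and the `min_programs` threshold are assumptions, and the parser also accepts the `[pid N]` prefix that `strace -f` puts on lines once a traced program forks.

```python
import re
from collections import Counter

# Syscall name at the start of a strace line, after the optional "[pid N] "
# prefix that -f adds once more than one process is being traced. Signal,
# exit and "<... name resumed>" lines do not match; a resumed call was
# already named on its "<unfinished ...>" line.
CALL = re.compile(r'^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(')

def syscalls(trace):
    """Set of syscall names in one strace -f log."""
    return {m.group(1) for line in trace.splitlines() if (m := CALL.match(line))}

def counts(traces):
    """Map each syscall to the number of traced programs that executed it."""
    seen = Counter()
    for trace in traces.values():
        seen.update(syscalls(trace))
    return seen

def allowlist(traces, min_programs=1):
    """Sorted syscalls executed by at least min_programs of the programs."""
    return sorted(n for n, k in counts(traces).items() if k >= min_programs)

# Constructed sample logs (not taken from the issue); program names are made up.
TRACES = {
    "prog_a": r'''execve("/bin/prog_a", ["prog_a"], 0x7ffd0 /* 3 vars */) = 0
brk(NULL) = 0x55d0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF", 832) = 832
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++
''',
    "prog_b": r'''execve("/bin/prog_b", ["prog_b"], 0x7ffd0 /* 3 vars */) = 0
clone3({flags=CLONE_VM, exit_signal=SIGCHLD}, 88) = 4242
[pid  4242] rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL}, 8) = 0
[pid  4242] write(1, "hi\n", 3 <unfinished ...>
[pid  4241] futex(0x7f00, FUTEX_WAIT, 0, NULL <unfinished ...>
[pid  4242] <... write resumed>) = 3
[pid  4242] exit_group(0) = ?
[pid  4241] <... futex resumed>) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
exit_group(0) = ?
''',
}

if __name__ == "__main__":
    for name, n in sorted(counts(TRACES).items()):
        print(f"{n:3d} {name}")
```

Raising `min_programs` narrows the result to syscalls common to several programs, which is one way to pick a starting subset before adding per-syscall policy.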
