Linux Seccomp is widely used by the program developers and the system maintainers to secure the operating systems, which can block unused syscalls for different applications and containers to shrink the attack surface of the operating systems. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker containers block about only 50 syscalls by default, and lots of unblocked useless syscalls introduce a big kernel attack surface. To obtain the dependent syscalls, dynamic tracking is a straight-forward approach but it cannot get the full syscall list. Static analysis can construct an over-approximated syscall list, but the list contains many false positives. In this paper, a systematic dependent syscall analysis approach, sysverify, is proposed by combining static analysis and dynamic verification together to shrink the kernel attack surface. The semantic gap between the binary executables and syscalls is bridged by analyzing the binary and the source code, which builds the mapping between the library APIs and syscalls systematically. To further reduce the attack surface at best effort, we propose a dynamic verification approach to intercept and analyze the security of the invocations of indirect-call-related or rarely invoked syscalls with low overhead.

中文翻译：

---

通过静态和动态系统调用限制缩小内核攻击面

Linux Seccomp 被程序开发人员和系统维护人员广泛用于保护操作系统，它可以阻止不同应用程序和容器未使用的系统调用，以缩小操作系统的攻击面。但是，如果没有程序开发人员的帮助，很难配置容器或应用程序的白名单。默认情况下，Docker 容器仅阻止大约 50 个系统调用，而许多未阻止的无用系统调用会引入很大的内核攻击面。要获取依赖的系统调用，动态跟踪是一种直接的方法，但它无法获取完整的系统调用列表。静态分析可以构建一个过度近似的系统调用列表，但该列表包含许多误报。本文提出了一种系统依赖的系统调用分析方法，sysverify，通过将静态分析和动态验证结合在一起来缩小内核攻击面。二进制可执行文件和系统调用之间的语义鸿沟是通过分析二进制文件和源代码来弥合的，系统地构建了库 API 和系统调用之间的映射。为了尽最大努力进一步减少攻击面，我们提出了一种动态验证方法，以低开销拦截和分析与间接调用相关或很少调用的系统调用的调用的安全性。