If you've ever written any code - even just Hello World - you've used some syscalls. In this talk we'll explore what syscalls are, how they are used to set up containers, and how to make your deployment more secure at runtime by limiting the syscalls your containers can make thanks to seccomp and Linux security modules like AppArmor. We'll also discuss how, if your architecture is broken into containerized microservices, this gives you a great opportunity to improve security by limiting what each container can do. This is where containerized microservices really shine over traditional monoliths from a security perspective - so it's helpful to know about if you're trying to convince your security team that containers are a good idea. There will be lots of live demos!

1. What have
syscalls done
for you lately?
Liz Rice
@lizrice
Aqua Security

2. Agenda
● What are syscalls?
● Syscalls, seccomp & containers
● Shellshock exploit

3. What is a syscall?

5. When do you need syscalls?
● Files
● Devices
● Processes
● Communications
● Time & date
And creating
containers

6. Let’s see some syscalls
strace
Using strace

7. How do you make a syscall?
Language-specific library
● C - libc
● Golang - syscall package
func Write(fd int, p []byte) (n int, err error)

9. ~ 330 of them
Syscall codes

10. syscall() saves CPU registers before making the system call,
restores the registers upon return from the system call, and
stores any error code returned by the system call in errno(3) if
an error occurs.
Making a syscall

11. Syscall parameters
x86 64 table from blog.rchapman.org

12. ENTRY (syscall)
movq %rdi, %rax /* Syscall number -> rax. */
movq %rsi, %rdi /* shift arg1 - arg5. */
movq %rdx, %rsi
movq %rcx, %rdx
movq %r8, %r10
movq %r9, %r8
movq 8(%rsp),%r9 /* arg6 is on the stack. */
Syscall /* Do the system call. */
cmpq $-4095, %rax /* Check %rax for error. */
jae SYSCALL_ERROR_LABEL /* Jump to error handler if error. */
Ret /* Return to caller. */
PSEUDO_END (syscall)
Syscall in assembler
GNU C library

13. Transition to kernel
● Execute in privileged mode
● Look up kernel code to run
○ syscall code from %rax

14. Portability
Different CPUs,
same approach

15. vDSO
● Avoid expensive kernel transitions
● Architecture-specific
● Typical: get time, CPU

16. strace(1) and the vDSO
When tracing systems calls with strace(1), symbols (system calls)
that are exported by the vDSO will not appear in the trace output.

17. Syscalls and seccomp

18. Seccomp
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"name": "accept",
"action": "SCMP_ACT_ALLOW",
"args": []
},
{
"name": "accept4",
"action": "SCMP_ACT_ALLOW",
"args": []
Restrict the
syscalls a
process can
use

19. Seccomp
...
{
"names": [
"reboot"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_BOOT"
]
},
"excludes": {}
},
...
Can I reboot
the host?

20. Stracing Docker
containers

21. Share PID namespace
docker run -it
--pid=container:<target>
--cap-add sys_ptrace
<image_w_strace> /bin/bash

22. So you’ve got your syscalls
● Creating a seccomp profile
● Portability?
○ Kernel / architecture

23. AppArmor
(Not specifically to do with syscalls)

24. AppArmor profiles
Define what a program can do
● File access (read, write, execute…)
● Capabilities
● Network access
● ...

25. Generating AppArmor profiles
● aa-autodep - blank profile
● aa-complain - Generate logs
● aa-logprof - Review logs
● Manual edits?
● Zzzzzzzzz

26. #include <tunables/global>
/usr/sbin/nginx {
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/nis>
capability dac_override,
capability dac_read_search,
capability net_bind_service,
capability setgid,
capability setuid,
/data/www/safe/* r,
deny /data/www/unsafe/* r,
/etc/group r,
/etc/nginx/conf.d/ r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/ssl/openssl.cnf r,
/run/nginx.pid rw,
/usr/sbin/nginx mr,
/var/log/nginx/access.log w,
/var/log/nginx/error.log w,
}
Typical profile

27. Container AppArmor profiles
● Generate profile on host
● Or install apparmor inside container
○ Requires --security-opt
apparmor:unconfined
--cap-add sys_admin

28. Runtime profiles are HARD

29. But...
● Can stop unexpected behaviour
● Microservice behaviour is easier
to reason about
Powerful with good tooling

30. Shellshock example

31. Runtime
profile tools

32. Recap & more info
● How syscalls work
○ Tycho’s kernel talk
● Runtime profiles
○ Powerful in theory, hard in practice
● More on strace
○ Julia Evans strace-zine
○ github.com/lizrice/strace-from-scratch

33. Thank you
Come say hi at Booth G10
@lizrice | @aquasecteam