If you've ever written any code - even just Hello World - you've used some syscalls. In this talk we'll explore what syscalls are, how they are used to set up containers, and how to make your deployment more secure at runtime by limiting the syscalls your containers can make thanks to seccomp and Linux security modules like AppArmor.
We'll also discuss how, if your architecture is broken into containerized microservices, this gives you a great opportunity to improve security by limiting what each container can do. This is where containerized microservices really shine over traditional monoliths from a security perspective - so it's helpful to know about if you're trying to convince your security team that containers are a good idea.
There will be lots of live demos!
syscall() saves CPU registers before making the system call, restores the registers upon return from the system call, and stores any error code returned by the system call in errno(3) if an error occurs.
Making a syscall
vDSO
● Avoids expensive kernel transitions for a few hot syscalls
● Architecture-specific
● Typical uses: getting the time, getting the current CPU
strace(1) and the vDSO
When tracing system calls with strace(1), symbols (system calls) that are exported by the vDSO will not appear in the trace output.
Recap & more info
● How syscalls work
○ Tycho’s kernel talk
● Runtime profiles
○ Powerful in theory, hard in practice
● More on strace
○ Julia Evans strace-zine
○ github.com/lizrice/strace-from-scratch
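Runtime profiles are "hard in practice" partly because of the strace/vDSO caveat above: a seccomp allowlist generated from a trace silently misses the time-related calls the vDSO served. The following is an added example, not code from the talk or from any of the linked projects: it parses constructed strace(1) output into a set of syscall names and emits a Docker-style seccomp profile, adding the usual vDSO-served calls back so the resulting container does not break at runtime.

```python
import json
import re

# Syscall name at the start of an strace line; tolerates the "[pid N]" prefix
# from strace -f and HH:MM:SS timestamps from strace -t.
_CALL = re.compile(
    r"^(?:\[pid\s+\d+\]\s*|\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?"
    r"([a-z_][a-z0-9_]*)\("
)
# Second half of a call that strace split with "<unfinished ...>".
_RESUMED = re.compile(r"<\.\.\.\s+([a-z_][a-z0-9_]*)\s+resumed>")

# Calls commonly served by the vDSO: strace never sees them, so a profile built
# only from a trace must add them back or the workload gets EPERM at runtime.
VDSO_CALLS = {"clock_gettime", "clock_getres", "gettimeofday", "time", "getcpu"}


def syscalls_from_strace(lines):
    """Return the set of syscall names that appear in strace output lines."""
    names = set()
    for line in lines:
        match = _CALL.match(line) or _RESUMED.search(line)
        if match:  # skips "+++ exited +++" and "--- SIGCHLD ---" lines
            names.add(match.group(1))
    return names


def seccomp_profile(names, arch="SCMP_ARCH_X86_64", include_vdso=True):
    """Build a Docker/OCI seccomp profile: deny by default, allow the list."""
    allowed = set(names) | (VDSO_CALLS if include_vdso else set())
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


# Constructed sample trace of a "Hello World" run under strace -f.
SAMPLE_TRACE = [
    'execve("/bin/hello", ["/bin/hello"], 0x7ffd1234 /* 20 vars */) = 0',
    "brk(NULL) = 0x55d0c1a000",
    'openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
    "mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a10",
    '[pid  4242] write(1, "Hello World\\n", 12) = 12',
    "[pid  4242] <... wait4 resumed> [{WIFEXITED(s)}], 0, NULL) = 4243",
    "+++ exited with 0 +++",
]

if __name__ == "__main__":
    print(json.dumps(seccomp_profile(syscalls_from_strace(SAMPLE_TRACE)), indent=2))
```

Pass the printed JSON to `docker run --security-opt seccomp=profile.json` and watch for EPERM failures; anything still missing is a call the trace did not exercise.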