Home/ Questions/Q 842145
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T05:54:47+00:00

Does anyone tell me how to block some specific system calls within a program,

  • 0

Does anyone tell me how to block some specific system calls within a program, please? I am building a system which takes a piece of C source code, compiles it with gcc and runs it. For security reasons, I need to prevent the compiled program from calling some system calls. Is there any way to do it, from the source code level (e.g. stripping the header files of gcc, detecting malicious external calls, …) to the executable level?

Edited #1: Add details about malicious calls.

Edited #2: My system is a GNU/Linux one.

Edited #3:

I have tried some methods within a few days and here are the conclusions I’ve got so far:

  1. Scanning the source code does not solve the main problem since one can always obsfucate his/her C source file quite well.
  2. “Overriding C symbol” works well for libraries, but for system calls I have not achieved what I wanted. This idea is not dead, however, doing this would definitely cause me a lot of time hacking (gcc and/or ld).
  3. Permission deescalation works like a charm. I could use fakeroot or a “guest” user to do it. This method is also the easiest to implement.

The other one is native client which I have not tried yet but I definitely would in near future due to the common between the project and my work.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As others have noted, it’s impossible for a program to avoid making system calls, they permate the C library all over the place.

    However you might be able to make some headway with careful use of the LD_PRELOAD mechanism, if your platform supports it (e.g. Linux): you write a shared library with the same symbol names as those in the C library, which are called instead of the intended libc functions. (For example, Electric Fence is built as a shared library on Debian-based systems and intercepts calls to malloc, free et al.)

    I suspect you could use this mechanism to trap or argument-check calls to any libc functions you don’t like, and perhaps to note those which you consider unconditionally safe. It might then be reasonable to scan the compiled executable for the code corresponding to INT 0x80 to trap out any attempts to make raw syscalls (0xcd 0x80 – though beware of false positives). However I have only give this a few moments of thought, I could easily have missed something or this might turn out to be impractical…

    • 0