👉 Overview
👀 What?
Seccomp, or Secure Computing Mode, is a security feature in the Linux kernel. In its original strict mode, Seccomp allows a process to make a one-way transition into a 'secure' state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. If the process attempts any other system call, the kernel terminates the process with SIGKILL or SIGSYS.
🧐 Why?
In the context of cybersecurity, Seccomp is significant as it provides an additional layer of security in the Linux operating system. By limiting the system calls a process can make, Seccomp reduces the attack surface and the potential damage that can be done if a process is compromised. It's particularly valuable in environments where untrusted or user-supplied code is executed, such as web servers and virtual machines.
⛏️ How?
To use Seccomp in a Linux environment, include the 'linux/seccomp.h' header file (and 'sys/prctl.h') in your program, then call prctl() with the PR_SET_SECCOMP argument to enable Seccomp. Once Seccomp is enabled for a process it cannot be disabled, and the restrictions are inherited by all child processes created with fork() or clone().
⏳ When?
Seccomp was first introduced in Linux kernel 2.6.12, which was released in June 2005. It was initially implemented as a means of safely running untrusted bytecode in the Google Chrome web browser, but it has since been adopted by other projects and applications.
⚙️ Technical Explanations
Seccomp, or Secure Computing Mode, is a critical security feature within the Linux kernel. Its primary purpose is to control the system calls that a process can make, thereby limiting the attack surface and potential damage in case of a process compromise.
In strict mode, Seccomp operates by transitioning the process into a 'secure' state, where the only system calls it can make are exit(), sigreturn(), read(), and write() to already-open file descriptors. If the process attempts any other system call, the Linux kernel terminates the process immediately with SIGKILL or SIGSYS.
Seccomp utilizes the Berkeley Packet Filter (BPF), an in-kernel virtual machine, to filter system calls. When a process enables Seccomp, it provides a BPF program that the kernel uses as a deciding mechanism for handling system calls. The BPF program returns a value that instructs the kernel on how to respond to the system call: allow the system call, deny it with an error, deny it with a signal, or trace the system call for debugging purposes.
This mechanism allows for a high degree of control over the system calls a process can make, providing an additional layer of security, especially in environments where untrusted or user-supplied code is executed. However, to use it effectively, it requires a strong understanding of the Linux system call interface.
Seccomp was first introduced in the Linux kernel 2.6.12, released in June 2005. Originally, it was developed to safely run untrusted bytecode in the Google Chrome web browser. Since then, it has been adopted by various projects and applications for its valuable security contributions.
Let's look at a simplified example of how to use Seccomp in a C program. The goal of this program is to secure a child process using Seccomp.
Firstly, include the necessary header files:
    #include <stdio.h>
    #include <sys/prctl.h>
    #include <sys/wait.h>     /* wait(), WIFSIGNALED(), WTERMSIG() */
    #include <linux/seccomp.h>
    #include <unistd.h>
Next, define the main function:
    int main() {
        // Create a child process
        if (fork() == 0) {
            // Enable Seccomp strict mode: from here on the child may only
            // call read(), write(), exit() and sigreturn()
            if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) {
                perror("prctl(PR_SET_SECCOMP)");
                _exit(1);
            }
            // Attempt a forbidden system call: execl() issues execve()
            execl("/bin/sh", "/bin/sh", NULL);
            // Not reached: the kernel kills the child with SIGKILL
        } else {
            // Parent process waits for the child and reports how it ended
            int status;
            wait(&status);
            if (WIFSIGNALED(status))
                printf("child killed by signal %d\n", WTERMSIG(status));
        }
        return 0;
    }
In this example, a child process is created with fork(). In the child process, Seccomp is enabled with prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT). Then the child process attempts to execute /bin/sh with execl(), which issues the execve() system call, one that is not allowed under Seccomp strict mode. The kernel therefore terminates the child, because execve() is not one of the system calls allowed in the secure state that Seccomp enforces; the parent can confirm this by inspecting the status returned by wait().
Remember, this is a simplified example. Real usage would involve using BPF to set up a more complex filter for system calls. This example is meant to illustrate the basic concept of how Seccomp works.