Faculté des Sciences appliquées

Improved system call detection

Knott, Benoît ULiège
Promotor(s) : Mathy, Laurent ULiège
Date of defense : 26-Jun-2023/27-Jun-2023
Title : Improved system call detection
Translated title : [fr] Détection de "system call" améliorée
Author : Knott, Benoît ULiège
Date of defense  : 26-Jun-2023/27-Jun-2023
Advisor(s) : Mathy, Laurent ULiège
Committee's member(s) : Leduc, Guy ULiège
Fontaine, Pascal ULiège
Language : English
Number of pages : 79
Keywords : [en] syscall
[en] ELF
[en] assembly
[en] dynamic linking
[en] Unikernels
[en] static analysis
Discipline(s) : Engineering, computing & technology > Computer science
Institution(s) : Université de Liège, Liège, Belgique
Degree: Master : ingénieur civil en informatique, à finalité spécialisée en "computer systems security"
Faculty: Master thesis of the Faculté des Sciences appliquées


[en] Understanding the system call usage of a program gives some users valuable insight into its behavior and lets others identify which syscall implementations are critical. The primary motivation behind this work aligns more closely with the second aspect. It is intended for use in the Unikraft project, which assists in building Unikernels. Unikernels are minimal operating systems that implement only the syscalls necessary for their functionality.

Both dynamic and static analysers have been implemented by contributors to the Unikraft project to detect syscalls in applications. However, the binary static analysis tool faces limitations when analysing dynamically linked binaries.

The objective of this thesis is to enhance the existing binary static analysis tool to enable detection of syscalls used within dynamic libraries, as the current tool only parses the code within the binary itself.

To achieve this objective, a deep understanding of certain aspects of the ELF binary format and the behavior of the dynamic linker is required. This enhanced static analysis tool should be capable of resolving library function calls within the analysed binary and analysing the syscalls within the resulting code executed.

Furthermore, although not initially part of the objectives, improvements have been made to the syscall detection process itself to enhance its effectiveness in identifying syscalls in more scenarios than before.

The final implementation of the static analyser successfully accomplishes these tasks. However, it still has a significant limitation in resolving indirect calls, as well as minor limitations that may present challenges in specific contexts.



Access s182110KnottBenoit2023_thesis.pdf
Description: Report of the master thesis
Size: 984.33 kB
Format: Adobe PDF
Access s182110KnottBenoit2023_abstract.pdf
Description: Abstract of the master thesis
Size: 92.9 kB
Format: Adobe PDF


Access git_repository.txt
Description: Link to the repository + anchor link to the repository at the time of submission
Size: 221 B
Format: Text


  • Knott, Benoît ULiège Université de Liège > Master ingé. civ. info., à fin.


Committee's member(s)

  • Leduc, Guy ULiège Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Réseaux informatiques
  • Fontaine, Pascal ULiège Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Systèmes informatiques distribués
