Improved system call detection
Knott, Benoît
Supervisor(s): Mathy, Laurent
Defense date: 26-jui-2023/27-jui-2023 • Permalink: http://hdl.handle.net/2268.2/17640
Details
Title: Improved system call detection
Translated title: [fr] Détection de "system call" améliorée
Author: Knott, Benoît
Defense date: 26-jui-2023/27-jui-2023
Supervisor(s): Mathy, Laurent
Jury member(s): Leduc, Guy; Fontaine, Pascal
Language: English
Number of pages: 79
Keywords: [en] syscall; ELF; assembly; dynamic linking; Unikernels; static analysis
Discipline(s): Engineering, computing & technology > Computer science
Institution(s): Université de Liège, Liège, Belgium
Degree: Master's degree: civil engineer in computer science, with a specialised focus in "computer systems security"
Faculty: Master's theses of the Faculty of Applied Sciences
Abstract
[en] Understanding the system call usage of a program can offer valuable insights into its behavior for some and identify critical syscall implementations for others. The primary motivation behind this work aligns more closely with the second aspect. It is intended for the Unikraft project, which aims to assist in building Unikernels. Unikernels are minimal operating systems that implement only the syscalls necessary for their functionality.
Both dynamic and static analysers have been implemented by contributors to the Unikraft project to detect syscalls in applications. However, the binary static analysis tool faces limitations when analysing dynamically linked binaries.
The objective of this thesis is to enhance the existing binary static analysis tool to enable detection of syscalls used within dynamic libraries, as the current tool only parses the code within the binary itself.
To achieve this objective, a deep understanding of certain aspects of the ELF binary format and the behavior of the dynamic linker is required. This enhanced static analysis tool should be capable of resolving library function calls within the analysed binary and analysing the syscalls within the resulting code executed.
Furthermore, although not initially part of the objectives, improvements have been made to the syscall detection process itself to enhance its effectiveness in identifying syscalls in more scenarios than before.
The final implementation of the static analyser successfully accomplishes these tasks. However, it still exhibits a significant limitation in resolving indirect calls and has minor limitations that may present challenges in specific contexts.
File(s)
Document(s)
Description: Report of the master thesis
Size: 984.33 kB
Format: Adobe PDF
Description: Abstract of the master thesis
Size: 92.9 kB
Format: Adobe PDF
Appendix(es)
Description: Link to the repository + anchor link to the repository at the time of submission
Size: 221 B
Format: Text
The University of Liège does not guarantee the scientific quality of these students' works or the accuracy of all the information they contain.