Securing Operating Systems Through Fine-grained Kernel Access Limitation for IoT Systems
- URL: http://arxiv.org/abs/2510.03737v1
- Date: Sat, 04 Oct 2025 08:42:17 GMT
- Title: Securing Operating Systems Through Fine-grained Kernel Access Limitation for IoT Systems
- Authors: Dongyang Zhan, Zhaofeng Yu, Xiangzhan Yu, Hongli Zhang, Lin Ye, Likun Liu,
- Abstract summary: Seccomp is widely used by developers to secure the kernel by blocking access to unused syscalls. Existing Seccomp configuration approaches are coarse-grained and cannot analyze and limit the syscall arguments. In this paper, a novel static dependent syscall analysis approach for embedded applications is proposed.
- Score: 9.530140349882954
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: With the development of the Internet of Things (IoT), it is gaining a lot of attention. It is important to secure embedded systems with low overhead. Linux Seccomp is widely used by developers to secure the kernel by blocking access to unused syscalls, which introduces little overhead. However, there are no systematic Seccomp configuration approaches for IoT applications that work without the help of developers. In addition, the existing Seccomp configuration approaches are coarse-grained and cannot analyze and limit the syscall arguments. In this paper, a novel static dependent syscall analysis approach for embedded applications is proposed, which can obtain all of the possible dependent syscalls and the corresponding arguments of the target applications. So, a fine-grained kernel access limitation can be performed for the IoT applications. To this end, the mappings between dynamic library APIs and syscalls, together with their arguments, are built by analyzing the control flow graphs and the data dependency relationships of the dynamic libraries. To the best of our knowledge, this is the first work to generate fine-grained Seccomp profiles for embedded applications.
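The abstract's distinction between a coarse profile (a syscall is allowed or it is not) and a fine-grained one (the syscall's arguments are constrained too) is visible at the seccomp-BPF level. The following is an added example, not code from the paper or its authors: a coarse filter beside a fine-grained one that admits socket(2) only for AF_INET, plus a small user-space interpreter for the classic-BPF subset the filters use, so both can be evaluated on constructed syscall records without being installed. The allowlist (read, write, exit_group, socket) is chosen for illustration; the syscall numbers assume x86_64, the AF_* values are Linux's, and the BPF, SECCOMP_RET_* and AUDIT_ARCH constants are copied from the kernel UAPI headers so the evaluator also builds on non-Linux hosts.

```c
/* Added example (not the paper's code): coarse vs fine-grained seccomp-BPF filter,
 * with a user-space evaluator for the classic-BPF subset used, so the filters can
 * be tested without installing them. Assumptions: x86_64 syscall numbers, Linux
 * AF_* values; UAPI constants copied in from <linux/{filter,seccomp,audit}.h>. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OP_LD_W_ABS 0x20                       /* BPF_LD|BPF_W|BPF_ABS */
#define OP_JEQ_K 0x15                          /* BPF_JMP|BPF_JEQ|BPF_K */
#define OP_RET_K 0x06                          /* BPF_RET|BPF_K */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_ERRNO 0x00050000U          /* low 16 bits carry the errno */
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define AUDIT_ARCH_X86_64 0xc000003eU
#define NR_read 0                              /* x86_64 numbers (assumption) */
#define NR_write 1
#define NR_socket 41
#define NR_exit_group 231
#define LINUX_AF_INET 2
#define LINUX_AF_PACKET 17

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define LOAD(off) { OP_LD_W_ABS, 0, 0, (uint32_t)(off) }
#define JEQ(k, jt, jf) { OP_JEQ_K, (uint8_t)(jt), (uint8_t)(jf), (uint32_t)(k) }
#define RET(v) { OP_RET_K, 0, 0, (uint32_t)(v) }
#define ARG_LO(i) (offsetof(struct seccomp_data, args) + 8 * (i))   /* low word, little-endian */
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))
/* Every filter first pins the ABI: under another arch the syscall numbers mean something else. */
#define ARCH_CHECK LOAD(offsetof(struct seccomp_data, arch)), JEQ(AUDIT_ARCH_X86_64, 1, 0), RET(SECCOMP_RET_KILL_PROCESS)

/* Coarse: socket(2) is allowed with any domain, all a name-only profile can express. Jump offsets are relative to the next instruction. */
struct sock_filter coarse_filter[] = {
    ARCH_CHECK,
    LOAD(offsetof(struct seccomp_data, nr)),
    JEQ(NR_read, 3, 0), JEQ(NR_write, 2, 0), JEQ(NR_exit_group, 1, 0), JEQ(NR_socket, 0, 1),
    RET(SECCOMP_RET_ALLOW),
    RET(SECCOMP_RET_ERRNO | ENOSYS),
};

/* Fine-grained: socket(2) additionally needs args[0] == AF_INET. The kernel truncates the domain
 * to int, so the low word is authoritative; a pointer or size_t argument needs both halves compared. */
struct sock_filter fine_filter[] = {
    ARCH_CHECK,
    LOAD(offsetof(struct seccomp_data, nr)),
    JEQ(NR_read, 6, 0), JEQ(NR_write, 5, 0), JEQ(NR_exit_group, 4, 0), JEQ(NR_socket, 1, 0),
    RET(SECCOMP_RET_ERRNO | ENOSYS),
    LOAD(ARG_LO(0)),
    JEQ(LINUX_AF_INET, 0, 1),
    RET(SECCOMP_RET_ALLOW),
    RET(SECCOMP_RET_ERRNO | EAFNOSUPPORT),
};

/* Evaluate a program on one syscall record as the kernel dispatcher would; returns the full
 * SECCOMP_RET_* word. Unmodelled opcodes or running off the end count as kill (the in-kernel verifier rejects such programs). */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case OP_LD_W_ABS:
            if (ins->k > sizeof *d - 4) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + ins->k, 4);
            break;
        case OP_JEQ_K:
            pc += acc == ins->k ? ins->jt : ins->jf;
            break;
        case OP_RET_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Decision for one constructed syscall record; only args[0] matters to the filters above. */
uint32_t decide(const struct sock_filter *prog, size_t len, uint32_t arch, int nr, uint64_t arg0)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr; d.arch = arch; d.args[0] = arg0;
    return run_filter(prog, len, &d);
}

#ifdef __linux__   /* real installation; the filter is inherited by child processes */
#include <sys/prctl.h>
struct sock_fprog { unsigned short len; struct sock_filter *filter; };   /* layout as in <linux/filter.h> */
int install_filter(struct sock_filter *prog, unsigned short len)
{
    struct sock_fprog fprog = { len, prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;   /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, 2 /* SECCOMP_MODE_FILTER */, &fprog, 0, 0);
}
#endif
```

With `fine_filter` installed through `install_filter(fine_filter, NELEM(fine_filter))` early in a program, a later `socket(AF_PACKET, SOCK_RAW, 0)` fails with EAFNOSUPPORT before the kernel's own permission check runs, while `socket(AF_INET, SOCK_STREAM, 0)` still succeeds; the coarse filter lets both through. Denying with SECCOMP_RET_ERRNO rather than killing keeps the filter debuggable, and the arch check at the top is what makes the numeric syscall table safe to rely on. The paper's contribution is deriving the allowlist and the argument constraints automatically from the binary and its libraries; the filter shape they feed into is the one shown here.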
Related papers
- Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation [9.260981761468491]
Linux Seccomp is widely used by program developers and system maintainers to secure operating systems. Docker containers block only about 50 syscalls by default, and the many unblocked, unneeded syscalls leave a large kernel attack surface. In this paper, a systematic dependent syscall analysis approach, sysverify, is proposed by combining static analysis and dynamic verification.
arXiv Detail & Related papers (2025-10-04T07:51:08Z)
- DRIFT: Dynamic Rule-Based Defense with Injection Isolation for Securing LLM Agents [52.92354372596197]
Large Language Models (LLMs) are increasingly central to agentic systems due to their strong reasoning and planning capabilities. This interaction also introduces the risk of prompt injection attacks, where malicious inputs from external sources can mislead the agent's behavior. We propose a Dynamic Rule-based Isolation Framework for Trustworthy agentic systems, which enforces both control-level and data-level constraints.
arXiv Detail & Related papers (2025-06-13T05:01:09Z)
- Cognitive Kernel: An Open-source Agent System towards Generalist Autopilots [54.55088169443828]
We introduce Cognitive Kernel, an open-source agent system towards the goal of generalist autopilots. Unlike copilot systems, which primarily rely on users to provide essential state information, autopilot systems must complete tasks independently. To achieve this, an autopilot system should be capable of understanding user intents, actively gathering necessary information from various real-world sources, and making wise decisions.
arXiv Detail & Related papers (2024-09-16T13:39:05Z)
- Designing and Implementing a Generator Framework for a SIMD Abstraction Library [53.84310825081338]
We present TSLGen, a novel end-to-end framework for generating a SIMD abstraction library.
We show that our framework is comparable to existing libraries, and we achieve the same performance results.
arXiv Detail & Related papers (2024-07-26T13:25:38Z)
- KGym: A Platform and Dataset to Benchmark Large Language Models on Linux Kernel Crash Resolution [59.20933707301566]
Large Language Models (LLMs) are consistently improving at increasingly realistic software engineering (SE) tasks.
In real-world software stacks, significant SE effort is spent developing foundational system software like the Linux kernel.
To evaluate if ML models are useful while developing such large-scale systems-level software, we introduce kGym and kBench.
arXiv Detail & Related papers (2024-07-02T21:44:22Z)
- Making 'syscall' a Privilege not a Right [4.674007120771649]
nexpoline is a secure syscall interception mechanism combining Memory Protection Keys (MPK) and Seccomp or Syscall User Dispatch (SUD).
It offers better efficiency than secure interception techniques like ptrace, as nexpoline can intercept syscalls through binary rewriting securely.
Notably, it operates without kernel modifications, making it viable on current Linux systems without needing root privileges.
arXiv Detail & Related papers (2024-06-11T16:33:56Z)
- HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs).
TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
arXiv Detail & Related papers (2024-01-17T00:56:23Z)
- KernelGPT: Enhanced Kernel Fuzzing via Large Language Models [8.77369393651381]
We propose KernelGPT, the first approach to automatically synthesizing syscall specifications via Large Language Models (LLMs). Our results demonstrate that KernelGPT can generate more new and valid specifications and achieve higher coverage than state-of-the-art techniques.
arXiv Detail & Related papers (2023-12-31T18:47:33Z)
- SYSPART: Automated Temporal System Call Filtering for Binaries [4.445982681030902]
Recent approaches automatically identify the system calls required by programs to block unneeded ones.
SYSPART is an automatic system-call filtering system designed for binary-only server programs.
arXiv Detail & Related papers (2023-09-10T23:57:07Z)
- Harnessing Deep Learning and HPC Kernels via High-Level Loop and Tensor Abstractions on CPU Architectures [67.47328776279204]
This work introduces a framework to develop efficient, portable Deep Learning and High Performance Computing kernels.
We decompose the kernel development in two steps: 1) Expressing the computational core using Tensor Processing Primitives (TPPs) and 2) Expressing the logical loops around TPPs in a high-level, declarative fashion.
We demonstrate the efficacy of our approach using standalone kernels and end-to-end workloads that outperform state-of-the-art implementations on diverse CPU platforms.
arXiv Detail & Related papers (2023-04-25T05:04:44Z)
- Performance portability through machine learning guided kernel selection in SYCL libraries [0.0]
General purpose compute libraries must be able to cater to all inputs and parameters provided by a user.
Machine learning methods can be used to mitigate against both of these problems.
Tuning the process for new hardware or problems does not require any developer effort or expertise.
arXiv Detail & Related papers (2020-08-30T11:44:37Z)
This list is automatically generated from the titles and abstracts of the papers in this site.