Rewriting Every Syscall in a Linux Binary at Load Time

https://amitlimaye1.substack.com/p/rewriting-every-syscall-in-a-linux
37•riteshnoronha16•4d ago

Comments

CableNinja•4d ago
I assume this would break observability through existing methods, right? If you were to strace a process that has been patched, would you see regular syscall data (as if it wasn't patched) or would your syscall replacement appear along the way?
amitlimaye•4d ago
Good question. I didn't cover this in the post — the binary doesn't run on the host kernel directly. It runs inside a lightweight KVM-based VM with no operating system. The shim is the only thing handling syscalls inside the guest. So strace on the host wouldn't see anything — no syscalls reach the host kernel from the guest. From the host side, the only visible activity is the hypervisor process making syscalls on behalf of the guest.

Inside the guest, there's no kernel to attach strace to — the shim IS the syscall handler. But we do have full observability: every syscall that hits the shim is logged to a trace ring buffer with the syscall number, arguments, and TSC timestamp. It's more complete than strace in some ways — you see denied calls too, with the policy verdict, and there's no observer overhead because the logging is part of the dispatch path.

So existing tools don't work, but you get something arguably better: a complete, tamper-proof record of every syscall the process attempted, including the ones that were denied before they could execute. I'll publish a follow-on tomorrow that details how we load and execute this rewritten binary and what the VMM architecture looks like.

coppsilgold•1h ago
You mentioned SECCOMP_RET_TRACE, but there is also SECCOMP_RET_TRAP[1] which appears to perform better. There is also KVM. Both of these are options for gVisor: <https://github.com/google/gvisor>

[1] <https://github.com/google/gvisor/blob/master/pkg/sentry/plat...>

monocasa•1h ago
There's also SECCOMP_RET_USER_NOTIF, which is typically used by container runtimes for their sandboxing.
coppsilgold•1h ago
SECCOMP_RET_USER_NOTIF seems to involve sending a struct over an fd on each syscall. Do they really use it? Performance ought to suffer.

Also gVisor (aka runsc) is a container runtime as well. And it doesn't gatekeep syscalls but chooses to re-implement them in userland.
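An added example (not code from the article, the commenters, or gVisor) that shows the in-process seccomp path discussed in this sub-thread: a BPF filter returns SECCOMP_RET_TRAP for one syscall, and a SIGSYS handler in the same thread records the trapped syscall number, with no ptrace stop as in SECCOMP_RET_TRACE and no notification fd as in SECCOMP_RET_USER_NOTIF. It assumes Linux on x86_64 or aarch64; the trapped syscall (getppid) and the function names are chosen for the demo.

```c
/* Added example, not from the article or gVisor: trap one syscall in-process with SECCOMP_RET_TRAP (Linux only). */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
static volatile sig_atomic_t trapped_nr = -1; /* syscall number seen by the handler */
/* SIGSYS handler: runs in the trapped thread itself, so no ptrace stop (RET_TRACE) and no
 * notification fd (RET_USER_NOTIF). A userland emulator would service the call here. */
static void on_sigsys(int sig, siginfo_t *info, void *uc)
{
    (void)sig; (void)uc;
    if (info->si_code == 1) /* SYS_SECCOMP: this SIGSYS was raised by a seccomp filter */
        trapped_nr = info->si_syscall;
}
/* Filter: kill on a foreign arch, trap getppid, allow everything else. */
static int install_trap_filter(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof insns / sizeof insns[0], insns };
    struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
    if (sigaction(SIGSYS, &sa, NULL) < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); /* filter stays installed */
}
/* Returns SYS_getppid when the kernel skipped the real call and delivered it to the
 * handler instead; negative on failure (e.g. seccomp filters unavailable). */
long run_trap_demo(void)
{
    if (install_trap_filter() < 0) return -1;
    syscall(SYS_getppid); /* never reaches the kernel's getppid; the handler runs instead */
    return trapped_nr;
}
```

The filter cannot be removed once installed, so run this in a throwaway process rather than inside a program whose later code depends on getppid.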

foota•1h ago
Hah, I've been looking into something amusingly similar to track mmap syscalls for a process :)
jmillikin•1h ago
This might be a very dumb question, but if the process is being run under KVM to catch `int 0x03` then couldn't you also use KVM to catch `syscall` and execute the original binary as-is? I don't understand what value the instruction rewriting is providing here.
ozgrakkurt•48m ago
Really informative writing, thank you.

How secure does this make a binary? For example would you be able to run untrusted binary code inside a browser using a method like this?

Then can websites just use C++ instead of JavaScript, for example?

im3w1l•39m ago
What about int 80h?
JSR_FDED•29m ago
Love the detailed write up, thanks!

This is the kind of foundation that I would feel comfortable running agents on. It’s not the whole solution of course (yes agent, you’re allowed to delete this email but not that email can’t be solved at this level)… let me know when you tackle that next :-)

hparadiz•17m ago
I've been thinking of making a kernel patch that disables eBPF for certain processes as a privacy tool. Everyone is using eBPF now.
