Skip to content

[Feat]: Implement syscall categorization framework #700

New issue
New issue
Open
Open
[Feat]: Implement syscall categorization framework#700
Labels
feature
@Vyom-Yadav

Description

@Vyom-Yadav
Vyom-Yadav
opened on Dec 16, 2025

Describe the solution you'd like:

Currently, we only record SYS_OPENAT and SYS_EXECVE syscalls in commandrun attestor. Instead, we should record a lot more syscalls and categorize them as following:

1. Tracked (security/integrity relevant)

Eg: SYS_OPENAT, SYS_OPEN, SYS_CREAT, SYS_READ, SYS_WRITE, SYS_EXECVE, SYS_SOCKET, SYS_CONNECT ...

The idea is for witness to recognize these sycalls and produce attestations for a subset of file-system/network access syscalls. Recording each and every syscall and adding that to attestation may create a humongous attestation.

For syscalls that are called often in build processes, either the output can be deduplicated (reading the same file again) which would have to be implemented at per syscall level, or just recording that the syscall was invoked.

But witness should recognize that syscall as security/integrity related.

2. Ignored (no security impact)

Eg: SYS_GETTIMEOFDAY, SYS_CLOCK_GETTIME, SYS_NANOSLEEP, SYS_SELECT ...

3. Unknown

These are the syscalls we don't recognize yet and have not classified into the above two categories. These should be flagged to the user as it might be of security/integrity relevance.

User value:

This feature would allow users to:

  1. Discover unknown/unclassified syscalls in their build pipelines that may warrant investigation
  2. See a summary of security-relevant syscalls that were invoked, even if witness doesn't yet produce detailed attestations for all of them

Ultimately this is for users to have visibility over their pipeline.

Expected behavior:

CLI output example (can be translated to attestation)

Unknown syscalls detected (may be security relevant):
  - memfd_create: called 2 times

Tracked syscalls:
  - openat: 847 calls (attested)
  - execve: 23 calls (attested)  
  - socket: 15 calls
  - connect: 12 calls

Proposed solution:

commandrun attestor right now records openat and execve, extending it to record other syscalls might be one option.

However, the networktrace attestor that is WIP (by me) operates beyond just the command and supports recording traffic from daemons and other cgroups during the command's execution.

Anything else you would like to add:

Syscall numbers differ between architectures, so we'll have to keep that in mind (support different architectures)

Testing changes required:

Implementation detail - will be updated.

Documentation changes required:

Implementation detail - will be updated post implementation in logic.

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions