POSTER: Transparent Temporally-Specialized System Call Filters
Matthew Rossi, Michele Beretta, Dario Facchinetti, Stefano Paraboschi
In Proc. of the 20th ACM ASIA Conference on Computer and Communications Security (ASIACCS), Ha Noi, Vietnam, August 25-29, 2025
Reducing the attack surface of the OS kernel is an effective defense-in-depth technique to enhance the security of application workloads. In Linux-based systems, developers can implement this strategy by restricting the set of available system calls using seccomp. Although this approach is widely adopted in browsers, container runtimes, and sandboxing tools, it also presents challenges. On one hand, defining precise filters often requires significant application modifications, which can impede developer productivity. On the other hand, the transparent enforcement of the seccomp filter is bound to use a single, static list with all the syscalls the application might ever need. This, coupled with the inherent difficulty in the definition of which syscalls should be included in the seccomp filter, often results in overly permissive and less effective security boundaries.
In this paper we address these limitations by proposing: (i) an automated method to generate specialized seccomp filters based on the application state, and (ii) a tool to dynamically apply them at runtime. Our approach makes it possible to transparently enforce temporally-specialized policies that are tailored to the specific application state, significantly enhancing the effectiveness of filters and overcoming the major limitation of using a single, static filter.
We implement this approach by leveraging the eBPF subsystem in the Linux kernel. Specifically, we use in-kernel eBPF programs to monitor the application's state and dynamically enable or disable specialized seccomp filters in response to state transitions. We discuss how this approach addresses the limitations of state-of-the-art solutions. Finally, we validate the feasibility of our proposal and show that it introduces a limited overhead.
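As an added illustration (not code from the paper or its tool), the following C program shows the manual, in-application form of temporally-specialized filtering that the paper's in-kernel eBPF switch makes transparent: each state transition stacks a tighter seccomp allowlist, so syscalls needed only during initialisation are gone in the steady state. It assumes Linux on x86_64 or aarch64, and the two phase allowlists are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_ARCH AUDIT_ARCH_X86_64   /* assumption: x86_64 on any other build host */
#endif
#define INSN(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)
/* One phase's classic-BPF program: wrong ABI -> kill, nr in allow[] -> allow, else EPERM. */
int build_allowlist(struct sock_filter *out, const int *allow, size_t n) {
    size_t i = 0, j;                                   /* out[] must hold n + 6 instructions */
    out[i++] = INSN(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch), 0, 0);
    out[i++] = INSN(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 0, (unsigned char)(n + 3)); /* -> KILL */
    out[i++] = INSN(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr), 0, 0);
    for (j = 0; j < n; j++)                                                                /* -> ALLOW */
        out[i++] = INSN(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allow[j], (unsigned char)(n - j), 0);
    out[i++] = INSN(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA), 0, 0);
    out[i++] = INSN(BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
    out[i++] = INSN(BPF_RET | BPF_K, SECCOMP_RET_KILL, 0, 0);
    return (int)i;
}
/* Stack a phase's allowlist as a new seccomp layer; layers only tighten, never reopen. */
int enter_phase(const int *allow, size_t n) {
    struct sock_filter insns[n + 6];                   /* n <= 252 keeps jump offsets in a byte */
    struct sock_fprog prog = { .len = (unsigned short)build_allowlist(insns, allow, n), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Forked two-phase demo (hypothetical lists): init may read a config file, the steady state may
 * not even getpid. The init list must keep prctl so the process can tighten itself later, a
 * constraint the paper's kernel-side switching removes. Returns 0 when both phases behave. */
int demo_transition(void) {
    static const int init_phase[] = { SYS_openat, SYS_read, SYS_close, SYS_getpid, SYS_prctl, SYS_exit_group };
    static const int steady_phase[] = { SYS_read, SYS_exit_group };
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (enter_phase(init_phase, 6) != 0 || syscall(SYS_getpid) < 0) _exit(2);
        if (enter_phase(steady_phase, 2) != 0) _exit(3);
        _exit(syscall(SYS_getpid) == -1 && errno == EPERM ? 0 : 4);   /* denied by the phase-2 layer */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

The denial uses SECCOMP_RET_ERRNO rather than a kill so the demo can observe it; a production filter would normally kill or log on unexpected syscalls.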
@inproceedings{syscall-filtering,
author = {Matthew Rossi and Michele Beretta and Dario Facchinetti and Stefano Paraboschi},
booktitle = {Proceedings of the 20th ACM ASIA Conference on Computer and
Communications Security (ACM ASIACCS 2025)},
title = {POSTER: Transparent Temporally-Specialized System Call Filters},
year = {2025}
}