Papers

Topics

Authors

Recent

View all

Assistant

AI Research Assistant

Well-researched responses based on relevant abstracts and paper content.

Custom Instructions Pro

Preferences or requirements that you'd like Emergent Mind to consider when generating responses.

Gemini 2.5 Flash

Gemini 2.5 Flash 168 tok/s

Gemini 2.5 Pro 48 tok/s Pro

GPT-5 Medium 28 tok/s Pro

GPT-5 High 25 tok/s Pro

GPT-4o 122 tok/s Pro

Kimi K2 188 tok/s Pro

GPT OSS 120B 464 tok/s Pro

Claude Sonnet 4.5 36 tok/s Pro

2000 character limit reached

Static Dependent Syscall Analysis

Updated 11 October 2025

Static dependent syscall analysis is a technique that employs static code inspection to determine potential syscall invocations and their argument dependencies in binaries.
It leverages control-flow recovery, symbolic execution, and backward taint analysis to generate precise, phase-aware syscall filtering rules for shrinking the kernel attack surface.
Real-world implementations demonstrate significant CVE mitigation and minimal performance overhead, making the approach vital for securing cloud, container, and IoT environments.

Static dependent syscall analysis is an advanced technique in operating systems and security disciplines for precisely determining which system calls ("syscalls") an application or binary may invoke, under which conditions, and with which arguments—using static code analysis methods to infer this information prior to execution. The objective is to systematically reduce the kernel attack surface by generating granular filtering rules for syscall mediation frameworks, such as seccomp, without the need for source code or developer intervention. State-of-the-art static dependent syscall analysis approaches combine control-flow and data-dependency analysis of binaries and libraries to build accurate syscall-to-API and syscall-argument mapping, facilitate phase-based filtering, and overcome historical precision and applicability limitations. These methods are critical for securing multi-tenant, containerized, and embedded environments where only binaries are available.

1. Key Concepts and Objectives

Static dependent syscall analysis seeks to answer, with high precision, the following core questions:

Which syscalls can be reached or potentially issued by an application binary or its dependent libraries?
What library APIs transitively invoke which syscalls?
Can argument dependencies from high-level API to syscall be captured, enabling fine-grained policy generation?
Can execution phases be detected so policies can be tightened dynamically as the program transitions through different stages?

The primary motivation is to shrink the attack surface at the kernel interface, avoiding both over- and under-permissive syscall filters. Over-approximation leads to larger attack surfaces and more residual vulnerability exposure; under-approximation risks fatal application errors due to legitimate syscalls being blocked. Solutions like Chestnut (Canella et al., 2020), B-Side (Thévenon et al., 23 Oct 2024), Sysverify (Zhan et al., 4 Oct 2025), and the IoT-specific approach in (Zhan et al., 4 Oct 2025), address these by integrating inter-procedural control-flow analysis, symbolic execution, and argument tracking to systematically map dependencies between the API layers and actual syscalls—with or without source code.

2. Methodological Foundations

Static analysis operates by reconstructing function control-flow graphs (CFGs), tracking call sites and propagation of syscall numbers (usually via ABI-defined registers such as %rax/rdi/w0), and correlating argument flows from the API surface down to raw syscalls. Approaches vary in their focus and technical depth:

Direct and Indirect Call Graph Construction

Direct calls (immediate operands) in binaries are detected via disassembly and pattern matching.
Indirect calls are resolved using address-taken heuristics, type-based alias analysis, and, where available, debug/source information.

Syscall Identification and Mapping

Syscall sites are found by locating instructions like x86-64 "syscall" or ARM "svc 0" and by analyzing known syscall wrapper functions in libraries.
Backward data-flow analysis and symbolic execution track register values to resolve the actual syscall numbers invoked at each site.

Argument Dependency Extraction

Backward taint analysis traces the origins of syscall arguments through the API and library stack.
When control-flow modulation (branches, conditionals) impact arguments, symbolic execution assigns symbolic values to API parameters to systematically enumerate their propagation into syscall arguments.

Method	Binary-only?	Indirect Calls?	Argument Analysis	Phase Detection
Chestnut	Yes	Heuristics	No	No
B-Side	Yes	Symbolic + Heuristics	No	Yes
Sysverify	Yes+Source	Alias+Type	Partial (dynamic)	No
IoT Fine-Grained	Yes	Alias+Type	Yes	No

Systems such as B-Side demonstrate that symbolic execution across directed CFG paths, combined with wrapper-detection, can eliminate false negatives and dramatically reduce false positives (e.g., an average $F_1$ score of 0.81 compared to 0.31 and 0.53 for competitors (Thévenon et al., 23 Oct 2024)). Approaches integrating dynamic verification, like Sysverify, further intercept rarely invoked syscalls at runtime to confirm or block them based on their call chain, which effectively narrows the whitelist in deployed environments (Zhan et al., 4 Oct 2025).

3. Fine-Grained Policy Synthesis

The most recent approaches expand beyond syscall presence to policy specialization based on syscall arguments and execution context:

(Zhan et al., 4 Oct 2025) analyzes both control flow and argument data dependencies to construct mappings: each dynamic library API is associated not only with a syscall, but also with the constraint set on its allowable arguments, derived from symbolic and backward taint analysis.
This allows formation of Seccomp profiles that block unused syscalls and restrict argument values such as socket domain types or flag settings. For example, only permitting AF_INET sockets, not AF_PACKET, sharply reduces the associated kernel code paths and mitigates additional CVEs.

On ARM Linux IoT targets, blocking syscalls alone yielded mitigation of ~35.79 CVEs per application, with argument constraints further mitigating an additional ~61.19 CVEs (on a sample of 120) and an overall performance overhead below 2% relative to classic coarse-grained filtering (Zhan et al., 4 Oct 2025).

4. Automation, Precision, and Performance Analysis

Precision and scalability are central concerns for static dependent syscall analysis:

B-Side's symbolic execution and wrapper-aware approach achieves near-perfect recall and superior precision, identifying on average 55 syscalls per binary (close to ground truth), as opposed to Chestnut's 274 and SysFilter's 96, which suffer from over-approximation due to imprecise indirect call and wrapper handling (Thévenon et al., 23 Oct 2024).
Sysverify employs direct and indirect call analysis across source and binary to bridge the semantic gap, using dynamic hooks to intercept suspicious syscalls, reconstruct execution paths (via stack inspection), and validate them against secure chains, thus eliminating false positives with minimal runtime overhead (~1%) (Zhan et al., 4 Oct 2025).
Automation of phase detection (as in SYSPART (Rajagopalan et al., 2023) and B-Side (Thévenon et al., 23 Oct 2024)) enables temporal specialization: filters are dynamically adjusted as servers move from initialization to serving, allowing stricter policies during steady-state operation.

5. Security Implications and Real-World Deployment

The deployment of static dependent syscall analysis has measurable impact on kernel attack surface reduction:

Automated filter generation frameworks (Chestnut (Canella et al., 2020), B-Side (Thévenon et al., 23 Oct 2024), Sysverify (Zhan et al., 4 Oct 2025), and IoT fine-grained (Zhan et al., 4 Oct 2025)) are demonstrated to block 80–90% of Linux syscalls, with verified mitigation of more than 60% of vulnerable CVEs for production deployments.
For example, Chestnut blocked 302 syscalls (86.5%) via compiler-based static analysis on 18 representative binaries, and its filters prevented exploitation of more than 62% of 175 CVEs in its test set (Canella et al., 2020).
Phase-aware and argument-dependent profiles further reduce attack windows; in evaluation, phase-based filtering decreased allowed syscalls by an additional 11–15% over whole-program filtering (Thévenon et al., 23 Oct 2024).
Fine-grained argument constraints, notably in IoT systems, produced maximally strict profiles with negligible performance cost, vital for resource-constrained environments.

6. Limitations, Challenges, and Future Work

Static approaches—especially those restricted to binary analysis—face inherent limitations:

Precision in indirect call resolution and handling of global variables, complex structures, and pointer-based call chains remains an open research problem.
Existing solutions restrict filtering to numeric arguments, as the underlying seccomp framework cannot efficiently inspect pointers, buffers, or dynamic memory references.
Static analysis may still over-approximate legitimate syscall sets; thus, dynamic verification (as employed in Sysverify or Finalyzer) is a viable method to eliminate rare-path false positives (Zhan et al., 4 Oct 2025).

A plausible implication is that further refinement of inter-procedural analysis, integration of advanced dynamic profiling, and adoption of automata-theoretic phase aggregation (as in B-Side) will continue to drive improvements in precision, scalability, and practicality of automated syscall filtering for both cloud and embedded systems.

7. Synthesis and Outlook

Static dependent syscall analysis now enables comprehensive attack surface minimization through precise and systematic mapping of application/library behavior to kernel interfaces. By leveraging advanced control-flow graph recovery, symbolic execution, call-graph flattening, and argument propagation, modern approaches are capable of producing fine-grained, phase-aware, argument-restricted seccomp profiles with minimal developer involvement. As demonstrated by frameworks including Chestnut (Canella et al., 2020), B-Side (Thévenon et al., 23 Oct 2024), Sysverify (Zhan et al., 4 Oct 2025), and IoT fine-grained analysis (Zhan et al., 4 Oct 2025), this paradigm is essential for securing systems in environments—cloud, container, IoT—where only binaries may be available, and resource and security constraints are paramount.

Advancement in both static and dynamic verification, handling of complex indirect calls, and scalable phase/argument analysis is anticipated to further strengthen automatic kernel access limitation, making this a continually evolving field in operating systems and security research.