Identifying syscalls (part2)

First problem that appears in the previous post is that objdump is arch specific, so decompiling for ARM, for example, would need a different implementation of objdump. This is why, in order find all the system calls made in userspace, it is better to use nm, which will include all the calls to libc.

In order to keep a list consisting only of syscalls, we will intersect the ouput of nm with a list resulting from a simple grep in kernel/sys_ni.c that gives us all the possible syscalls that can be conditionally compiled. And this will filter out the first obtained list. So we will have something similar with:

[‘uselib’, ‘io_submit’, ‘io_setup’, ‘madvise’] (1)

list of all syscalls from kernel/sys_ni.c (2)

(2) \ ((1) ∩ (2)) => [list of all syscalls that we don’t need to compile in]

Furthermore, we need to match each syscall with the corresponding symbols that compile it out. This is obtained by parsing all source files and Makefiles in the kernel tree, following the next steps:

– use a stack in order to know between which ifdef and endif a syscall is defined;

– keep a dictionary where the key is the syscall and the values are all the symbols that it depends on and the conditionals between them;

Having all of these done, we can easily combine them and obtain two simple lists [1]. The output is only a suggestion, as opposed to automatically setting the given symbols to ‘no’, for two reasons:

 

– some of those symbols that can be set to ‘no’ (considering syscalls) may compile out some code that is useful for the developer;

– the obtained Kconfig options can have dependencies which need to be solved by hand.

[1] http://pastebin.com/iZ5AcVw2

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s