Efficient Linux System Call Interception: Beyond the Inefficiencies of ptrace
2025-01-05
This article introduces a more efficient method for intercepting Linux system calls than ptrace: seccomp user notify. Leveraging BPF filters, it returns only for desired system calls, significantly reducing performance overhead. The author uses their tool, copycat, as an example, demonstrating how to intercept open() system calls to achieve file replacement. The article details the seccomp user notify mechanism, including BPF filter creation and system call argument handling. Security and potential issues, such as TOCTOU attacks, are also discussed.
Development
System Calls