Rewriting Every Syscall in a Linux Binary at Load Time
Summary
The article proposes rewriting every Linux syscall in a binary at load time so as to minimize the kernel surface area exposed to the program and to enforce policy from a user-space shim inside a minimal VM runtime. It argues for binary rewriting over ptrace, seccomp, or eBPF and gives a concrete, detail-rich method: walk the code with an instruction length decoder so that only real instruction boundaries are considered, patch every 0F 05 syscall instruction to the same-length INT3/NOP pair (CC 90), and route the resulting traps through a shim whose behavior is policy-driven, including self-healing for JIT-generated code via LSTAR. It also covers edge cases and lays the groundwork for a multi-part series on agent sandboxing and security runtimes.
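As an added worked example, not code from the article, the following C program shows the core of the method on Linux x86-64: a hand-assembled guest function is loaded into a fresh page, its 0F 05 is patched to CC 90 at an instruction boundary, and a SIGTRAP handler acts as the shim, reading the syscall number from RAX, applying a policy, forwarding or denying the call, and resuming after the NOP. The guest bytes are constructed here, the instruction start offsets (GUEST_STARTS) are hard-coded to stand in for the output of a length decoder, and the policy (allow getpid only) is an assumption for the demo. The bait instruction at offset 0 shows why the decoder matters: a plain byte scan would "find" a syscall inside an immediate and corrupt the instruction.

```c
/* Added example (not the article's code): minimal load-time syscall patch plus
 * trap-based shim for Linux x86-64 (glibc or musl). */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <ucontext.h>
#include <unistd.h>

#ifndef REG_RIP /* glibc exposes these only under _GNU_SOURCE; same gregs layout */
#define REG_R8  0
#define REG_R9  1
#define REG_R10 2
#define REG_RDI 8
#define REG_RSI 9
#define REG_RDX 12
#define REG_RAX 13
#define REG_RIP 16
#endif

/* Constructed guest (hand-assembled x86-64):
 *   0: b8 0f 05 00 00   mov eax, 0x050f   ; bait: 0F 05 inside an immediate
 *   5: b8 nn 00 00 00   mov eax, <nr>     ; syscall number filled in by run_guest
 *  10: 0f 05            syscall
 *  12: c3               ret                                                 */
static const uint8_t GUEST_TEMPLATE[] = {0xb8, 0x0f, 0x05, 0x00, 0x00,
                                         0xb8, 0x00, 0x00, 0x00, 0x00,
                                         0x0f, 0x05, 0xc3};
#define GUEST_LEN sizeof(GUEST_TEMPLATE)
/* Instruction start offsets: assumed output of a length decoder. */
static const size_t GUEST_STARTS[] = {0, 5, 10, 12};
#define GUEST_NINSN (sizeof(GUEST_STARTS) / sizeof(GUEST_STARTS[0]))

static volatile long g_last_trapped_nr = -1;
static size_t g_last_naive_hits, g_last_patched;

/* Byte-pattern scan: also counts the 0F 05 inside the immediate at offset 1,
 * which is not an instruction at all. Shown only to illustrate the pitfall. */
size_t naive_scan(const uint8_t *code, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == 0x0f && code[i + 1] == 0x05) hits++;
    return hits;
}

/* Boundary-aware patch: only an 0F 05 that starts an instruction is a syscall.
 * INT3 + NOP is also two bytes, so no relocation of the surrounding code. */
size_t patch_syscalls(uint8_t *code, size_t len, const size_t *starts, size_t n) {
    size_t patched = 0;
    for (size_t i = 0; i < n; i++) {
        size_t off = starts[i];
        if (off + 1 < len && code[off] == 0x0f && code[off + 1] == 0x05) {
            code[off] = 0xcc;      /* INT3 */
            code[off + 1] = 0x90;  /* NOP */
            patched++;
        }
    }
    return patched;
}

/* Demo policy (assumption): allow getpid, deny everything else with -EPERM. */
static int policy_allows(long nr) { return nr == SYS_getpid; }

static void shim_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)si;
    greg_t *regs = ((ucontext_t *)ctx)->uc_mcontext.gregs;
    long nr = regs[REG_RAX];
    g_last_trapped_nr = nr;
    if (policy_allows(nr)) {
        /* Forward with the syscall ABI's argument registers (rdi, rsi, rdx, r10, r8, r9). */
        long r = syscall(nr, regs[REG_RDI], regs[REG_RSI], regs[REG_RDX],
                         regs[REG_R10], regs[REG_R8], regs[REG_R9]);
        regs[REG_RAX] = (r == -1) ? -errno : r;  /* kernel-style -errno in rax */
    } else {
        regs[REG_RAX] = -EPERM;
    }
    /* INT3 is a trap: RIP already points at the NOP; skip it. A real shim
     * would also verify that RIP-1 is one of its own patched sites. */
    regs[REG_RIP] += 1;
}

static int install_shim(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = shim_handler;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGTRAP, &sa, NULL);
}

/* "Load" the guest with the given syscall number: copy, patch while writable,
 * then flip to RX and call it. Returns what the guest sees in rax. */
long run_guest(uint32_t nr) {
    if (install_shim() != 0) return -1;
    uint8_t *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, GUEST_TEMPLATE, GUEST_LEN);
    memcpy(page + 6, &nr, sizeof nr);  /* little-endian imm32 of the mov */
    g_last_naive_hits = naive_scan(page, GUEST_LEN);
    g_last_patched = patch_syscalls(page, GUEST_LEN, GUEST_STARTS, GUEST_NINSN);
    if (mprotect(page, 4096, PROT_READ | PROT_EXEC) != 0) return -1;
    long r = ((long (*)(void))(uintptr_t)page)();
    munmap(page, 4096);
    return r;
}

int main(void) {
    printf("getpid via shim: %ld (real %d)\n", run_guest(SYS_getpid), getpid());
    printf("naive 0F 05 hits: %zu, boundary-aware patches: %zu\n",
           g_last_naive_hits, g_last_patched);
    printf("write via shim: %ld (-EPERM is %d)\n", run_guest(SYS_write), -EPERM);
    return 0;
}
```

The denied write returns -EPERM to the guest exactly as the kernel would, so the program sees a normal error rather than a crash; that is the property a policy-driven shim needs. The naive scan reports two hits against one real syscall, which is the false-positive case the length decoder exists to avoid.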