Systrack v0.6

Improvements:

• More robust and comprehensive syscall definition location search.

Bug fixes:

• Fix broken syscall definition location search and subsequent signature
  extraction. Some syscalls were incorrectly reported as defined in place of
  others, also causing the wrong signature to be extracted. Do not fully trust
  the output of addr2line and perform full syscall name matching to fix this.
  PowerPC was notably affected the most by this issue.

Systrack v0.5.1

Improvements:

• x86: improve x86 syscall extraction code fixing undetected CALL targets.

Internal changes:

• x86: add some tests for syscall extraction based on v6.11 kernel build.

Systrack v0.5

We tried so hard, and got so far, but in the end, we need a disassembler! x86 mitigations have defeated us, we no longer have syscall tables to rely on. Kernel developers were kind enough to write very simple ABI-specific switch-based handlers to dispach syscalls, so analysis is still possible... just significantly more complicated.

Breaking changes:

• Drop support for Python 3.6 and 3.7. Systrack now requires Python 3.8+. This is because of the new dependency on iced-x86.

Improvements:

• x86: support new kernels (6.9+) with no syscall tables.
• Remove unnecessary spaces between asterisks for double pointers in function signatures.
• Avoid KFCI __{cfi,pfx}_ symbols when looking for ni_syscall symbols.

Internal changes:

• Depend on iced-x86 for disassembling x86 instructions and on jinja2 for HTML output directly. Remove optional dependencies and only build one package.
• Rename test folder to tests to use the hatch test as test commnad.
• Improve logging reproducibility by sorting more debugging log output.
• Improve broken Python package metadata (Python packaging moment).

Systrack v0.5-rc1

Systrack v0.5-rc1

Systrack v0.4

New arch support: PowerPC 32-bit, tested on v5.0+ kernels.

Improvements:

• Improve kconfig dependency checking logic for better warning/error messages.
• PowerPC PPC64: improve esoteric fast switch_endian syscall detection.
• Better (narrower) emoji spacing in HTML output.

Bug fixes:

• Correctly report delete_module depending on CONFIG_MODULE_UNLOAD=y.
• Fix incorrectly handled shared syscall table in x86-64 x32 ABI resulting in duplicated and unwanted entries in the output for kernels older than v5.4.
• Fix chance of building kernels without memfd_create, memfd_secret, delete_module (and possibly others) by always enabling MEMFD_CREATE, MODULE_UNLOAD, NET and SECRETMEM when available.
• Fix wrong handling of relative --kdir path (e.g., .) in some cases.
• Fix missed detection of non-implemented syscalls pointing to kernel/sys_ni.c when DWARF debug info contains relative paths.
• x86 x32: fix some x64 syscalls reported twice because both the x64 number and the historycally misnumbered x32 numbers (512-547) were being considered valid.

Internal changes:

• Ignore sound/ and user/ dirs to speed up grepping syscall definitions.
• Implement some basic unit tests for powerpc dummy/esoteric syscall detection.

Systrack v0.4-rc3

Systrack v0.4-rc3

Systrack v0.4-rc2

Systrack v0.4-rc2

Systrack v0.4-rc1

Systrack v0.4-rc1

Systrack v0.3.3

Improvements:

• Correctly report lsm_{list_modules,get_self_attr,set_self_attr} depending on CONFIG_SECURITY=y.

Systrack v0.3.2

Improvements:

• Correctly report new futex_{wait,wake,requeue} syscalls depending on CONFIG_FUTEX=y.
• Use unicorn emoji (cuter) instead of test tube for esoteric syscalls in HTML output.