Systrack v0.5.1

Improvements:

• x86: improve x86 syscall extraction code fixing undetected CALL targets.

Internal changes:

• x86: add some tests for syscall extraction based on v6.11 kernel build.

Systrack v0.5

We tried so hard, and got so far, but in the end, we need a disassembler! x86 mitigations have defeated us, we no longer have syscall tables to rely on. Kernel developers were kind enough to write very simple ABI-specific switch-based handlers to dispach syscalls, so analysis is still possible... just significantly more complicated.

Breaking changes:

• Drop support for Python 3.6 and 3.7. Systrack now requires Python 3.8+. This is because of the new dependency on iced-x86.

Improvements:

• x86: support new kernels (6.9+) with no syscall tables.
• Remove unnecessary spaces between asterisks for double pointers in function signatures.
• Avoid KFCI __{cfi,pfx}_ symbols when looking for ni_syscall symbols.

Internal changes:

• Depend on iced-x86 for disassembling x86 instructions and on jinja2 for HTML output directly. Remove optional dependencies and only build one package.
• Rename test folder to tests to use the hatch test as test commnad.
• Improve logging reproducibility by sorting more debugging log output.
• Improve broken Python package metadata (Python packaging moment).

Systrack v0.5-rc1

Systrack v0.5-rc1

Systrack v0.4

New arch support: PowerPC 32-bit, tested on v5.0+ kernels.

Improvements:

• Improve kconfig dependency checking logic for better warning/error messages.
• PowerPC PPC64: improve esoteric fast switch_endian syscall detection.
• Better (narrower) emoji spacing in HTML output.

Bug fixes:

• Correctly report delete_module depending on CONFIG_MODULE_UNLOAD=y.
• Fix incorrectly handled shared syscall table in x86-64 x32 ABI resulting in duplicated and unwanted entries in the output for kernels older than v5.4.
• Fix chance of building kernels without memfd_create, memfd_secret, delete_module (and possibly others) by always enabling MEMFD_CREATE, MODULE_UNLOAD, NET and SECRETMEM when available.
• Fix wrong handling of relative --kdir path (e.g., .) in some cases.
• Fix missed detection of non-implemented syscalls pointing to kernel/sys_ni.c when DWARF debug info contains relative paths.
• x86 x32: fix some x64 syscalls reported twice because both the x64 number and the historycally misnumbered x32 numbers (512-547) were being considered valid.

Internal changes:

• Ignore sound/ and user/ dirs to speed up grepping syscall definitions.
• Implement some basic unit tests for powerpc dummy/esoteric syscall detection.

Systrack v0.4-rc3

Systrack v0.4-rc3

Systrack v0.4-rc2

Systrack v0.4-rc2

Systrack v0.4-rc1

Systrack v0.4-rc1

Systrack v0.3.3

Improvements:

• Correctly report lsm_{list_modules,get_self_attr,set_self_attr} depending on CONFIG_SECURITY=y.

Systrack v0.3.2

Improvements:

• Correctly report new futex_{wait,wake,requeue} syscalls depending on CONFIG_FUTEX=y.
• Use unicorn emoji (cuter) instead of test tube for esoteric syscalls in HTML output.

Systrack v0.3.1

Improvements:

• x86: Add build support for map_shadow_stack.
• Prefer compat_sys_ over __se_compat_sys_ and other longer symbol synonyms; same for .compat_sys_ on PowerPC.

Bug fixes:

• Fix broken naive grepping of syscall definitions when no ripgrep is available.
• Correctly report cachestat depending on CACHESTAT_SYSCALL=y.

Internal changes:

• Sort stderr logs for reproducible output and easier diffing.
• Skip lib/ directory in kernel sources to improve grepping performance.