Chapter 25 Further Reading: System Calls
Primary References
Linux Syscall Table (x86-64)
https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md
The authoritative reference for Linux x86-64 syscall numbers, argument types, and return values. Maintained by the Chromium project and synchronized with the kernel. Also available from the kernel source at arch/x86/entry/syscalls/syscall_64.tbl.
Linux man-pages Project — Section 2 (System Calls)
https://man7.org/linux/man-pages/dir_section_2.html
Every Linux system call documented with argument types, return values, error codes, and behavior notes. Start here for any syscall you are unfamiliar with. The syscall(2) man page specifically documents the calling convention differences between architectures.
Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 2
https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
Volume 2B, the SYSCALL and SYSRET instruction descriptions. Covers the exact CPU behavior: which MSRs are consulted, which registers are saved, the exact flag semantics. This is the hardware specification, not the OS ABI.
Deep Dives
"Linux x86-64 System Call Entry" — entry_64.S Source
https://elixir.bootlin.com/linux/latest/source/arch/x86/entry/entry_64.S
The actual Linux kernel code that LSTAR points to. Reading entry_SYSCALL_64 shows exactly how the kernel saves registers, switches stacks, dispatches to the right handler, and returns. Cross-reference with arch/x86/kernel/cpu/common.c:syscall_init() which sets up the MSRs.
Brendan Gregg — "strace Wow Much Syscall"
http://www.brendangregg.com/blog/2014-05-11/strace-wow-much-syscall.html
A detailed examination of strace's overhead and the correct situations to use it. Gregg argues that strace doubles execution time for syscall-heavy programs and introduces perf-based alternatives. Essential reading for anyone using strace on production systems.
"How the Linux Kernel Handles a System Call" — Gustavo Duarte
https://manybutfinite.com/post/system-calls/
A thorough visual walkthrough of the syscall mechanism, from user-space through the kernel entry point to the syscall dispatch table. Includes diagrams of the stack frame at each stage. Older but conceptually accurate.
Tools and Utilities
strace(1) Man Page
https://man7.org/linux/man-pages/man1/strace.1.html
Complete documentation for strace flags. Pay attention to -f (follow forks), -e expr (filter expressions), -P path (trace operations on a specific path), and -k (print stack traces with each syscall — requires DWARF debug info).
ltrace(1) — Library Call Tracer
https://ltrace.org/
The complement to strace: ltrace intercepts dynamic library calls (like printf, malloc, fopen). Between strace (syscall level) and ltrace (library level), you can trace almost everything a binary does. Particularly useful when a program's interesting behavior happens in library calls rather than syscalls.
seccomp — Secure Computing Mode
https://man7.org/linux/man-pages/man2/seccomp.2.html
The Linux mechanism for restricting which syscalls a process can make. Used by Docker, the Chrome sandbox, systemd, and every serious security containment system. Understanding the syscall ABI is a prerequisite for writing seccomp filters. The seccomp_filter format defines allowed/denied syscalls and can kill the process, return an error, or log the attempt on violation.
Architecture Comparison
ARM64 Linux Syscall Table
https://arm64.syscall.sh/
ARM64 syscall numbers, argument conventions, and return values. Essential when writing assembly for ARM64 Linux (Raspberry Pi 4+, Apple Silicon under Linux, Android on ARM64). Note that ARM64 uses openat instead of open, clone instead of fork, and many other differences from x86-64.
"The Definitive Guide to Linux System Calls" — Packagecloud Blog
https://blog.packagecloud.io/the-definitive-guide-to-linux-system-calls/
Covers SYSCALL vs. INT 0x80 vs. SYSENTER (32-bit), the vDSO, the syscall table, MSR configuration, and the full path from user space to kernel handler. Excellent for understanding why the current mechanism exists and what it replaced.