Post

What Are Syscalls in Linux and How Can We Use Them?

Posted Updated
By Nathan Berg
7 min read
What Are Syscalls in Linux and How Can We Use Them?

System calls serve as a fundamental interface between a program and the operating system. When a program needs to perform operations such as reading from a file, sending data over a network, or allocating memory, it makes a syscall. These calls execute in kernel mode, which provides the privileges needed to access hardware resources and core system functionalities. Without syscalls, user-space programs would be unable to do even the most basic tasks—like reading input or writing output—since they lack the permissions to directly manipulate hardware or protected system memory.

Syscalls abstract the complexity of hardware operations, allowing developers to focus on higher-level logic rather than low-level hardware details. It’s akin to asking a librarian to fetch a specific book from the archive rather than rummaging around yourself. This abstraction not only streamlines development but also helps maintain overall system stability and security by preventing user applications from interfering with kernel-level operations. Thanks to syscalls, developers can write code that is simultaneously powerful and portable, working smoothly across different Linux distributions and hardware architectures.

The Mechanics of Syscalls

When a syscall is invoked, several critical steps take place under the hood:

  1. Triggering the syscall: In assembly (on x86), the classic approach uses the int 0x80 instruction, although modern systems might use the syscall instruction. Either way, this special instruction switches the processor from user mode to kernel mode, initiating the syscall.

  2. Switching to kernel mode: Once the interrupt or syscall instruction executes, the CPU transitions into privileged kernel mode, allowing access to protected resources and system memory. This prevents user-space code from directly manipulating critical kernel structures or hardware.

  3. Executing the syscall: Inside the kernel, the requested operation—such as reading from a file or allocating memory—is carried out. The kernel maintains a syscall table that maps syscall numbers to their corresponding handler functions.

  4. Returning the result: After the kernel finishes the requested operation, it switches back to user mode and returns the result to the calling program. This protects the system from arbitrary user-space code continuing to run with elevated privileges.

Commonly Used Syscalls

Linux provides a wide variety of syscalls. Some of the most frequently used include:

  • open: Opens a file and returns a file descriptor.

  • read: Reads data from a file descriptor into a buffer.

  • write: Writes data from a buffer to a file descriptor.

  • close: Closes an open file descriptor, ensuring that resources are freed.

  • sendfile: Transfers data between two file descriptors efficiently with minimal copying overhead.

Collectively, these syscalls enable robust file and device I/O, allowing developers to seamlessly interact with the underlying system in a standardized, uniform way.

How to Use Syscalls in Linux

While high-level languages such as C typically wrap syscalls in more convenient library functions (e.g., fopenfclose, etc.), understanding how syscalls work under the hood offers deeper insight into Linux internals, especially for those interested in systems programming or information security.

Using Syscalls in C

Below is an example of using syscalls directly in C to open a file, read its contents, and display the data on screen using the syscall() function from unistd.h:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main(void) {
    int fd;
    char buffer[128];
    ssize_t bytesRead;

    // Open the file
    fd = syscall(SYS_open, "example.txt", O_RDONLY);
    if (fd < 0) {
        perror("Error opening file");
        return 1;
    }

    // Read from the file
    bytesRead = syscall(SYS_read, fd, buffer, sizeof(buffer) - 1);
    if (bytesRead < 0) {
        perror("Error reading file");
        syscall(SYS_close, fd);
        return 1;
    }

    // Null-terminate the buffer so we can safely print it
    buffer[bytesRead] = '\0';
    // Print to STDOUT using the standard library's printf (for convenience)
    printf("%s", buffer);

    // Close the file
    syscall(SYS_close, fd);

    return 0;
}

In this snippet:

  • syscall(SYS_open, ...) opens "example.txt" in read-only mode and returns a file descriptor.

  • syscall(SYS_read, ...) reads up to sizeof(buffer) - 1 bytes, placing them into buffer.

  • We then insert a null terminator ('\0') so that standard C functions like printf() know where the string ends.

  • Finally, syscall(SYS_close, ...) closes the file, ensuring the file descriptor is freed.

Using Syscalls in x86 Assembly

For an even deeper look at how syscalls operate, you can use 32-bit x86 assembly with the int 0x80 mechanism. Note that modern 64-bit systems typically use the syscall instruction instead, but the principle is similar.

Below is an example assembly program that opens a file, reads its contents, writes those contents to standard output, and then exits. This code is intended for a 32-bit environment (e.g., assembled with nasm -f elf32 and linked with ld -m elf_i386):

section .data
    filename db 'example.txt', 0      ; Null-terminated filename
    buffer   times 128 db 0          ; 128-byte buffer initialized to 0

section .text
    global _start

_start:
    ; 1. Open the file: open("example.txt", O_RDONLY)
    mov eax, 5               ; syscall number for sys_open (32-bit)
    mov ebx, filename        ; address of filename
    mov ecx, 0               ; flags = O_RDONLY
    mov edx, 0               ; mode (unused for read-only)
    int 0x80
    mov esi, eax             ; store the file descriptor in ESI

    ; 2. Read from the file: read(fd, buffer, 127)
    mov eax, 3               ; syscall number for sys_read
    mov ebx, esi             ; file descriptor
    mov ecx, buffer          ; buffer to store data
    mov edx, 127             ; number of bytes to read
    int 0x80
    mov edi, eax             ; store the number of bytes read in EDI

    ; 3. Write to stdout: write(1, buffer, bytes_read)
    mov eax, 4               ; syscall number for sys_write
    mov ebx, 1               ; file descriptor 1 = stdout
    mov ecx, buffer          ; buffer containing data
    mov edx, edi             ; number of bytes to write
    int 0x80

    ; (Optional) Close the file: close(fd)
    mov eax, 6               ; syscall number for sys_close
    mov ebx, esi             ; file descriptor
    int 0x80

    ; 4. Exit the program: exit(0)
    mov eax, 1               ; syscall number for sys_exit
    xor ebx, ebx             ; exit status = 0
    int 0x80

Key points about this assembly example:

  1. We place the syscall number in the eax register (e.g., eax = 5 for openeax = 3 for read, etc.).

  2. We set the appropriate arguments in ebxecx, and edx, following the 32-bit Linux syscall calling convention.

  3. The int 0x80 instruction triggers the system call, switching to kernel mode to execute the requested operation.

  4. The return value is placed in eax. For the read operation, eax holds the number of bytes actually read. We move it into edi so that we can use it later without overwriting the file descriptor.

  5. Finally, we clean up by optionally closing the file and then calling exit(0) to terminate the program gracefully.

Assembly tips:

  • On a 64-bit system, you may need a special environment or cross-compiler flags to produce 32-bit binaries (e.g., -m32 in GCC or using ld -m elf_i386).

  • If you want to use the 64-bit syscall instruction, the calling convention and register usage differ. You’d also rely on different syscall numbers (consult /usr/include/asm/unistd_64.h on a typical Linux system).

Security Implications of Syscalls

Because syscalls provide direct interaction with the operating system, improper usage can lead to security vulnerabilities such as buffer overflows or privilege escalation. An attacker who exploits a flawed syscall invocation could potentially execute arbitrary code with elevated privileges.

From an information security standpoint, you should:

  • Validate all inputs: Ensure buffers are adequately sized and user input is sanitized before issuing syscalls.

  • Check return values: After every syscall, verify whether it succeeded. This prevents unexpected states or unhandled errors.

  • Apply the principle of least privilege: Only request the capabilities and file permissions you truly need.

  • Use modern security tools: Static analysis, fuzz testing, and runtime monitoring can reveal hidden flaws in syscall usage.

Conclusion

Syscalls form the backbone of Linux, bridging the gap between user-space programs and the kernel. Understanding these low-level interfaces is crucial for anyone working in system programming, performance optimization, or information security. By mastering syscalls, you can:

  • Write more efficient and transparent code,

  • Gain insights into kernel-level operations and how the OS enforces security,

  • Develop applications with greater control over file I/O, networking, and memory management.

Whether you’re performing a simple file read or implementing complex kernel-level logic, syscalls open the door to unlocking the full potential of Linux. With the right precautions, they allow you to build powerful, flexible, and secure software on one of the most widely used operating systems in the world. Happy coding!

blog
syscalls linux programming security kernel c assembly
This post is licensed under CC BY 4.0 by the author.