The article proposes rewriting syscall instructions (0F 05 opcode) at binary load time to redirect to a custom handler implementing only the ~40 syscalls a process actually needs, rather than exposing the full 450+ Linux syscall surface to untrusted container code. This avoids the limitations of existing approaches like compiler integration, LD_PRELOAD, unikernels, and seccomp-bpf filters. The technique works below the language and compiler level, catching all syscall paths.
Infrastructure
Rewriting Every Syscall in a Linux Binary at Load Time
Binary-level syscall rewriting at load time reduces container attack surface by whitelisting only the ~40 syscalls each process actually needs, rather than exposing Linux's full 450+ surface.
Saturday, April 18, 2026 12:00 PM UTC | 2 MIN READ | SOURCE: Hacker News | BY sys://pipeline
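As an added illustration (not code from the article or the project it describes), the sketch below shows the first step such a rewriter needs: locating candidate `0F 05` byte pairs in a binary's executable segments. The ELF image is constructed inline as sample input, and the function names are hypothetical.

```python
import struct

SYSCALL = b"\x0f\x05"   # x86-64 `syscall` opcode bytes named in the article
PT_LOAD, PF_X = 1, 1    # ELF program-header type and execute-permission flag

def exec_segments(elf):
    """Return (file_offset, vaddr, size) for each executable PT_LOAD segment."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    segs = []
    for i in range(phnum):
        p_type, flags, off, vaddr, _paddr, filesz = struct.unpack_from(
            "<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD and flags & PF_X:
            if off + filesz > len(elf):
                raise ValueError("segment extends past end of file")
            segs.append((off, vaddr, filesz))
    return segs

def candidate_sites(elf):
    """Virtual addresses of every 0F 05 byte pair inside executable segments."""
    sites = []
    for off, vaddr, size in exec_segments(elf):
        code = elf[off:off + size]
        pos = code.find(SYSCALL)
        while pos != -1:
            sites.append(vaddr + pos)
            pos = code.find(SYSCALL, pos + 1)
    return sites

def build_sample():
    """Constructed two-segment ELF64 image (sample input, never executed)."""
    # mov eax,39 ; syscall ; mov eax,0x50f ; ret  (the immediate also holds 0F 05)
    code = bytes.fromhex("b8270000000f05" "b80f050000" "c3")
    data = SYSCALL  # same bytes in a non-executable segment: must be ignored
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def phdr(flags, off, va, n):
        return struct.pack("<IIQQQQQQ", PT_LOAD, flags, off, va, va, n, n, 0x1000)
    base = 64 + 2 * 56
    return (ehdr + phdr(5, base, 0x401000, len(code))
            + phdr(6, base + len(code), 0x402000, len(data)) + code + data)

if __name__ == "__main__":
    for va in candidate_sites(build_sample()):
        print(hex(va))
```

The second hit in the sample lies inside the immediate of a `mov`, so a raw byte match only yields candidates; a rewriter has to confirm instruction boundaries before patching a site.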