System Call Boundary

Follow one syscall from userspace registers through the trap instruction, policy filters, dispatch table, kernel handler, and return value.

user mode | kernel mode

1. libc wrapper: Userspace prepares read(), loads rax=0, and arranges rdi=fd, rsi=buf, rdx=count.
2. syscall instruction: The CPU executes syscall, switches from ring 3 to ring 0, saves user RIP in rcx, and jumps to the kernel entry trampoline.
3. ptrace / audit / seccomp: Tracing and policy hooks can inspect the syscall before dispatch. Seccomp may allow, deny, kill, trap, or notify.
4. syscall table dispatch: Linux indexes the architecture-specific syscall table with number 0 and selects the matching handler.
5. kernel handler: The handler validates user pointers and performs the real work for read(). rax=byte count or -errno.

Step 1 / 5: libc wrapper

A process reads bytes from an existing file descriptor. The kernel has to validate the fd, fetch data, and copy it back safely. Userspace prepares read(), loads rax=0, and arranges rdi=fd, rsi=buf, rdx=count.

syscall number: 0
register setup: rdi=fd, rsi=buf, rdx=count
current result: ready
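
The register setup and the rax return convention described above, as an added example in C that is not part of the original lab. `raw_read` and `read_from_pipe` are hypothetical helper names, the pipe contents are constructed sample input, and the inline-assembly path assumes Linux on x86-64 (other targets fall back to libc's `syscall()`).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example helper: read() issued straight across the boundary.
 * Returns what the kernel leaves in rax: byte count or -errno. */
static long raw_read(int fd, void *buf, unsigned long count)
{
#if defined(__linux__) && defined(__x86_64__)
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)                 /* rax: result on return   */
                     : "a"(0L),                  /* rax: syscall number 0   */
                       "D"((long)fd), "S"(buf), "d"(count)
                     : "rcx", "r11", "memory");  /* rcx=user RIP, r11=RFLAGS */
    return ret;
#else   /* other targets: go through libc and undo its errno translation */
    long ret = syscall(SYS_read, fd, buf, count);
    return ret < 0 ? -errno : ret;
#endif
}

/* Constructed input: five bytes queued in a pipe, then read back. */
static long read_from_pipe(void *buf, unsigned long count)
{
    int p[2];
    long ret = -EIO;
    if (pipe(p) != 0)
        return -errno;
    if (write(p[1], "hello", 5) == 5)
        ret = raw_read(p[0], buf, count);
    close(p[0]);
    close(p[1]);
    return ret;
}

int main(void)
{
    char buf[8];
    printf("valid fd and buffer: %ld\n", read_from_pipe(buf, sizeof buf));
    printf("invalid fd:          %ld (-EBADF)\n", raw_read(-1, buf, sizeof buf));
    printf("unmapped buffer:     %ld (-EFAULT)\n", read_from_pipe((void *)1, 5));
    return 0;
}
```

The last two calls show the handler's validation: a bad fd and an unmapped user pointer each come back as a negative errno in rax rather than as a crash.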
