Does Windows have seccomp-bpf equivalent?

Hello.

I’ve been writing software that runs freestanding ELF binaries by implementing its own loader. I want to sandbox this execution. One of my sandboxing layers is to disable all syscalls from the loaded ELF binary. Instead, any interaction with the host system has to go through a vtable. On OpenBSD this is easy, because OpenBSD disallows syscalls from untrusted call sites by default. On Linux this can be done easily with seccomp. On macOS I’m not yet sure, but probably with Hypervisor.framework I can achieve something similar to seccomp, albeit with more cost. On Windows, though, I can’t seem to find any way to do this from an unprivileged application.

I first thought of doing it the costly way, by launching the loader process in a debugger, but I quickly found out that debuggers can’t reliably break on syscalls.

Do you have any recommendations? Is my only option to write a kernel driver?