Rewriting Every Syscall in a Linux Binary at Load Time

Cutting the operating system down to 40 moves — cheers and panic

TLDR: New trick: swap an app’s OS calls at launch so it only uses a tiny set, promising simpler and safer systems. Commenters split over broken monitoring tools and performance, some pushing virtualization instead, while others joked about C++ in the browser—turning a bold idea into a spicy debate.

Imagine your app talking to your computer’s operating system using just 40 "words" instead of 450. That’s the pitch behind a wild new write-up: rewrite every call to the OS at startup so the app only uses a tiny, custom "library kernel." Security folks swooned; ops teams clutched their dashboards.

The comments were instantly spicy. CableNinja fired the first flare: would this "stealth mode" break everyday monitoring tools? If you ran strace—the classic “what is this app doing?” lens—would you see normal data or a magic trick? Translation: great security means nothing if on-call can’t see the fire.

Performance hawks swooped in next. coppsilgold name-dropped faster trap methods and even gVisor, asking why not lean on proven virtualization. Then jmillikin dropped the mic: if you can use KVM (hardware-assisted virtualization) to catch breakpoints, why not catch syscalls directly—“so why rewrite instructions at all?” Cue record scratch.

Meanwhile, hobbyists cheered the hackery (“I’m tracking memory maps for fun!”), and one bold soul asked if this could let websites run C++ instead of JavaScript. The thread lit up with memes and side-eyes. Net-net: bold idea, huge promise—but the crowd is split between “this slaps” and “this breaks our tools.”

Key Points

  • Single-process containers run atop the full Linux kernel, which exposes ~450 syscalls, most unused by these workloads.
  • Stripping kernel features improves footprint and security but is constrained by deep subsystem interdependencies and fragile workarounds.
  • A measured Python script used roughly 40 distinct syscalls for I/O, networking, and memory management.
  • The proposal is a “library kernel”: implement only the syscalls a process needs as a user-space library, avoiding kernel baggage.
  • A key hurdle is redirecting calls from the real kernel to the library; compiler/toolchain integration is one standard approach but adds maintenance burden.
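The Key Points describe rewriting every syscall site so the call lands in the library kernel instead of the real one. As an added illustration (not code from the write-up or the thread), this Python scanner inventories the `syscall` instructions in a constructed x86-64 code fragment, recovers the syscall number where a preceding `mov eax, imm32` sets it, and flags which sites offer a 7-byte window wide enough to patch in place; the sample bytes and the subset of the syscall table are constructed.

```python
"""Inventory x86-64 `syscall` sites in raw code bytes (constructed example).

On x86-64 Linux a syscall site is the 2-byte instruction 0f 05 with the
number in EAX, most often set immediately before by `mov eax, imm32`
(b8 + 4 little-endian bytes). A load-time rewriter has to find every such
site before it can redirect it into a library kernel.
"""
from dataclasses import dataclass
from typing import List, Optional

SYSCALL = b"\x0f\x05"
MOV_EAX_IMM32 = 0xB8

# Tiny subset of the x86-64 syscall table, only for readable output.
NAMES = {0: "read", 1: "write", 9: "mmap", 60: "exit", 231: "exit_group"}


@dataclass
class Site:
    offset: int              # offset of the 0f 05 bytes
    number: Optional[int]    # syscall number if recoverable statically
    patchable: bool          # 7-byte `mov eax, imm32; syscall` window present


def find_syscall_sites(code: bytes) -> List[Site]:
    """Linear byte scan. Caveat: 0f 05 can also occur inside the operands of
    other instructions, so a production rewriter disassembles instead."""
    sites: List[Site] = []
    pos = code.find(SYSCALL)
    while pos != -1:
        number = None
        if pos >= 5 and code[pos - 5] == MOV_EAX_IMM32:
            number = int.from_bytes(code[pos - 4:pos], "little")
        # A 7-byte mov+syscall pair fits a 5-byte rel32 call plus a 2-byte
        # nop; a bare 2-byte syscall cannot hold a call and needs a detour.
        sites.append(Site(pos, number, number is not None))
        pos = code.find(SYSCALL, pos + 2)
    return sites


def distinct_syscalls(code: bytes) -> List[int]:
    """Sorted set of statically known syscall numbers, like a usage profile."""
    return sorted({s.number for s in find_syscall_sites(code) if s.number is not None})


# Constructed sample: write(...), a syscall whose number comes from a
# register (not statically known), then exit_group(...).
SAMPLE = (
    b"\xb8\x01\x00\x00\x00"   # mov eax, 1      (write)
    b"\x0f\x05"               # syscall
    b"\x89\xd8"               # mov eax, ebx    (number unknown statically)
    b"\x0f\x05"               # syscall
    b"\xb8\xe7\x00\x00\x00"   # mov eax, 231    (exit_group)
    b"\x0f\x05"               # syscall
)
```

Running `find_syscall_sites(SAMPLE)` yields three sites, of which only the two with a literal `mov eax, imm32` can be both named and patched in place; the register-fed one is exactly the case a rewriter must handle with a slower detour.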

Hottest takes

"Would this break observability through existing methods?" — CableNinja
"Why rewrite instructions at all?" — jmillikin
"Can websites just use C++ instead of JavaScript?" — ozgrakkurt

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.