Threats Intro to POSIX Signals: SIGTERM, SIGHUP, and More

Motivated by financial gain, activism, or geopolitics, threat actors attempt to exploit anything they can to cause damage. Attacks target all levels of the OSI model of layered networking protocols to gain initial access, and all layers of the OS/application stack; they even seek to exploit human emotions via social engineering. Some cyber attacks even target the laws of physics themselves—such as electromagnetic interference or audio analysis of keystrokes—to gain an advantage.

This article will evaluate a low-level attack surface that leverages how OS system internals work. POSIX (Portable Operating System Interface) signals recently played an important role in a vulnerability known as RegreSSHion CVE-2024-6387, so it's worthwhile to take a moment to understand them and their role in OS architecture.

What Are POSIX Signals?

In POSIX-compliant operating systems (macOS, Linux distrox, Unix, Solaris for example), signals are a form of limited inter-process communication (IPC) used to inform a process that a specific event has occurred. Signals can be sent by the operating system, a user, or other processes, and they are used to request a process to perform a predefined action, such as termination or suspension. As such signals are both sent by processes and sent to processes (or threads, in multithreaded programs).

When a signal is delivered to a process, the operating system interrupts its normal execution flow and triggers a signal handler function if one is defined in the program. Otherwise, the default behavior associated with the signal is executed by the kernel on behalf of the process. This mechanism is vital for managing process states, handling errors, and responding to asynchronous events.

How SSH Vulnerability RegreSSHion Exploited POSIX Signals

In 2024, the vulnerability known as RegreSSHion (CVE-2024-6387) made headlines for reintroducing a dangerous flaw in the OpenSSH server (sshd)—one that had been patched more than a decade prior. The vulnerability allowed unauthenticated remote attackers to gain root-level code execution by exploiting how sshd handled POSIX signals, particularly under specific race conditions.

POSIX-compliant systems (i.e. Linux, macOS, and other UNIX-based systems) use signals, a process-level mechanism—such as SIGALRM, SIGHUP, and SIGCHLD—to manage asynchronous events like timeouts and child processes. In sshd, certain signals were used to manage session timeouts and connection errors. However, due to unsafe use of signal-handling functions, CVE-2024-6387 allowed an attacker to send repeated SSH connection attempts that would trigger specific signals to exploit the race condition. This flaw made it possible for attackers to corrupt memory and force sshd into unsafe states, eventually gaining arbitrary code execution as root. 

RegreSSHion highlighted a critical lesson in secure coding for signal handling on UNIX-like systems: signal handlers must only use async-signal-safe functions, and shared state must be carefully guarded. It also served as a cautionary tale about regression vulnerabilities—bugs thought to be patched can reappear if legacy code is reintroduced or if test coverage fails.

Common POSIX Signals

Below is a comprehensive list of the most common signals defined in POSIX, along with their names, signal numbers, and descriptions of their typical use cases:

• SIGHUP (1): Sent to a process when its controlling terminal is closed or when the process receives a hangup signal. It is often used to instruct a process to reload its configuration files without terminating.

• SIGINT (2): Triggered by the user pressing Ctrl+C in the terminal. It is used to interrupt and terminate a process.

• SIGQUIT (3): Sent when the user presses Ctrl+\. This signal causes the process to terminate and produce a core dump for debugging purposes.

• SIGILL (4): Indicates that the process has attempted to execute an illegal, malformed, or privileged instruction. Typically used to detect corruption or programming errors.

• SIGTRAP (5): Generated by the debugging mechanism when a process reaches a breakpoint or performs a trace operation.

• SIGABRT (6): Sent when a process calls the abort() function, typically to signal an abnormal termination, such as assertion failures.

• SIGBUS (7): Indicates a memory access error, such as accessing an unaligned address.

• SIGFPE (8): Indicates an erroneous arithmetic operation, such as division by zero or overflow.

• SIGKILL (9): Used to forcefully terminate a process. This signal cannot be caught, blocked, or ignored, making it a reliable way to kill an unresponsive or misbehaving process.

Understanding Signal Handling in POSIX

Signal handling allows developers to define how their applications respond to various signals. SIGTERM (terminate) or SIGUSR1 (user-defined) can be intercepted and handled, allowing for graceful shutdowns or custom behavior. However, certain signals like SIGKILL (immediate termination) and SIGSTOP (pause) cannot be caught, blocked, or ignored, making them reliable for terminating or suspending processes unconditionally.

Each language provides different levels of support for signal handling, and choosing the appropriate one depends on the application's requirements and the developer's familiarity with the language. For system-level programming and process management, languages like C, C++, and Go offer more control over signal handling, while higher-level languages like Python and JavaScript offer more convenience and ease of use.

Understanding and properly implementing signal handling allows applications to gracefully handle unexpected events, respond to external triggers, and maintain robustness and stability in various operational environments.

Conclusion

POSIX signals are a fundamental part of UNIX-like operating systems, enabling process control and communication. Recent vulnerabilities like RegreSSHion (CVE-2024-6387) highlight how mishandled signals can lead to critical exploits. Understanding signal behavior and safe handling practices is essential for secure system design and defense.