Watching a program by every system call it makes
Auris sits above a running ARM64 process and records every syscall it asks the kernel for. From that stream it learns what normal looks like, flags what is not, and blocks calls the program was never meant to make.
A program, described by its system calls
Everything a program does to the outside world goes through a system call. Open a file, open a socket, start another process, change memory permissions. The names on your screen are wrappers. Underneath, it is a few hundred numbered requests to the kernel, and that list is the truest description of what a program is actually doing.
Auris listens to exactly that. It attaches to an ARM64 process through ptrace and stops it at the boundary of every call. It reads the call number from register x8, the arguments from x0 through x5, the return from x0, and records what happened with timing. No kernel module, no patching the target. It stands at the doorway and notes everyone who passes.
Six modes on one stream
The tracer is the foundation. Every mode is built on the same syscall stream, and they chain.
Run a program and record its full syscall trace.
Turn traces into a behavioral baseline: which calls, how often, in what shape.
Run it again and diff against the baseline. What is new, what spiked, what went quiet.
Generate an allowlist from a profile: the exact calls this program may make.
Run under that policy. In block mode a disallowed call never reaches the kernel.
Hand a profile to a local LLM for a plain-language read of the behavior.
What counts as strange
a call the baseline never made
more than 3x the baseline rate
below 0.1x the baseline rate
a high-sensitivity path touched
Blocking a call before the kernel runs it
Enforcement acts inside the same ptrace stop where it observed the call. When a program under a block policy tries a syscall that is not on its allowlist, Auris rewrites the registers before the kernel runs it: the call number in x8 goes to an invalid value, the return in x0 is set to -EPERM. The program gets a clean permission-denied, and the dangerous call never happened.
$ auris enforce -P <policy-id> -m block -- ./myappThe offensive toolkit
A second build adds an offensive toolkit. What is wired, and what is scaffolded:
Wired. It attaches to a running process, finds a code cave, writes shellcode word by word, points the program counter at it, and reads the result from x0. Real ptrace surgery.
Wired. Hand-assembled ARM64 machine code: exec, reverse shell, bind shell, with documented offsets to patch in an address and port.
Partial. It maps an ELF, walks the executable segments, and finds gadgets ending in ret, svc, or blr. The chain builder is a template. It finds the pieces; it does not assemble the exploit.
What it settles
The tracer, the profiler, the compare, and block-mode enforcement all run on ARM64. What Auris settles is that behavioral profiling from raw syscalls is both tractable and readable.
You do not need a model to catch a program doing something it has never done before. You need the stream, a baseline, and the discipline to act at the exact moment the call is made.