[← back]
auris · KM-2024-0002 · syscall tracer

Watching a program by every system call it makes

Auris sits above a running ARM64 process and records every syscall it asks the kernel for. From that stream it learns what normal looks like, flags what is not, and blocks calls the program was never meant to make.

ARM64 LinuxptraceC11live enforcement
open the live siteauris.kuladeepmantri.com
the syscall stream
EVERY SYSTEM CALL, AS IT HAPPENS./myapptraced processaurisptrace tracerx8 · x0–x5profilebaseline · anomaliesopenatexecve
01

A program, described by its system calls

Everything a program does to the outside world goes through a system call. Open a file, open a socket, start another process, change memory permissions. The names on your screen are wrappers. Underneath, it is a few hundred numbered requests to the kernel, and that list is the truest description of what a program is actually doing.

Auris listens to exactly that. It attaches to an ARM64 process through ptrace and stops it at the boundary of every call. It reads the call number from register x8, the arguments from x0 through x5, the return from x0, and records what happened with timing. No kernel module, no patching the target. It stands at the doorway and notes everyone who passes.

02

Six modes on one stream

The tracer is the foundation. Every mode is built on the same syscall stream, and they chain.

learn

Run a program and record its full syscall trace.

profile

Turn traces into a behavioral baseline: which calls, how often, in what shape.

compare

Run it again and diff against the baseline. What is new, what spiked, what went quiet.

policy

Generate an allowlist from a profile: the exact calls this program may make.

enforce

Run under that policy. In block mode a disallowed call never reaches the kernel.

analyze

Hand a profile to a local LLM for a plain-language read of the behavior.

03

What counts as strange

anomaly types · scored against a baseline
new syscall0.7

a call the baseline never made

frequency spikescaled

more than 3x the baseline rate

frequency dropscaled

below 0.1x the baseline rate

sensitive access0.8

a high-sensitivity path touched

why statistics, not a model
This is statistics, not machine learning, on purpose. A new syscall, a rate past three times the baseline, a drop below a tenth of it, a read of a path marked sensitive. Each carries a severity, and they roll up into a deviation score. Simple enough that I can explain every number it produces.
04

Blocking a call before the kernel runs it

Enforcement acts inside the same ptrace stop where it observed the call. When a program under a block policy tries a syscall that is not on its allowlist, Auris rewrites the registers before the kernel runs it: the call number in x8 goes to an invalid value, the return in x0 is set to -EPERM. The program gets a clean permission-denied, and the dangerous call never happened.

$ auris enforce -P <policy-id> -m block -- ./myapp
the ptrace stop loop
targetPTRACE_TRACEMEtracerPTRACE_SYSCALLentry · x8, x0–x5exit · x0, timing
05

The offensive toolkit

A second build adds an offensive toolkit. What is wired, and what is scaffolded:

process injection
real

Wired. It attaches to a running process, finds a code cave, writes shellcode word by word, points the program counter at it, and reads the result from x0. Real ptrace surgery.

shellcode
real

Wired. Hand-assembled ARM64 machine code: exec, reverse shell, bind shell, with documented offsets to patch in an address and port.

ROP gadget finder
partial

Partial. It maps an ELF, walks the executable segments, and finds gadgets ending in ret, svc, or blr. The chain builder is a template. It finds the pieces; it does not assemble the exploit.

06

What it settles

The tracer, the profiler, the compare, and block-mode enforcement all run on ARM64. What Auris settles is that behavioral profiling from raw syscalls is both tractable and readable.

You do not need a model to catch a program doing something it has never done before. You need the stream, a baseline, and the discipline to act at the exact moment the call is made.