by lloeki 2564 days ago
(Sqreen Ruby engineer) You're right about the basic premise (but not about the details: we don't monitor syscalls): since we stand within the application, we have context of the operations performed and can pinpoint whether some query fragment is a) executable and b) coming from a user, and therefore reliably conclude the action is malicious.

Interesting! The performance of string matching (or even more exotic things like real-time AST generation or even ML) must be better than interfering with every call to system APIs. Thanks for posting.
Ah so:

- taint user input

- simulate execution

Sounds really cool!

Almost sounds like a fun side project tbh.
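The taint-then-check idea from the comments above (mark user input as tainted, then decide whether it ends up in an executable position of the query rather than inside a literal), as an added Ruby example that is not Sqreen's code: a toy SQL lexer, a query builder that records where each user value landed, and a check that flags a value unless it stays inside one string literal or number token. `tokenize`, `build_query` and `injected?` are constructed for this illustration and stand in for a real agent, which takes the tainted values from the framework's request parameters and the final SQL from the database driver instead of building the query itself.

```ruby
require 'strscan'

# Token rules for a deliberately small SQL lexer (constructed for this example).
TOKEN_RULES = [
  [:space,   /\s+/],
  [:string,  /'(?:[^']|'')*'/],
  [:number,  /\d+(?:\.\d+)?/],
  [:word,    /[A-Za-z_][A-Za-z0-9_]*/],
  [:comment, /--[^\n]*|\/\*.*?\*\//m],
  [:op,      /<=|>=|<>|!=|[^\sA-Za-z0-9_']/]
].freeze

# Returns [type, text, start, stop] for each non-space token in sql.
def tokenize(sql)
  s, tokens = StringScanner.new(sql), []
  until s.eos?
    start = s.pos
    type, = TOKEN_RULES.find { |_, re| s.scan(re) }
    type ||= (s.getch && :other)             # lone quote etc.: keep going
    tokens << [type, s.matched, start, s.pos] unless type == :space
  end
  tokens
end

# Fills :name placeholders and records the [start, stop) offsets where each user
# (tainted) value landed. quote: false interpolates raw input, quote: true escapes it.
def build_query(template, params, quote:)
  sql, spans = +'', []
  template.split(/(:\w+)/).each do |part|
    next sql << part unless part.start_with?(':') && params.key?(part[1..-1])
    value = params[part[1..-1]].to_s
    value = value.gsub("'", "''") if quote
    sql << "'" if quote
    spans << [sql.size, sql.size + value.size]
    sql << value << (quote ? "'" : '')
  end
  [sql, spans]
end

# A tainted span is data only if it sits entirely inside one string literal or is
# exactly one number token; anything else means user input became executable SQL.
def injected?(sql, spans)
  tokens = tokenize(sql)
  spans.any? do |from, to|
    hit = tokens.select { |_, _, s, e| s < to && e > from }
    next false if hit.empty?                 # empty value never reached the parser
    type, _, s, e = hit.first
    hit.size > 1 || !(type == :number || (type == :string && from > s && to < e))
  end
end
```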