[nibbleshifter]

Hmmm, there's interesting possibilities here to build a kind of application-IDS.

Execute and monitor a program/app while running its full test suite, to generate a model of all the stuff that program normally does.

Then monitor it in prod and if it starts behaving weirdly, kill it (and investigate).

I wonder how well the models will hold up against attacks that merely exercise normal application functions in unusual ways?

[chrismarlow9]

Sounds like you might like apparmor

https://debian-handbook.info/browse/stable/sect.apparmor.htm...

Also worth looking into is seccomp profiles, although that's a bit different but useful for containers and securing your own code where the attack surface might be massive or you may be running untrusted code. Think trying to secure things like online language "playgrounds" from server side exploitation.

[jeffbee]

It might be worth it in certain cases of extreme security requirements, but the implications of what you suggest are severe. For example, you've ruled out the convenience of many operator actions. Instead of being able to change your resolver configs, first you'd have to change the resolver configs in the training environment, deploy a model that permits the old and new behavior into prod, then finally deploy your new configs. The same would be true for other things like timezone database updates. Any kind of external stimulus that changes your application's syscall pattern would require such forethought, and it could be a DoS vector.

Also, I think people underestimate the runtime cost of linux syscall tracing. It's pretty high.

[tomrod]

When people describe process monitoring, this is what I imagine.