Skip to content

Add Wraith: signature-free runtime exploitation detector#1

Merged
grloper merged 1 commit into
mainfrom
claude/rust-cybersecurity-startup-0mw2fn
Jul 12, 2026
Merged

Add Wraith: signature-free runtime exploitation detector#1
grloper merged 1 commit into
mainfrom
claude/rust-cybersecurity-startup-0mw2fn

Conversation

@grloper

@grloper grloper commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Wraith detects exploitation in progress by verifying the provenance of
every system call a monitored process makes, rather than matching known
vulnerabilities or payloads. When a memory-corruption exploit finally
issues a syscall, the process is in a state benign code never produces —
a syscall from injected memory, a W^X page, or a pivoted stack — so the
technique catches zero-days and n-days alike by behaviour.

Engine (links only nix + libc):

  • maps.rs parse /proc//maps into typed regions
  • provenance.rs classify instruction/stack pointer against the map
  • syscalls.rs the security-relevant syscall table
  • detect.rs the invariants + an exploitation-chain correlator
  • event.rs detection events with hand-rolled JSONL output
  • tracer.rs the ptrace engine (spawn/attach, syscall loop)
  • bin/wraith.rs the CLI sensor (run/attach, severity gating, exit codes)

Ships a benign false-positive control and a self-contained
exploitation-behaviour simulator; 28 unit + 4 end-to-end tests, clippy
clean under -D warnings, plus CI and a demo script.

Co-Authored-By: Claude Fable 5 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01KENq7TfeeKSdusxR7iAWEa

Wraith detects exploitation in progress by verifying the provenance of
every system call a monitored process makes, rather than matching known
vulnerabilities or payloads. When a memory-corruption exploit finally
issues a syscall, the process is in a state benign code never produces —
a syscall from injected memory, a W^X page, or a pivoted stack — so the
technique catches zero-days and n-days alike by behaviour.

Engine (links only nix + libc):
- maps.rs        parse /proc/<pid>/maps into typed regions
- provenance.rs  classify instruction/stack pointer against the map
- syscalls.rs    the security-relevant syscall table
- detect.rs      the invariants + an exploitation-chain correlator
- event.rs       detection events with hand-rolled JSONL output
- tracer.rs      the ptrace engine (spawn/attach, syscall loop)
- bin/wraith.rs  the CLI sensor (run/attach, severity gating, exit codes)

Ships a benign false-positive control and a self-contained
exploitation-behaviour simulator; 28 unit + 4 end-to-end tests, clippy
clean under -D warnings, plus CI and a demo script.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KENq7TfeeKSdusxR7iAWEa
@grloper
grloper merged commit 1c2df27 into main Jul 12, 2026
3 checks passed
@grloper
grloper deleted the claude/rust-cybersecurity-startup-0mw2fn branch July 12, 2026 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants