{"id":40805331,"url":"https://github.com/nevinshine/sentinel-runtime","last_synced_at":"2026-01-21T21:02:36.790Z","repository":{"id":330284834,"uuid":"1119965794","full_name":"nevinshine/sentinel-runtime","owner":"nevinshine","description":"Runtime Malware Analysis Engine using Linux ptrace \u0026 Isolation Forests.","archived":false,"fork":false,"pushed_at":"2026-01-18T08:11:09.000Z","size":8409,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-18T16:57:27.503Z","etag":null,"topics":["linux","linux-kernel","malware-analysis","ptrace","system-security"],"latest_commit_sha":null,"homepage":"https://nevinshine.github.io/runtime-security-dossier/sentinel-architecture","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nevinshine.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-20T07:42:57.000Z","updated_at":"2026-01-18T07:51:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nevinshine/sentinel-runtime","commit_stats":null,"previous_names":["nevinshine/sentinel-sandbox","nevinshine/sentinel-runtime"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/nevinshine/sentinel-runtime","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nevinshine%2Fsentinel-runtime","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nevinshine%2Fsentinel-runtime/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nevinshine%2Fsentinel-runtime/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nevinshine%2Fsentinel-runtime/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nevinshine","download_url":"https://codeload.github.com/nevinshine/sentinel-runtime/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nevinshine%2Fsentinel-runtime/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28642697,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T18:04:35.752Z","status":"ssl_error","status_checked_at":"2026-01-21T18:03:55.054Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","linux-kernel","malware-analysis","ptrace","system-security"],"created_at":"2026-01-21T21:02:35.898Z","updated_at":"2026-01-21T21:02:36.780Z","avatar_url":"https://github.com/nevinshine.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sentinel Runtime: Host-Based Active Defense\n\n![Milestone](https://img.shields.io/badge/milestone-M3.0_Cognitive_Engine-blueviolet?style=flat-square\u0026logo=linux)\n![Architecture](https://img.shields.io/badge/architecture-research_modular-orange?style=flat-square)\n![Focus](https://img.shields.io/badge/focus-systems_security_research-363636?style=flat-square)\n\n\u003e **Status:** Research Artifact (Active)\n\u003e **Current Capability:** M3.0 (Semantic Understanding \u0026 Behavioral Policy)\n\u003e **Target:** CISPA / Saarland MSc Application\n\n## Abstract\n\n**Sentinel Runtime** is a Linux runtime defense system designed to investigate syscall-level observability and semantic enforcement.\n\nUnlike traditional signature-based AVs, Sentinel leverages `ptrace` to establish a closed-loop runtime control system. It connects a high-speed C interception kernel to a Python-based **Cognitive Engine (WiSARD)** to evaluate process intent against behavioral policies in real-time.\n\n**System Security Research Dossier:** [nevinshine.github.io/system-security-research-dossier](https://nevinshine.github.io/runtime-security-dossier/)\n\n---\n\n## M3.0: Cognitive Defense (Live Demo)\n\nDemonstration of **Sentinel Runtime** operating in \"Cognitive Mode.\" The engine actively translates raw file paths into security concepts (e.g., `/etc/shadow` → `CRITICAL_AUTH`) to enforce higher-level behavioral policies.\n\n### View 1: The Sentinel (Kernel Interceptor)\n**Scenario:** User attempts to delete a sensitive file (`rm protected.txt`).\n**Result:** The kernel injects an `EPERM` error, blocking the execution.\n\n![Sentinel Shell Demo](assets/sentinel_demo.gif)\n\n### View 2: The Brain (Cognitive Engine)\n**Analysis:** Real-time logs showing the transition from \"Context Awareness\" (Green) to \"Threat Detection\" (Red). Note the **SEMANTIC TAG** column identifying the file as `SENSITIVE_USER_FILE`.\n\n![Sentinel Brain Demo](assets/sentinel_brain.gif)\n\n---\n\n## Capability Milestone Status\n\n| Feature | Milestone | Status | Description |\n| :--- | :--- | :--- | :--- |\n| **Deep Introspection** | M0.8 | [COMPLETE] | Argument extraction via `PTRACE_PEEKDATA`. |\n| **Online Inference Loop** | M1.0 | [COMPLETE] | Real-time decision pipeline via Named Pipes (IPC). |\n| **Recursive Process Tracking** | M2.0 | [COMPLETE] | Tracing dynamic trees via `PTRACE_O_TRACEFORK`. |\n| **Universal Extraction** | M2.1 | [COMPLETE] | **The Universal Eye.** Map-based extraction for `unlink`, `openat`, `execve`. |\n| **Active Blocking** | M2.1 | [COMPLETE] | **Kill Switch.** Injecting `EPERM` verdicts to prevent execution. |\n| **Semantic Understanding** | M3.0 | [OPERATIONAL] | **Cognitive Engine.** Translating paths to concepts (e.g., `CRITICAL_AUTH`). |\n\n---\n\n## Research Roadmap\n\n* **M1.0: The Closed Loop (Completed)**\n    * Connected C Engine to Python Brain via IPC Pipes.\n    * Established the ALLOW/BLOCK decision protocol.\n* **M2.0: Recursive Vision (Completed)**\n    * Implemented `PTRACE_O_TRACEFORK` to track process trees (Parent -\u003e Child).\n* **M2.1: Universal Defense (Completed)**\n    * **Stealth Tracking:** Added `PTRACE_O_TRACEVFORK` to detect optimized shells (`dash`, `sh`).\n    * **Active Blocking:** Validated \"Kill Switch\" for file deletion attempts.\n* **M3.0: Semantic Understanding (CURRENT)**\n    * **Knowledge Base:** Implemented `SemanticMapper` (`semantic.py`) with regex taxonomy.\n    * **Behavioral Policy:** Moving from \"Signature Based\" (String Match) to \"Concept Based\" (Tag Match).\n* **M3.1: State Machine (Next)**\n    * **Sequence Detection:** Detect multi-step attacks (e.g., \"Open\" -\u003e \"Read\" -\u003e \"Socket Write\" = Exfiltration).\n\n---\n\n## Architecture (Refactored M3.0)\n\nSentinel operates as a modular closed-loop runtime control system:\n\n### 1. Systems Layer (C / Kernel Space)\n*Located in `src/engine/`*\n- **Interception Engine (`main.c`):** A recursive `ptrace` monitor supporting `FORK`, `CLONE`, and `VFORK`.\n- **Universal Map (`syscall_map.h`):** A research artifact defining the \"DNA\" of syscalls (Registers, Types, Names).\n- **Visualization (`logger.c`):** Real-time tree hierarchy rendering.\n\n### 2. Analysis Layer (Python / Data Space)\n*Located in `src/analysis/`*\n- **Neural Engine (`brain.py`):** The decision center. Parses `SYSCALL:verb:arg` signals and issues Block/Allow verdicts.\n- **Semantic Mapper (`semantic.py`):** **[NEW]** The Knowledge Base. Classifies raw arguments into Semantic Tags.\n\n---\n\n## Usage\n\nSentinel M3.0 uses a standard `make` build system.\n\n### 1. Build the Artifact\n```bash\nmake clean \u0026\u0026 make\n# Compiles ./bin/sentinel\n\n```\n\n### 2. Execute Control Loop\n\nYou must run the Analysis Engine (Brain) and the Kernel Interceptor (Sentinel) simultaneously.\n\n**Terminal 1 (The Cognitive Brain):**\n\n```text\n$ python3 src/analysis/brain.py\n+ [INFO] Neural Engine Online (M3.0 Cognitive Mode).\n+ [INFO] Semantic Knowledge Base Loaded.\n---------------------------------------------------------------------------\nVERDICT    | ACTION     | SEMANTIC TAG         | PATH\n---------------------------------------------------------------------------\nALLOW      | execve     | SYSTEM_BINARY        | /bin/ls\nBLOCK      | unlink     | SENSITIVE_USER_FILE  | protected.txt\n\n```\n\n**Terminal 2 (The Sentinel):**\n\n```bash\n# Syntax: ./bin/sentinel \u003ctrigger_word\u003e \u003ctarget_binary\u003e\nsudo ./bin/sentinel test /bin/sh\n\n# Inside the monitored session:\n# touch protected.txt\n# rm protected.txt\nrm: cannot remove 'protected.txt': Operation not permitted\n\n```\n\n---\n\n*Research Author: Nevin Shine.*","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnevinshine%2Fsentinel-runtime","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnevinshine%2Fsentinel-runtime","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnevinshine%2Fsentinel-runtime/lists"}