Computer system administrators may collect various data related to the use of system resources to help characterize that use, particularly with intent to prevent unauthorized access, to identify malicious software, or to improve the allocation of the system resources, among other reasons.
Collection of this data may traditionally be accomplished by attaching an observer to a kernel and/or system call interface of an Operating System (OS). Accordingly, when a user-level process requests system resources using the observed kernel system call, the observer may collect data and analyze the data as appropriate.
But Operating Systems have grown in functionality to support interfaces to system resources other than kernel system calls. For example, an OS may provide functionality via a Remote Procedure Call (RPC) interface. In some instances, the RPC interface may be implemented as a Local Procedure Call (LPC) interface configured to use RPC-style transport, serialization, and runtime-binding to perform LPC system calls without actually sending a call to a remote system.
Some LPC interfaces exist entirely in userspace, preventing any traditional form of observation by intercepting kernel system calls. Other LPC interfaces also reside in userspace but can make a kernel system call on behalf of the client, thereby masking the identity of the client process because the system call may appear to originate from the LPC interface.
In general, an LPC interface may not lend itself to observation at the kernel system call interface as described above. Thus, despite the use of various kernel observers, any calls made to the LPC interface may remain uncollected and unanalyzed. Accordingly, the computer system administrators may capture an incomplete picture of the use of system resources.