Amit Limaye, co-founder of AgentOps, has built a Linux security technique that rewrites every syscall instruction in a binary at load time. He demonstrated the approach by patching 363 syscalls in a Python 3.12 binary, replacing each with a trap that redirects to custom code running in a lightweight VM. The goal is total control over untrusted processes with less overhead than ptrace, seccomp, or eBPF.

The core insight is straightforward. Every Linux syscall, regardless of language, compiler, or runtime, eventually becomes the same two-byte instruction: 0F 05. Limaye's approach operates at that level, below everything else. An Instruction Length Decoder scans the binary, finds every syscall, and patches it. The process can't tell the difference as long as the replacement honors the same ABI contract. Put a syscall number in rax, arguments in the right registers, get a result back.

Existing interception methods all fall apart in practice. ptrace adds 10-20 microseconds per syscall through two context switches. seccomp-bpf can't inspect pointer arguments and only offers coarse actions like killing the process or returning an error. LD_PRELOAD only catches libc calls, which means Go binaries, JIT output, and statically-linked executables slip through entirely. Limaye's technique catches everything because it works at the single point where every code path converges.

This matters directly for AI agent infrastructure. Autonomous agents run generated and third-party code that you can't fully trust, but containers expose the host kernel's entire 450-syscall surface. Most single-process workloads use roughly 40 of those. Limaye's approach lets you implement only what's needed and control what happens with the rest. It targets the same problem Google's gVisor solves but takes a different implementation path that avoids some of the performance cost. Early tests show the trap overhead landing in the low single-digit microseconds, roughly an order of magnitude faster than ptrace, though comprehensive benchmarks are still in progress.