Show HN: Telos – eBPF/LSM Runtime Security for Autonomous AI Agents

nevinshine Wednesday, March 04, 2026

We give autonomous AI agents shell access and API keys, relying on system prompts or Docker for security. This is fundamentally broken. When an agent is hit with an indirect prompt injection, it doesn't download a rootkit. It uses standard, signed binaries like curl or base64 to exfiltrate data. To the OS, this looks like a legitimate user executing a legitimate request. EDR fails because the binary isn't malware. Docker fails because it still allows outbound network access.

I’ve been engineering a split-plane defense architecture to solve this. Telos is an experimental hybrid runtime bridging LLM intent tracking with low-level kernel isolation. Instead of static firewall rules, Telos dynamically bounds execution and network access in real-time using eBPF-LSM hooks, Information Flow Control (IFC), and XDP hardware drops.

The Dual-Gate Architecture

Telos operates on one rule: Intent equals the perimeter. Agents declare intent to a local control plane, which translates it into O(1) eBPF hash maps.

1. Execution Gate (lsm/bprm_check_security)

Intercepts execve() at the LSM hook. Telos checks the binary being executed against the process's intent map. If an agent authorized only to "read logs" tries to execute nc, the kernel immediately returns -EACCES. The intent map is inherited down the process tree, so fork-then-exec evasion is blocked as well.

2. Network Gate (lsm/socket_connect)

Intercepts outbound connections. Each authorized connection window auto-expires via a TTL. If the agent is tricked into connecting to an unauthorized IP, the socket is killed before the TCP handshake begins.

The Capstone: Cross-Vector Taint Tracking (IFC)

What stops an agent from curl-ing a sensitive file it's allowed to read to a malicious server?

Telos monitors lsm/file_open, checking targets against an inode sensitivity map.

If the agent reads a CRITICAL file (like .env), Telos dynamically elevates the agent's taint to TAINT_CRITICAL in the eBPF process map.

The moment that process invokes socket_connect, Telos checks the taint state and triggers a Network Slam.

All outbound connections permanently return -EPERM. The data cannot leave the machine.
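The two gates and the taint escalation above are easiest to reason about as one state machine over the per-process map. The following is an added, user-space C model of that logic written for this page; it is not Telos's eBPF code. The pid-keyed eBPF hash map is modelled as a fixed array, the inode sensitivity map is a constructed two-entry table (4711 standing in for .env, 4712 for a log file), and the current time is passed in explicitly so the TTL behaviour is deterministic. The -EACCES on an exec denial and the -EPERM Network Slam follow the post; returning -EACCES for an out-of-window or expired destination is an assumption.

```c
// Added example: user-space model of the Telos dual gate + IFC taint logic.
// Not the project's eBPF code. Maps are fixed arrays; "now" is passed in so
// TTL expiry is deterministic. errno choices: -EACCES (exec) and -EPERM
// (Network Slam) follow the post; -EACCES for no live window is assumed.
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_PROCS 64
#define MAX_BINS 4
#define MAX_WINDOWS 4

enum taint { TAINT_NONE = 0, TAINT_CRITICAL = 1 };

struct net_window { uint32_t ip; time_t expires; };   // ip 0 = empty slot

struct proc_state {                       // one entry of the pid-keyed process map
    int pid;                              // 0 = free slot
    int taint;
    const char *bins[MAX_BINS];           // binaries the declared intent permits
    struct net_window windows[MAX_WINDOWS];
};

// Constructed inode sensitivity map: 4711 stands in for .env, 4712 for a log file.
static const struct { unsigned long ino; int critical; } inode_map[] = {
    { 4711, 1 }, { 4712, 0 },
};

static struct proc_state procs[MAX_PROCS];

void telos_reset(void) { memset(procs, 0, sizeof procs); }

static struct proc_state *lookup(int pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (procs[i].pid == pid) return &procs[i];
    return NULL;
}

// Control plane: an agent declares intent for pid (allowed binaries + IPs with a TTL).
int telos_declare_intent(int pid, const char **bins, int nbins,
                         const uint32_t *ips, int nips, time_t now, int ttl_s) {
    struct proc_state *p = lookup(pid);
    if (!p) p = lookup(0);                             // take a free slot
    if (!p || nbins > MAX_BINS || nips > MAX_WINDOWS) return -ENOSPC;
    memset(p, 0, sizeof *p);
    p->pid = pid;
    for (int i = 0; i < nbins; i++) p->bins[i] = bins[i];
    for (int i = 0; i < nips; i++) { p->windows[i].ip = ips[i]; p->windows[i].expires = now + ttl_s; }
    return 0;
}

// fork(): the child starts as a copy of the parent's intent and taint, so a
// forked helper cannot escape the gates ("inherits down the process tree").
int telos_on_fork(int parent_pid, int child_pid) {
    struct proc_state *parent = lookup(parent_pid), *child = lookup(0);
    if (!parent || !child) return -ENOSPC;
    *child = *parent;
    child->pid = child_pid;
    return 0;
}

// Execution gate (models lsm/bprm_check_security). Unknown pid -> fail closed.
int telos_bprm_check(int pid, const char *binary) {
    struct proc_state *p = lookup(pid);
    if (!p) return -EACCES;
    for (int i = 0; i < MAX_BINS; i++)
        if (p->bins[i] && strcmp(p->bins[i], binary) == 0) return 0;
    return -EACCES;
}

// file_open hook: opening a CRITICAL inode elevates the caller's taint. The
// open itself succeeds; the consequence is enforced later at socket_connect.
int telos_file_open(int pid, unsigned long ino) {
    struct proc_state *p = lookup(pid);
    if (!p) return -EACCES;
    for (size_t i = 0; i < sizeof inode_map / sizeof inode_map[0]; i++)
        if (inode_map[i].ino == ino && inode_map[i].critical) p->taint = TAINT_CRITICAL;
    return 0;
}

// Network gate (models lsm/socket_connect): taint is checked before any window,
// so a tainted process gets -EPERM even for a destination its intent allowed.
int telos_socket_connect(int pid, uint32_t dst_ip, time_t now) {
    struct proc_state *p = lookup(pid);
    if (!p) return -EACCES;
    if (p->taint == TAINT_CRITICAL) return -EPERM;     // Network Slam
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (p->windows[i].ip == dst_ip && dst_ip != 0 && now < p->windows[i].expires) return 0;
    return -EACCES;                                     // no live window for this IP
}

int telos_taint(int pid) { struct proc_state *p = lookup(pid); return p ? p->taint : -1; }

int main(void) {
    const char *bins[] = { "cat", "curl" };
    const uint32_t ips[] = { 0x0a000005 };             // 10.0.0.5, constructed
    telos_reset();
    telos_declare_intent(1000, bins, 2, ips, 1, 0, 60);
    printf("exec nc        -> %d\n", telos_bprm_check(1000, "nc"));               // -EACCES
    printf("connect t=10   -> %d\n", telos_socket_connect(1000, 0x0a000005, 10)); // 0
    telos_on_fork(1000, 1001);
    telos_file_open(1001, 4711);                                                  // child reads .env
    printf("child connect  -> %d\n", telos_socket_connect(1001, 0x0a000005, 10)); // -EPERM
    printf("parent connect -> %d\n", telos_socket_connect(1000, 0x0a000005, 10)); // 0
    printf("connect t=61   -> %d\n", telos_socket_connect(1000, 0x0a000005, 61)); // -EACCES, TTL expired
    return 0;
}
```

The ordering inside telos_socket_connect is the point of the model: the taint check runs before the window lookup, so once a process has touched a CRITICAL inode no declared intent can re-open the network for it. The fork copy is a snapshot, which is exactly the multi-threaded question the post raises: threads share one tgid and therefore one map entry, but a process forked before the sensitive read keeps an untainted copy.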

Escaping the OS: The Hyperion XDP Bridge

Telos routes agent DNS through a proxy pipeline (checking for typosquatting/homoglyphs). If a domain is flagged malicious, Telos resolves the IPs and pushes them via RPC to Hyperion XDP on the physical NIC. Packets matching that IP are dropped with XDP_DROP at wire-speed, before the Linux kernel even allocates an SKB.
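The typosquatting/homoglyph check that the DNS proxy pipeline performs before anything reaches the XDP drop list is shown here as an added C example; it is not Telos's own code, and the RPC push to Hyperion XDP is not modelled. The allowlist is constructed for the example. A query is flagged as a homoglyph risk if it carries raw non-ASCII bytes or a punycode ("xn--") label, and as a typosquat if it embeds an allowlisted name as a leading label or sits within an edit distance of 2 of one without being equal.

```c
// Added example: DNS-proxy style typosquat / homoglyph check (user-space C,
// not Telos's code). The allowlist and threshold are constructed for the demo.
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 64
#define TYPO_THRESHOLD 2   // edit distance at or below this (and not equal) = typosquat

// Constructed allowlist: domains the agent's declared intent legitimately needs.
static const char *allowlist[] = { "api.openai.com", "github.com", "pypi.org" };

enum dns_verdict { DNS_ALLOW, DNS_UNLISTED, DNS_FLAG_MALFORMED,
                   DNS_FLAG_HOMOGLYPH, DNS_FLAG_TYPOSQUAT };

// Levenshtein distance with two rolling rows; inputs are bounded by dns_check.
static int edit_distance(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    int prev[MAX_LEN + 1], cur[MAX_LEN + 1];
    for (size_t j = 0; j <= lb; j++) prev[j] = (int)j;
    for (size_t i = 1; i <= la; i++) {
        cur[0] = (int)i;
        for (size_t j = 1; j <= lb; j++) {
            int sub = prev[j - 1] + (a[i - 1] == b[j - 1] ? 0 : 1);
            int del = prev[j] + 1, ins = cur[j - 1] + 1;
            int best = sub < del ? sub : del;
            cur[j] = best < ins ? best : ins;
        }
        memcpy(prev, cur, sizeof cur);
    }
    return prev[lb];
}

int dns_check(const char *query) {
    char name[MAX_LEN + 1];
    size_t n = strlen(query);
    if (n == 0 || n > MAX_LEN) return DNS_FLAG_MALFORMED;       // fail closed on odd sizes
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)query[i];
        if (c & 0x80) return DNS_FLAG_HOMOGLYPH;                // raw non-ASCII (IDN) byte
        name[i] = (char)tolower(c);
    }
    name[n] = '\0';
    // Punycode labels are IDNs that may render as look-alikes of ASCII names.
    if (strncmp(name, "xn--", 4) == 0 || strstr(name, ".xn--") != NULL) return DNS_FLAG_HOMOGLYPH;

    size_t count = sizeof allowlist / sizeof allowlist[0];
    for (size_t i = 0; i < count; i++)
        if (strcmp(name, allowlist[i]) == 0) return DNS_ALLOW;
    for (size_t i = 0; i < count; i++) {
        // "github.com.evil.example": a listed name used as a leading label.
        const char *p = strstr(name, allowlist[i]);
        if (p && p[strlen(allowlist[i])] == '.') return DNS_FLAG_TYPOSQUAT;
        if (edit_distance(name, allowlist[i]) <= TYPO_THRESHOLD) return DNS_FLAG_TYPOSQUAT;
    }
    return DNS_UNLISTED;   // left to the rest of the pipeline
}

int main(void) {
    const char *samples[] = { "github.com", "g1thub.com", "pipy.org",
                              "xn--gthub-5qa.com", "github.com.evil.example", "example.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %d\n", samples[i], dns_check(samples[i]));
    return 0;
}
```

The distance check is deliberately the last step and only runs against the allowlist, so its cost scales with the size of the intent, not with the size of the internet; the cheap byte-level homoglyph tests run first. A flagged verdict is what the post's pipeline would then resolve to addresses for the XDP drop list.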

The "AI" Anti-Hype

Putting an LLM in the hot path introduces massive latency. Telos keeps AI entirely out of the kernel hot path. All enforcement happens via deterministic, O(1) hash table lookups in C. The LLM only adjudicates complex edge cases asynchronously in the control plane.

Benchmarks and Trade-offs

I ran a 10-million operation torture test on bare-metal (AMD Ryzen 7 Pro 5850U, 5.15+ kernel).

file_open: +2.27 µs overhead (+8.5%)

bprm_check_security: +193 µs overhead (+3.0%)

socket_connect: +3.89 µs overhead (+1.9%)

Trade-offs: Telos fails closed; unparsed actions are instantly killed. Heavy bash-scripting workloads involving thousands of rapid fork() calls experience elevated eBPF map contention. To mitigate this under memory pressure, Telos utilizes BPF_MAP_TYPE_LRU_HASH to gracefully evict stale process states.

What's Next

Securing AI requires enforcement at the layer the AI cannot manipulate: the kernel. Telos is an open-source research runtime. I am particularly interested in feedback on bypass vectors I haven't considered, whether the IFC taint model holds under heavily multi-threaded agent workloads, or ways to optimize eBPF map lookups.

GitHub Repository: https://github.com/nevinshine/telos-runtime
