
Profiling and monitoring webserver execution over HTTP requests at the kernel level

Çağlar Arlı


I would like to know if there is a way to run an app to exhaustion in terms of all possible outcomes that it can provide.

What do I mean by that:

Let's assume that someone has an (Apache) HTTP Server. What I am trying to do is to create profiles of the nominal execution of this HTTP server. These profiles will then be used as a sandbox/wrapper for this specific app, and if the app executes anything else other than that (due to malicious activity to the app such as code injection) to halt the execution and throw a warning.

So to make it more clear let's assume that the execution of an app is completely deterministic.

We know from the start that the app will output either the number 30, the number -5, or the number 0. If the app, for example, outputs any other number than the aforementioned ones, then I need to show an error. Or maybe if it outputs a string or a character, then again, I need to throw an error because we are expecting only the numbers 30, -5, or 0.

To make it more realistic:

What I am trying to do is exhaust all possible execution outcomes of an HTTP server and audit what calls it makes on the Linux kernel. That way, I could profile how it normally interacts with the kernel, considering all normal executions, and then compare these/this profile(s) with real-life executions. If, at some point, the real-life executions diverge from these/this profile(s), then I should display a message that something is off.

Now, you may wonder that if, for example, the server receives a software update, its execution may diverge because the source code changed from the previous version. And you are right. But let's assume that we stick with a specific version and do not move from there, regardless of whether there are updates. So, we profile only one version of the HTTP server.

So far, I have tried downloading Apache, running a strace, and sending HTTP requests via Postman. However, this does not seem very helpful, as I do not see much difference in the strace logs.

So, is it possible to create such profiles?

You could provide real-life scenarios with an Apache server (if possible) or any other HTTP server that is easier.

---UPDATE---

CLARIFICATIONS:

I understand that I have not made the problem very clear. I apologize for any confusion that my question has created. I was not in the right mind when I was writing this. So, to clarify things:

Basically, if I have an HTTP server (Apache or any other), I want to observe/audit how it interacts with the Linux Kernel according to its different possible executions.

Let me give you an example:

Let's assume that I run an HTTP server on 10.0.0.2 on an Ubuntu machine and make a GET request like this: http://10.0.0.2/log/log.txt.

I want to see on the level of the Linux kernel how the HTTP server interacts with the kernel for this request. For example, did the server try to call some version of alloc() (malloc(), calloc(), etc.)? If yes, what were the parameters? Or maybe it called system(). Why? What were the parameters, if any?

Now, according to what functions it calls and what type of parameters it passes through the calls, I want to profile the server.

I get the fact that there are tons of different requests on HTTP servers with different parameters and that false positives (FP), false negatives (FN), etc., are very much possible. But at least I want to try and see what data I could possibly trace.

Sorry again for the confusion and I hope it clarifies things a little bit more.
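The profiling the question describes (learn the kernel-level behaviour of known-good request handling, then flag anything outside it) is essentially syscall-sequence anomaly detection. The script below is an added example, not part of the original question: it parses `strace -f` style lines, builds a profile from a nominal trace (the set of syscall names seen, every 3-call window of names per worker process, and the directories passed to open/openat), and reports what a later trace does that the profile never saw. The trace text is constructed by hand to look like an Apache worker serving `GET /log/log.txt` on 10.0.0.2, with a second trace where a command injection makes the worker read `/etc/passwd` and fork a shell; real traces from the server are noisier (epoll_wait, futex, writev to the access log, etc.) and would replace these strings. Two caveats a practitioner would want: malloc()/calloc() are libc functions, so a syscall trace only shows their effect as brk/mmap/munmap, never their arguments; and a profile of fixed-length windows can be evaded by an attacker who pads the injected activity with sequences the profile already contains, so this is a detection aid, not a sandbox.

```python
"""Syscall-profile anomaly check over strace -f style output (added example)."""
import re
from collections import defaultdict

N = 3  # length of the syscall-name windows kept in the profile

# One completed call per line, as printed by `strace -f` (no -tt timestamps).
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'              # "[pid N] " prefix added by -f
    r'(?P<name>[a-z0-9_]+)\((?P<args>.*)\)\s*=\s*'  # name(args) = ret
    r'(?P<ret>-?[0-9a-fx?]+)'
)
FIRST_STRING_RE = re.compile(r'"([^"]*)"')          # first quoted argument (a path)

def parse_trace(text):
    """Yield (pid, name, args) for each completed call; skip signal and exit
    markers and the two halves of a call interrupted by another process."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('+++', '---')):
            continue
        if '<unfinished' in line or 'resumed>' in line:
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group('pid') or 'main', m.group('name'), m.group('args')

def per_process(text):
    """Group calls by pid so a window never straddles two worker processes."""
    calls = defaultdict(list)
    for pid, name, args in parse_trace(text):
        calls[pid].append((name, args))
    return calls

def windows(names, n=N):
    return [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]

def open_dir(name, args):
    """Directory of the path handed to open/openat, or None for other calls."""
    if name not in ('open', 'openat'):
        return None
    m = FIRST_STRING_RE.search(args)
    return m.group(1).rsplit('/', 1)[0] if m else None

def build_profile(nominal_traces, n=N):
    """Learn allowed syscall names, name windows and open() directories."""
    profile = {'names': set(), 'windows': set(), 'open_dirs': set()}
    for text in nominal_traces:
        for calls in per_process(text).values():
            names = [c[0] for c in calls]
            profile['names'].update(names)
            profile['windows'].update(windows(names, n))
            profile['open_dirs'].update(
                d for d in (open_dir(*c) for c in calls) if d is not None)
    return profile

def check_trace(text, profile, n=N):
    """Return (pid, kind, detail) for everything the profile has never seen."""
    alerts = []
    for pid, calls in per_process(text).items():
        names = [c[0] for c in calls]
        for name in sorted(set(names) - profile['names']):
            alerts.append((pid, 'new_syscall', name))
        for w in windows(names, n):
            if w not in profile['windows']:
                alerts.append((pid, 'new_sequence', '>'.join(w)))
        for name, args in calls:
            d = open_dir(name, args)
            if d is not None and d not in profile['open_dirs']:
                alerts.append((pid, 'open_outside_profile', d))
    return alerts

# Constructed sample: one worker serving GET /log/log.txt (not a real capture).
NOMINAL_TRACE = r"""
[pid  2001] accept4(4, {sa_family=AF_INET, sin_port=htons(51234), sin_addr=inet_addr("10.0.0.5")}, [16], SOCK_CLOEXEC) = 9
[pid  2001] getsockname(9, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("10.0.0.2")}, [16]) = 0
[pid  2001] read(9, "GET /log/log.txt HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n", 8000) = 45
[pid  2001] openat(AT_FDCWD, "/var/www/html/log/log.txt", O_RDONLY|O_CLOEXEC) = 10
[pid  2001] fstat(10, {st_mode=S_IFREG|0644, st_size=312, ...}) = 0
[pid  2001] sendfile(9, 10, NULL, 312) = 312
[pid  2001] close(10) = 0
[pid  2001] shutdown(9, SHUT_WR) = 0
[pid  2001] close(9) = 0
+++ exited with 0 +++
"""

# Constructed: same request shape for another file in the same directory.
BENIGN_VARIANT = NOMINAL_TRACE.replace('2001', '2004').replace(
    'log/log.txt', 'log/2024-01-01.txt')

# Constructed: injected command makes the worker read /etc/passwd and fork sh.
INJECTED_TRACE = r"""
[pid  2002] accept4(4, {sa_family=AF_INET, sin_port=htons(51240), sin_addr=inet_addr("10.0.0.9")}, [16], SOCK_CLOEXEC) = 9
[pid  2002] getsockname(9, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("10.0.0.2")}, [16]) = 0
[pid  2002] read(9, "GET /log/log.txt?f=%3Bid HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n", 8000) = 53
[pid  2002] openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 10
[pid  2002] fstat(10, {st_mode=S_IFREG|0644, st_size=1807, ...}) = 0
[pid  2002] sendfile(9, 10, NULL, 1807) = 1807
[pid  2002] close(10) = 0
[pid  2002] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1c2a3b4c50) = 2003
[pid  2003] execve("/bin/sh", ["sh", "-c", "id"], 0x55d0c0a1b2c0 /* 17 vars */) = 0
[pid  2002] wait4(2003, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 2003
[pid  2002] shutdown(9, SHUT_WR) = 0
[pid  2002] close(9) = 0
"""

if __name__ == '__main__':
    profile = build_profile([NOMINAL_TRACE])
    print('benign variant:', check_trace(BENIGN_VARIANT, profile))
    for alert in check_trace(INJECTED_TRACE, profile):
        print('ALERT', *alert)
```

Against the nominal profile the benign variant produces no alerts, because only the file name changed and the directory and call sequence did not; the injected trace is reported on three axes at once: syscalls the profile never contained (clone, wait4, and execve in the child), 3-call windows never seen (for example sendfile>close>clone), and an open() outside the learned directory (/etc). To feed real data in, capture with `strace -f -o trace.txt -p <apache pid>` while replaying known-good requests, then build the profile from several such files rather than one; for production use the same logic is normally applied to auditd or eBPF (bpftrace) syscall events rather than strace, whose ptrace-based interception slows the server considerably.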