The App Shield Agent uses the DOCA App Shield library to monitor processes running on the host system. This security feature allows for the detection of core process corruption from a trusted, independent DPU, providing an intrusion detection system (IDS) that otherwise cannot be achieved from within the host itself.

The DOCA App Shield library lets the DPU read, analyze, and verify host memory directly, whether the host is a bare-metal system or a virtual machine. Using this library, the application calculates cryptographic hashes of the non-writable memory pages (including those that are unloaded) of a specific process and its associated libraries, then periodically re-verifies those pages to detect any unauthorized change.

After each check, the application outputs a pass or fail attestation result and repeats the check until the first failure is detected. Results are logged to the console and also sent to the DOCA Telemetry Service (DTS) over inter-process communication (IPC).
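The baseline-and-re-verify loop described above, written as an added Python model rather than code from the DOCA App Shield library or the agent itself: it hashes only the non-writable pages of a process snapshot, re-attests later snapshots against that baseline, and stops at the first failure. The `Region` structure, the region names and addresses, and the snapshot contents are constructed for illustration; a real agent would read the pages out of host memory via the DPU.

```python
import hashlib
from collections import namedtuple

PAGE = 4096
# One mapped region of the monitored process (constructed model, not DOCA's own structures).
Region = namedtuple("Region", "name start perms data")  # name, base address, "r-x"/"rw-", bytes
def page_hashes(region):
    """SHA-256 of each page in the region, keyed by page address."""
    return {region.start + off: hashlib.sha256(region.data[off:off + PAGE]).digest()
            for off in range(0, len(region.data), PAGE)}

def build_baseline(regions):
    """Hash only non-writable pages (code, read-only data); writable pages change legitimately."""
    ref = {}
    for r in regions:
        if "w" not in r.perms:
            ref.update(page_hashes(r))
    return ref

def attest(ref, regions):
    """Re-verify a snapshot: (True, None) on pass, (False, addr) for the first page that differs or is gone."""
    current = build_baseline(regions)
    for addr in sorted(ref):
        if current.get(addr) != ref[addr]:
            return False, addr
    return True, None

def monitor(ref, snapshots):
    """Attest each periodic snapshot, log the result, and stop at the first failure."""
    results = []
    for i, snap in enumerate(snapshots):
        ok, addr = attest(ref, snap)
        results.append(ok)
        print(f"check {i}: " + ("PASS" if ok else f"FAIL at {addr:#x}"))
        if not ok:
            break
    return results

# Constructed sample: a two-page code segment and a heap, then three later snapshots.
CODE = bytes(range(256)) * 32                                   # 8192 bytes = 2 pages
text = Region("/usr/sbin/sshd", 0x400000, "r-x", CODE)
heap = Region("[heap]", 0x600000, "rw-", b"\x00" * PAGE)
BASELINE = build_baseline([text, heap])                         # two code pages, heap skipped
PATCHED = CODE[:PAGE + 16] + b"\xcc" + CODE[PAGE + 17:]         # one byte changed in page 2
SNAPSHOTS = [
    [text, heap],                                               # unchanged         -> PASS
    [text, heap._replace(data=b"\x41" * PAGE)],                 # heap rewritten    -> PASS
    [text._replace(data=PATCHED), heap],                        # code page altered -> FAIL, stop
]
RESULTS = monitor(BASELINE, SNAPSHOTS)                          # [True, True, False]
```

A region that disappears from a later snapshot also fails attestation, since its baseline page has no current hash to compare against.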

This guide illustrates how to implement secure process monitoring using the DOCA App Shield library, taking advantage of the BlueField DPU's capabilities, such as hardware-accelerated DMA and root-of-trust integrity enforcement.