Can I use Argos to protect my desktop system?
You could, but only if you are willing to suffer a huge performance penalty. Current measurements show a slowdown by a factor of 18 for the Apache web server. While we are working on faster implementations, you really want to use Argos for honeypots.
What do you mean by full system protection?
Argos sits below the OS. It will trigger alerts when it detects a violation, irrespective of who caused the violation: the kernel or some application. Neither the OS nor the applications need to be modified. The OS and any application installed on the OS are automatically protected.
What is dynamic taint analysis?
Dynamic taint analysis means that we track what happens to data coming from the outside (i.e., the network). We mark the area in memory where such data is stored as 'tainted'. When we copy tainted data (or use it in ALU operations, etc.) we also mark the destination (registers or memory) as tainted. We raise an alert when tainted data is used in illegitimate ways (e.g., when it is used as a jump target).
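The tracking described above, as an added example that is not Argos code: a toy machine in C in which every register and memory byte has a shadow taint flag, copies and ALU operations propagate the flag, and an indirect jump through a tainted register raises an alert. The machine layout, the function names and the sample packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 256              /* every uint8_t address is inside memory */
#define NUM_REGS 4
#define R(r) ((r) % NUM_REGS)     /* keep register indices in range */

/* Hypothetical toy machine: data plus one shadow taint flag per location. */
typedef struct {
    uint8_t mem[MEM_SIZE], mem_taint[MEM_SIZE];
    uint8_t reg[NUM_REGS], reg_taint[NUM_REGS];
    int alerts;
} machine;

/* Network input: store the bytes and mark that memory area as tainted. */
int net_recv(machine *m, uint8_t addr, const uint8_t *buf, size_t len) {
    if (len > (size_t)(MEM_SIZE - addr)) return -1;   /* would run past memory */
    memcpy(m->mem + addr, buf, len);
    memset(m->mem_taint + addr, 1, len);
    return 0;
}

/* A constant supplied by the program itself is clean. */
void load_imm(machine *m, unsigned r, uint8_t v) { m->reg[R(r)] = v; m->reg_taint[R(r)] = 0; }

/* Copies carry the taint flag of the source to the destination. */
void load(machine *m, unsigned r, uint8_t a)  { m->reg[R(r)] = m->mem[a]; m->reg_taint[R(r)] = m->mem_taint[a]; }
void store(machine *m, uint8_t a, unsigned r) { m->mem[a] = m->reg[R(r)]; m->mem_taint[a] = m->reg_taint[R(r)]; }

/* ALU operation: the result is tainted if either operand is tainted. */
void add(machine *m, unsigned rd, unsigned rs) {
    m->reg[R(rd)] += m->reg[R(rs)];
    m->reg_taint[R(rd)] |= m->reg_taint[R(rs)];
}

/* Indirect jump: returns the target, or -1 after raising an alert
   because the target was derived from tainted data. */
int jump_reg(machine *m, unsigned r) {
    if (m->reg_taint[R(r)]) { m->alerts++; return -1; }
    return m->reg[R(r)];
}

/* Constructed scenario: a clean base address plus a network-supplied offset. */
int main(void) {
    machine m = {0};
    const uint8_t pkt[] = {0x41, 0x42};            /* constructed sample input */
    net_recv(&m, 0x10, pkt, sizeof pkt);
    load_imm(&m, 0, 0x20); load(&m, 1, 0x10); add(&m, 0, 1);
    jump_reg(&m, 0);                               /* tainted target: alert */
    return m.alerts == 1 ? 0 : 1;
}
```

The alert depends only on the taint flag of the jump target, not on what the bytes at that target would do if executed.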
My exploit works under VMware, but not under QEMU. Does this mean that Argos will not capture this attack?
QEMU without the kernel accelerator performs dynamic code translation, which differs from running code under VMware or under QEMU with the kernel accelerator, because the code is not run as is. This implies that even though an exploit succeeds, its payload fails to execute successfully, because the emulator has not translated it. You can use QEMU with the kernel accelerator to determine whether an exploit succeeds. Argos does not require a payload to execute in order to detect an attack. Any attempt to divert control will cause an alert.