System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks
US-2018096147-A1 · Apr 5, 2018 · US
US12475224B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12475224-B2 |
| Application number | US-202218084147-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 19, 2022 |
| Priority date | Jul 22, 2022 |
| Publication date | Nov 18, 2025 |
| Grant date | Nov 18, 2025 |
Abstract
Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining telemetry representing execution of a process on a computing system and accessing a learned control flow directed graph for the process. A transfer of an instruction pointer is determined based on the telemetry, and the validity of the transfer is determined based on the learned control flow directed graph. If the transfer is invalid, an action to terminate the process is determined; otherwise, the transfer is allowed to execute.
Claims (preview)
What is claimed is:

1. A method for monitoring a computing system, comprising: determining hardware telemetry representing execution of a process on the computing system; accessing a learned control flow graph for the process, the learned control flow graph being generated based on observing previous executions of the process by the computing system and central processing unit (CPU) telemetry generated by the previous executions; determining, based on the hardware telemetry, a transfer of an instruction pointer; determining CPU telemetry for a predetermined number of transitions before the transfer; determining a validity of the transfer and the predetermined number of transitions based on the learned control flow graph; determining a policy to enforce associated with the validity of the transfer and the predetermined number of transitions; and terminating, based on the policy, at least a portion of the process.
2. The method of claim 1, wherein terminating at least the portion of the process is on a bare metal computing system.
3. The method of claim 1, wherein terminating at least the portion of the process is performed by a virtual machine running the process.
4. The method of claim 1, wherein terminating at least the portion of the process comprises blocking a first set of system calls from execution by the computing system and enabling a second set of system calls to continue executing.
5. The method of claim 4, wherein blocking the first set of system calls comprises: determining first system calls associated with security integrity of the computing system; and determining second system calls unrelated to the security integrity of the computing system, wherein the first set of system calls includes the first system calls and excludes the second system calls.
6. The method of claim 4, wherein the first set of system calls comprise write operations.
7. The method of claim 1, further comprising determining a risk score for the transfer based at least in part on a security rating associated with the transfer, and wherein determining the policy is further based on the risk score.
8. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: determining hardware telemetry representing execution of a process on a computing system; accessing a learned control flow graph for the process, the learned control flow graph being generated based on observing previous executions of the process by the computing system and other hardware telemetry associated with the previous executions; determining, based on the hardware telemetry, a transfer of an instruction pointer; determining a portion of the hardware telemetry for a predetermined number of transitions before the transfer; determining validity of the transfer and the predetermined number of transitions based on the learned control flow graph; determining a policy to enforce associated with the validity of the transfer or the predetermined number of transitions; and based on applying the policy, terminating at least a portion of the process.
9. The system of claim 8, wherein the policy is based on one or more of an environment executing the process, execution context associated with the process, permissions associated with the process, or communications sent or received by the process.
10. The system of claim 8, wherein terminating at least the portion of the process comprises: blocking communications from the process from executing; and enabling system calls unrelated to the communications to continue executing.
11. The system of claim 10, wherein the communications comprise communications to a remote computing system or a local computing system.
12. The system of claim 8, the operations further comprising: determining a risk score for the transfer based at least in part on a security rating associated with the transfer, wherein determining the policy is further based on the risk score.
13. The system of claim 12, wherein the transfer comprises a system call, and wherein determining the risk score for the system call comprises accessing a cataloged risk score for the system call.
14. The system of claim 8, wherein the hardware telemetry for the predetermined number of transitions comprises central processing unit (CPU) telemetry, the operations further comprising: validating the CPU telemetry for the predetermined number of transitions based at least in part on the learned control flow graph; and allowing the transfer in response to the CPU telemetry being validated based at least in part on the learned control flow graph.
15. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: determining hardware telemetry representing execution of a process on a computing system; accessing, based on the hardware telemetry, at least a portion of a learned control flow graph for the process, the learned control flow graph being generated based on observing previous executions of the process and other hardware telemetry associated with the previous executions; determining a transfer of an instruction pointer based at least in part on the hardware telemetry; determining a portion of the hardware telemetry for a predetermined number of transitions before the transfer; determining, based on the learned control flow graph, a validity of the transfer and the predetermined number of transitions; determining, based in part on the validity, a policy associated with the process or the predetermined number of transitions; and blocking, based at least in part on the policy, a first portion of system calls of the process and enabling a second portion of the system calls to execute.
16. The one or more non-transitory computer-readable media of claim 15, the operations further comprising determining a risk score for the transfer based at least in part on a security rating associated with the transfer, wherein determining the policy is further based on the risk score.
17. The one or more non-transitory computer-readable media of claim 15, wherein the hardware telemetry for the predetermined number of transitions comprises central processing unit (CPU) telemetry, the operations further comprising: validating the CPU telemetry for the predetermined number of transitions based at least in part on the learned control flow graph; allowing the transfer in response to the CPU telemetry being validated based at least in part on the learned control flow graph; and terminating the process in response to the CPU telemetry being invalid based at least in part on the learned control flow graph.
18. The one or more non-transitory computer-readable media of claim 15, wherein blocking the first portion of the system calls comprises: determining first system calls associated with security integrity of the computing system; and determining second system calls unrelated to the security integrity of the computing system, wherein the first portion of the system calls comprises the first system calls and the second portion of the system calls comprises the second system calls.
19. The one or more non-transitory computer-readable media of claim 15, wherein the policy is based on one
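The detection loop the abstract and claims describe, as an added illustration that is not code from the patent: a control flow graph is learned from benign traces, each live transfer is checked together with the `window` transitions before it, and an invalid window selects a policy that terminates the process outright or blocks only the integrity-affecting system calls (claims 1, 4, 7 and 15). The trace records, the syscall risk catalogue and the threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed telemetry: each record is (src, dst, syscall), where src/dst are
# instruction-pointer addresses of a transfer and syscall names the system call
# reached by that transfer (None for an ordinary branch or call).
TRAINING_TRACES = [
    [(0x1000, 0x2000, None), (0x2000, 0x3000, "read"), (0x3000, 0x1000, None)],
    [(0x1000, 0x2000, None), (0x2000, 0x4000, "write"), (0x4000, 0x1000, None)],
]
# Constructed risk catalogue: higher score = greater impact on system integrity.
SYSCALL_RISK = {"execve": 10, "write": 8, "unlink": 8, "read": 2, "getpid": 1}
RISK_THRESHOLD = 5  # constructed cut-off separating "integrity" syscalls


def learn_cfg(traces):
    """Learn the CFG as src -> {dst} edges from previously observed executions."""
    cfg = defaultdict(set)
    for trace in traces:
        for src, dst, _ in trace:
            cfg[src].add(dst)
    return cfg


def window_valid(cfg, trace, idx, window):
    """Validate the transfer at idx plus the `window` transitions before it."""
    start = max(0, idx - window)
    return all(dst in cfg.get(src, ()) for src, dst, _ in trace[start:idx + 1])


def decide(valid, syscall):
    """Policy: allow valid flow; on invalid flow, gate by the syscall's risk."""
    if valid:
        return "allow"
    if syscall is None:
        return "terminate"        # invalid branch with no syscall to gate
    if SYSCALL_RISK.get(syscall, RISK_THRESHOLD) >= RISK_THRESHOLD:
        return "block"            # integrity-affecting syscall is denied
    return "allow_unrelated"      # low-risk syscall may continue executing


def monitor(cfg, trace, window=2):
    """Return the policy decision for every transfer in a live trace."""
    return [decide(window_valid(cfg, trace, i, window), sc)
            for i, (_, _, sc) in enumerate(trace)]


# Constructed live trace: the second transfer leaves the learned graph, so the
# later syscalls fall inside an invalid window even though they are new edges.
LIVE_TRACE = [(0x1000, 0x2000, None), (0x2000, 0x5000, None),
              (0x5000, 0x6000, "write"), (0x6000, 0x7000, "getpid")]
```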
CPC classifications:

- Structural analysis for program understanding
- Program code verification, e.g. Java bytecode verification, proof-carrying code (high-level semantic checks G06F8/43; prevention of errors by analysis, debugging or testing of software G06F11/36)
- Using software metrics
- By executing in a restricted environment, e.g. sandbox or secure virtual machine
- Assessing vulnerabilities and evaluating computer system security