Techniques are disclosed that exploit the system call mechanism to effect
robust security applications. In one particular case, security software
is able to effectively "sandbox" user mode applications at the thread
granularity level, by replacing the system call mechanism of the
operating system with a custom mechanism that limits the rights available
to a target application that is vulnerable to malicious attack. The
techniques allow the security software to create service tables with
varying security levels, and do not impact performance of
non-targeted running processes/threads.
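
A user-space model of the per-thread service table idea described above, added here as an illustration and not taken from the disclosure itself. The service numbers, status codes, table contents and function names are all assumptions made for the example; a real implementation lives in the kernel's system call dispatch path.

```c
#include <stdio.h>

/* Hypothetical service numbers and status codes for this model. */
enum { SVC_READ, SVC_WRITE, SVC_SPAWN, SVC_CONNECT, SVC_COUNT };
enum { ST_OK = 0, ST_DENIED = -1, ST_BAD_SERVICE = -2 };

typedef int (*service_fn)(const char *arg);
typedef struct { const char *name; service_fn entry[SVC_COUNT]; } service_table;
typedef struct { int tid; const service_table *table; } thread_ctx;

static int do_service(const char *arg) { (void)arg; return ST_OK; }
static int deny(const char *arg) { (void)arg; return ST_DENIED; }

/* Original table: every service reaches its real handler. */
static const service_table full_table = {
    "full", { do_service, do_service, do_service, do_service } };
/* Medium level (assumed policy): reads and outbound connections only. */
static const service_table medium_table = {
    "medium", { do_service, deny, deny, do_service } };
/* Strict level (assumed policy): reads only. */
static const service_table strict_table = {
    "strict", { do_service, deny, deny, deny } };

/* Sandboxing swaps one thread's table pointer; other threads are untouched. */
void sandbox_thread(thread_ctx *t, const service_table *level) { t->table = level; }

/* Same path for every thread: one bounds check, one indirect call. */
int dispatch(const thread_ctx *t, int svc, const char *arg) {
    if (svc < 0 || svc >= SVC_COUNT) return ST_BAD_SERVICE;
    return t->table->entry[svc](arg);
}

/* Helper: result of one call made by a thread running at the given level. */
int call_at_level(const service_table *level, int svc) {
    thread_ctx t = { 0, &full_table };
    sandbox_thread(&t, level);
    return dispatch(&t, svc, "sample");
}

int main(void) {
    thread_ctx worker = { 1, &full_table };  /* non-targeted thread */
    thread_ctx parser = { 2, &full_table };  /* thread handling untrusted input */
    sandbox_thread(&parser, &strict_table);
    printf("worker spawn: %d\n", dispatch(&worker, SVC_SPAWN, "child"));
    printf("parser spawn: %d\n", dispatch(&parser, SVC_SPAWN, "child"));
    printf("parser read:  %d\n", dispatch(&parser, SVC_READ, "input.dat"));
    return 0;
}
```

Because restriction is expressed by which table a thread points at, the dispatch path carries no per-call policy check, which is how the model reflects the claim that non-targeted threads see no performance impact.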