Using Behavioral detection, SentinelOne Security Researchers, Dor Dankner and Ran Ben Chetrit developed the tool capable of catching Meltdown exploit. The tool goes beyond all offerings available today, some of which just state if a device is exposed or not.
The patching process for the devastating Meltdown vulnerability has left thousands of enterprises with a predictable, yet unenviable, choice: patch immediately for security and risk system-wide impact or, test the patches against their full stack of software applications while remaining exposed to vulnerability exploitation by attackers.
As a result, the industry at large is in a race: patch and secure the many endpoints that are still unprotected before attackers can weaponize the vulnerabilities. This is especially true for Linux-based systems, where no comprehensive protection solution has been released to date.
This is a race that the security industry needs to run together in order to win – which is why SentinelOne today is releasing a new free tool to prevent Meltdown exploitation while the patching process catches up.
Dubbed Blacksmith, this tool detects the attempted exploitation of Meltdown vulnerability on all Linux systems, empowering Linux admins to stop attacks before they take root.
How does Blacksmith work?
The Blacksmith tool leverages the performance counting feature enabled on modern chipsets to monitor processes for malicious caching behavior. The Meltdown vulnerability generates these patterns during exploitation, and Blacksmith uses the built-in Linux “perf events” mechanism to collect information on the running processes. For older processors and virtual environments, Blacksmith also identifies a specific type of page fault which indicates Meltdown exploitation attempts.
There are two key factors for why we chose to prioritize the Linux version of this tool. First, because Linux is very susceptible to such attacks as there is no comprehensive solution available. And second, Linux is the preferred OS of the world’s top supercomputers and therefore, is a high-value target for attackers. Together, these reasons made it clear that it was critical to help secure Linux environments as quickly and effectively as possible right now.
To check Linux for Meltdown vulnerability: https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability
What happens on detection?
When Blacksmith detects an exploitation attempt it reports it to Syslog. The event can be saved locally, sent by email, or sent to remote Syslog server functions. This allows each admin to clean up the exploitation as they see fit.
Why is the tool free?
Other than because it is the right thing to do, we also want to ensure that the tool will work in the best way for each application by each Linux system admin. By providing it for free we allow admins to test it fully against underlying applications, and ensure it in their systems before deploying.
Where is Blacksmith available?
Update: March 1st: BlackSmith is updated to version 2, support also Ubuntu 16.04, 17.04, 17.10 and Centos 6.5. Try at your own risk. Download here: s1-blacksmith (V2)