SentinelOne this week released Blacksmith, a free Linux tool that can detect Meltdown vulnerability exploitation attempts, so system administrators can stop attacks before they take root.
The company has been working on a similar tool to detect Spectre vulnerability attacks.
Though free, Blacksmith is not open source. SentinelOne decided to expedite its development in-house to save time, said Raj Rajamani, vice president of product management.
The company has made the tool available to everyone for free in the hope of securing Linux systems while reliable patches are developed, he told LinuxInsider.
The Meltdown vulnerability affects Intel chips and Linux-based systems. A similar design flaw, Spectre, affects AMD and ARM chips. No comprehensive solutions currently are available for either flaw.
Meltdown is a design flaw in all Intel chips produced in the last decade. It creates a vulnerability that puts Linux, Windows and macOS-powered computers at risk. The flaw lies in the performance-oriented way the chip handles kernel memory, and it allows commonly used programs to access the contents and layout of a computer’s protected kernel memory areas.
SentinelOne’s Blacksmith tool is interesting for a couple of reasons, noted Charles King, principal analyst at Pund-IT.
“The inherent complexities of the issue are delaying effective fixes,” he told LinuxInsider. “With that in mind, having access to a free, effective tool for spotting Meltdown exploits could be valuable for many IT organizations and businesses, especially in the short term.”
Research Initiative
SentinelOne Security Researcher Dor Dankner used behavioral detection techniques to develop a tool capable of catching the Meltdown exploit.
The tool goes beyond all offerings available today, some of which only state whether a device is exposed or not, noted Rajamani.
It took Dankner and fellow researchers, including SentinelOne Security Researcher Ran Ben Chetrit, several weeks to ready the tool for release. It required gathering data from chip makers, industry partners and Microsoft.
When he reviewed the data about the vulnerabilities, Dankner realized that researchers could use an existing Linux feature that already monitored the kinds of activity that accompany an attack in progress.
Linux in Crosshairs
Two key factors influenced SentinelOne to prioritize the Linux version of the tool. Linux is very susceptible to such attacks, with no comprehensive solution available. Also, Linux is the preferred OS of the world’s top supercomputers. That makes Linux a high-value target for attackers.
Those reasons made it clear that it was critical to help secure Linux environments as quickly and effectively as possible, said Migo Kedem, SentinelOne’s director of product management.
“Some people are hesitant to apply patches without knowing for sure that they are being attacked,” he told LinuxInsider. However, Blacksmith “lets admins run it and then decide what level of mitigation is best for their purposes.”
Stopgap Measure
The Meltdown vulnerability leaves enterprises with two options: patch immediately or delay while testing. The first option carries the risk of system-wide impact. The second option leaves the system exposed to attack while patches are tested against the company’s full stack of software applications.
Either way, until an industry-wide solution to close the vulnerabilities is found, patches do not yet exist to ensure that endpoints are secure. Many remain unprotected, even as attackers may be working to weaponize the vulnerabilities. Linux-based systems so far have no comprehensive protection solution, according to SentinelOne.
“The time crunch forced us to eliminate including any kind of mitigation options. Our choice was to wait until we could provide a solution or give back to the community a detection tool rapidly,” said SentinelOne’s Kedem.
How It Works
The Blacksmith tool leverages the performance counting feature on modern chipsets. This lets Blacksmith monitor processes to detect malicious caching behavior. The Meltdown vulnerability generates these patterns during exploitation, according to Dankner.
On systems running modern chipsets, Blacksmith uses the built-in Linux “perf events” mechanism to collect information on the running processes. For older processors and virtual environments, Blacksmith identifies a specific type of page fault that indicates Meltdown exploitation attempts, Kedem added.
Blacksmith reports the exploitation attempts it detects to Syslog locally, or sends the report by email or to a remote Syslog server, he said, which allows each admin to take individual action to clean up the exploitation.
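The detection pipeline described in this section (per-process perf counters, a heuristic on cache and page-fault behavior, and a Syslog-style report) is sketched below as an added example. It is not Blacksmith's code, and SentinelOne has not published its tuning: the counter values in the sample lines are constructed, the field layout assumed for `perf stat -x,` output (value, unit, event name, run time in nanoseconds, percent running) is an assumption, and the thresholds are illustrative placeholders a defender would calibrate against a baseline of normal workloads on the same hardware.

```python
"""Heuristic detector for Meltdown-style counter activity (added example, not Blacksmith).

Parses the CSV output of `perf stat -x,`, derives a page-fault rate and a
cache-miss-per-instruction rate for one process, flags the process when both
are elevated, and renders a syslog-style line. Samples and thresholds are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample output in the shape of:
#   perf stat -x, -e instructions,cache-misses,page-faults -p PID -- sleep 1
# A normal process (left) versus one repeatedly faulting on protected memory
# while probing the cache (right).
BENIGN_SAMPLE = """\
2100000000,,instructions,1000000000,100.00,,
3200000,,cache-misses,1000000000,100.00,,
410,,page-faults,1000000000,100.00,,
"""
SUSPICIOUS_SAMPLE = """\
900000000,,instructions,1000000000,100.00,,
48000000,,cache-misses,1000000000,100.00,,
250000,,page-faults,1000000000,100.00,,
"""

# Illustrative thresholds (assumptions; calibrate against your own baseline).
PAGE_FAULTS_PER_SEC = 20_000.0
CACHE_MISSES_PER_KILO_INSTR = 10.0

# syslog PRI = facility * 8 + severity (facility auth = 4).
LOG_AUTH, LOG_WARNING, LOG_INFO = 4, 4, 6


@dataclass
class Counter:
    count: int
    runtime_s: float


@dataclass
class Verdict:
    page_fault_rate: float
    misses_per_kilo_instr: float
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_perf_csv(text):
    """Map event name -> Counter. Assumed layout: value,unit,event,runtime_ns,pct,...
    Rows perf marks as '<not counted>' or '<not supported>' are skipped."""
    counters = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) < 4 or parts[0].startswith("<"):
            continue
        try:
            counters[parts[2]] = Counter(int(parts[0]), int(parts[3]) / 1e9)
        except ValueError:
            continue  # malformed row; ignore rather than abort the scan
    return counters


def assess(counters, pf_threshold=PAGE_FAULTS_PER_SEC,
           miss_threshold=CACHE_MISSES_PER_KILO_INSTR):
    """Flag only when both signals are high: a burst of faults from repeated
    attempts to read protected memory plus abnormal cache-miss density."""
    try:
        faults, misses, instrs = (counters[k] for k in
                                  ("page-faults", "cache-misses", "instructions"))
    except KeyError as missing:
        raise ValueError(f"missing counter {missing}") from None
    interval = faults.runtime_s or 1.0
    pf_rate = faults.count / interval
    miss_rate = misses.count / max(instrs.count, 1) * 1000.0
    reasons = []
    if pf_rate > pf_threshold:
        reasons.append(f"page-fault rate {pf_rate:.0f}/s exceeds {pf_threshold:.0f}/s")
    if miss_rate > miss_threshold:
        reasons.append(f"{miss_rate:.1f} cache misses per 1k instructions exceeds {miss_threshold:.1f}")
    return Verdict(pf_rate, miss_rate, len(reasons) == 2, reasons)


def format_syslog_line(pid, verdict, tag="meltdown-watch"):
    """Render an RFC 3164-style line suitable for local or remote syslog."""
    severity = LOG_WARNING if verdict.suspicious else LOG_INFO
    status = "SUSPECT" if verdict.suspicious else "ok"
    detail = "; ".join(verdict.reasons) or "counters within expected range"
    return (f"<{LOG_AUTH * 8 + severity}>{tag}[{pid}]: {status} "
            f"pf_rate={verdict.page_fault_rate:.0f}/s "
            f"miss_per_kinstr={verdict.misses_per_kilo_instr:.1f} {detail}")


if __name__ == "__main__":
    for pid, sample in ((1001, BENIGN_SAMPLE), (1002, SUSPICIOUS_SAMPLE)):
        print(format_syslog_line(pid, assess(parse_perf_csv(sample))))
```

To run it against live data rather than the constructed samples, feed the script the stderr of `perf stat -x, -e instructions,cache-misses,page-faults -p <pid> -- sleep 1` (perf writes its counters to stderr), which requires permission to attach to the target process and a `perf_event_paranoid` setting that permits it. Requiring both signals together, rather than either alone, is what keeps ordinary fault-heavy workloads such as process startup or memory-mapped I/O from tripping the check.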
Some computer systems may suffer performance hits from the patches. That is one reason IT organizations and their employers may decide to resist or delay implementing patches for their systems, said King. Another is the apparent rarity of actual or successful exploits.
“For organizations that choose such a path,” he said, “SentinelOne’s Blacksmith should provide a way for them to remain safer than they would be otherwise.”