SentinelOne Releases Free Linux Tool to Detect Meltdown Vulnerability Exploitations

April 24, 2018 Migo Kedem

Using behavioral detection, SentinelOne security researchers Dor Dankner and Ran Ben Chetrit developed a tool capable of catching Meltdown exploits. The tool goes beyond all offerings available today, some of which only state whether a device is exposed or not.

The patching process for the devastating Meltdown vulnerability has left thousands of enterprises with a predictable, yet unenviable, choice: patch immediately for security and risk system-wide impact, or test the patches against their full stack of software applications while remaining exposed to vulnerability exploitation by attackers.

As a result, the industry at large is in a race: patch and secure the many endpoints that are still unprotected before attackers can weaponize the vulnerabilities. This is especially true for Linux-based systems, where no comprehensive protection solution has been released to date.

This is a race that the security industry needs to run together in order to win – which is why SentinelOne today is releasing a new free tool to prevent Meltdown exploitation while the patching process catches up.

Dubbed Blacksmith, this tool detects attempted exploitation of the Meltdown vulnerability on all Linux systems, empowering Linux admins to stop attacks before they take root.

How does Blacksmith work?

The Blacksmith tool leverages the performance counting feature enabled on modern chipsets to monitor processes for malicious caching behavior. The Meltdown vulnerability generates these patterns during exploitation, and Blacksmith uses the built-in Linux “perf events” mechanism to collect information on the running processes. For older processors and virtual environments, Blacksmith also identifies a specific type of page fault which indicates Meltdown exploitation attempts.
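The following is an added example of the perf-events approach described above, not Blacksmith's own code. It assumes the monitored signal is the last-level-cache miss ratio of a process; the counters chosen, the thresholds `MIN_REFS` and `MISS_PCT`, and the function names are all hypothetical.

```c
#define _GNU_SOURCE
#include <linux/perf_event.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed thresholds (not Blacksmith's): judge a window only once it has
 * MIN_REFS cache references, and flag it if more than MISS_PCT % missed. */
#define MIN_REFS 10000ULL
#define MISS_PCT 80ULL

/* 1 = suspicious window, 0 = normal or too little data to judge. */
int window_suspicious(uint64_t refs, uint64_t misses) {
    if (refs < MIN_REFS) return 0;
    return misses * 100 > refs * MISS_PCT;
}

/* Open one user-space hardware counter on pid; group_fd == -1 makes it the
 * group leader, which starts disabled so both counters begin together. */
static int open_counter(pid_t pid, uint64_t config, int group_fd) {
    struct perf_event_attr a = { .type = PERF_TYPE_HARDWARE, .size = sizeof a,
        .config = config, .disabled = (group_fd == -1), .exclude_kernel = 1,
        .exclude_hv = 1, .read_format = PERF_FORMAT_GROUP };
    return (int)syscall(SYS_perf_event_open, &a, pid, -1, group_fd, 0);
}

/* Count for `seconds`; 1 = suspicious, 0 = normal, -1 = counters unavailable
 * (no permission, no PMU as in many VMs, or the process has exited). */
int sample_pid(pid_t pid, unsigned seconds) {
    uint64_t buf[3] = {0};               /* group read: nr, refs, misses */
    int lead = open_counter(pid, PERF_COUNT_HW_CACHE_REFERENCES, -1);
    if (lead < 0) return -1;
    int memb = open_counter(pid, PERF_COUNT_HW_CACHE_MISSES, lead);
    if (memb < 0) { close(lead); return -1; }
    ioctl(lead, PERF_EVENT_IOC_ENABLE, PERF_IOC_FLAG_GROUP);
    sleep(seconds);
    ioctl(lead, PERF_EVENT_IOC_DISABLE, PERF_IOC_FLAG_GROUP);
    ssize_t n = read(lead, buf, sizeof buf);
    close(memb); close(lead);
    if (n != (ssize_t)sizeof buf || buf[0] != 2) return -1;
    return window_suspicious(buf[1], buf[2]);
}

int main(int argc, char **argv) {
    int r = argc == 2 ? sample_pid((pid_t)atoi(argv[1]), 1) : -1;
    printf("%s\n", r < 0 ? "usage: prog PID (or perf counters unavailable)" : r ? "SUSPICIOUS cache-miss ratio" : "ok");
    return r < 0;
}
```

Sampling another user's process normally requires root or a permissive `kernel.perf_event_paranoid` setting, and a high miss ratio alone also matches benign memory-bound workloads, so a real detector would baseline per workload before alerting.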

Why Linux?

There are two key reasons why we chose to prioritize the Linux version of this tool. First, Linux is very susceptible to such attacks, as there is no comprehensive solution available. Second, Linux is the preferred OS of the world’s top supercomputers and is therefore a high-value target for attackers. Together, these reasons made it clear that it was critical to help secure Linux environments as quickly and effectively as possible right now.

To check a Linux system for the Meltdown vulnerability: https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability

What happens on detection?

When Blacksmith detects an exploitation attempt, it reports it to Syslog. The event can be saved locally, sent by email, or sent to a remote Syslog server. This allows each admin to clean up the exploitation as they see fit.

Why is the tool free?

Apart from it being the right thing to do, we also want to ensure that the tool works in the best way for each application and each Linux system admin. By providing it for free, we allow admins to test it fully against their underlying applications and validate it in their systems before deploying.

Where is Blacksmith available?

Update, March 1st: Blacksmith has been updated to version 2, which also supports Ubuntu 16.04, 17.04, 17.10 and CentOS 6.5. Try at your own risk. Download here: s1-blacksmith (V2)

This article was originally published here.
