Linux Monitoring Tool Detects Meltdown Attacks

The security company SentinelOne has released a free-to-use monitoring tool that will alert when attackers attempt to exploit the Meltdown vulnerability.

Christine Hall

January 29, 2018


The cybersecurity company SentinelOne may have bought some time for harried system administrators dealing with the multiple problems being posed by Meltdown and Spectre. It's issued a proprietary but free-to-use Linux monitoring tool to notify admins of attempts to exploit the Meltdown vulnerability so they can take action to stop attacks in their tracks. Unfortunately, the tool doesn't address the Spectre vulnerability, but half a loaf is better than none.

System administrators are in a bit of a conundrum dealing with the double whammy being posed by the hardware vulnerabilities Meltdown and Spectre. Although patches are available, their effectiveness is less than clear and computers deploying them take a performance hit that varies by workload, making performance issues difficult to gauge until patches are applied.

This makes operators understandably reluctant to rush to patch, fearful that patches might have an unacceptable systemwide effect. On the other hand, taking time to thoroughly test available options leaves systems open to attack. It's a definitive rock-and-hard-place situation.

If you haven't been keeping up with the news, Meltdown is a hardware design flaw that affects nearly all Intel chips produced over the last several decades, in addition to some ARM chips and possibly IBM Power processors. It is operating system-agnostic, putting machines running Linux, Windows and MacOS at risk. The vulnerability can be exploited to read data from any address mapped to the current process's memory space.

Although a successful Meltdown exploitation can be difficult to discover after the fact, the exploit does generate some patterns that can be monitored during an attack. The Blacksmith monitoring tool utilizes Linux's built-in perf events tool to leverage the performance counting feature on modern chipsets to monitor processes for malicious caching behavior. For older processors and virtual environments, Blacksmith identifies a specific type of page fault, which indicates a Meltdown exploitation attempt.
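As an added illustration of the page-fault side of that approach (this is not SentinelOne's Blacksmith code, and the article does not say which fault type the tool keys on), the script below assumes the telltale pattern is a user-mode process repeatedly faulting on addresses in the kernel half of the x86-64 address space, and flags processes that do so more than a threshold number of times in dmesg-style segfault lines. The sample log lines are constructed, and the process names, PIDs and threshold are placeholders.

```python
import re
from collections import Counter

# x86-64 kernel "segfault at" messages (arch/x86/mm/fault.c) as they appear in dmesg.
SEGFAULT_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

# Canonical x86-64 split: user space ends at 0x00007fffffffffff, kernel half starts here.
KERNEL_HALF_START = 0xFFFF800000000000
PF_USER = 0x4  # page-fault error-code bit 2: the fault was raised while the CPU was in user mode

def parse_segfault(line):
    """Return the fields of one kernel segfault line, or None if the line is something else."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    return {"comm": m["comm"], "pid": int(m["pid"]),
            "addr": int(m["addr"], 16), "err": int(m["err"])}

def is_kernel_address_fault(event):
    """True for a user-mode access that faulted on a kernel-half address (assumed Meltdown pattern)."""
    return event["addr"] >= KERNEL_HALF_START and bool(event["err"] & PF_USER)

def suspicious_processes(lines, threshold=3):
    """Count kernel-address faults per (comm, pid) and return those at or above the threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_segfault(line)
        if ev and is_kernel_address_fault(ev):
            counts[(ev["comm"], ev["pid"])] += 1
    return {proc: n for proc, n in counts.items() if n >= threshold}

# Constructed sample: one process hammering kernel addresses, one ordinary NULL dereference,
# and one single kernel-address fault that stays below the default threshold.
SAMPLE_DMESG = """\
[  101.210000] reader[4242]: segfault at ffffffff81a00000 ip 0000000000401136 sp 00007ffd3c0a1e80 error 5 in reader[400000+1000]
[  101.210400] reader[4242]: segfault at ffffffff81a00008 ip 0000000000401136 sp 00007ffd3c0a1e80 error 5 in reader[400000+1000]
[  101.210800] reader[4242]: segfault at ffffffff81a00010 ip 0000000000401136 sp 00007ffd3c0a1e80 error 5 in reader[400000+1000]
[  102.000000] buggyapp[5150]: segfault at 0 ip 0000000000400b12 sp 00007ffc99aa0c10 error 4 in buggyapp[400000+2000]
[  103.500000] tool[6000]: segfault at ffffffff81c00000 ip 000000000040077a sp 00007ffe1e22f0b0 error 5 in tool[400000+1000]
""".splitlines()

if __name__ == "__main__":
    for (comm, pid), n in suspicious_processes(SAMPLE_DMESG).items():
        print(f"ALERT: {comm}[{pid}] faulted {n} times on kernel-half addresses")
```

The kernel only prints these lines for signals the process left unhandled, so a live deployment would rather feed the same classifier from the `exceptions:page_fault_user` tracepoint, which reports every user-mode fault with its address and error code.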

In a blog entry posted Wednesday, SentinelOne's director of product management, Migo Kedem, said that when the Blacksmith monitoring tool detects an exploitation attempt, it reports it to Syslog, which can then be saved locally, sent by email or sent to remote Syslog server functions.

"This allows each admin to clean up the exploitation as they see fit," he said.

So why does Blacksmith focus on Linux instead of Windows or MacOS? According to Kedem, there are two reasons.

"[The first is] because Linux is very susceptible to such attacks [since] there is no comprehensive solution available," he said. "And second, Linux is the preferred OS of the world’s top supercomputers and, therefore, is a high-value target for attackers."

The first reason is arguable. I've seen no evidence to suggest Linux is any more susceptible to Meltdown attacks than the other two name-brand operating systems, and Linux patches for the flaw have been available for commercial distros for nearly a month. Also, Sunday saw the release of Linux Kernel 4.15, which includes Meltdown and Spectre patches for distributions that weren't equipped to push hand-rolled patches out the door.

The truth is, neither chipmakers nor operating system developers are through with Meltdown and Spectre and won't be for years to come. During Thursday's quarterly report, Intel CEO Brian Krzanich said the company plans to release updated chips later this year that will fix the problem. This is good news, since a hardware fix might be the only acceptable alternative for servers with sensitive or critical data.

If it turns out that data centers end up opting for something akin to a wholesale swapping of chips, which I suspect is where this is all going, then tools such as Blacksmith might be the stopgap measure the doctor ordered. That also makes reports that SentinelOne is working on a similar monitoring tool to detect Spectre vulnerability attacks more good news.

Blacksmith is available for download on SentinelOne's website and has been tested on Ubuntu 17.04 and 17.10.

About the Author(s)

Christine Hall

Freelance author

Christine Hall has been a journalist since 1971. In 2001 she began writing a weekly consumer computer column and began covering IT full time in 2002, focusing on Linux and open source software. Since 2010 she's published and edited the website FOSS Force. Follow her on Twitter: @BrideOfLinux.
