The Meltdown and Spectre have been the topic of security for a while. The reason is the category of these vulnerabilities – hardware issues. Can you imagine that almost all the processors since 1995 are affected? For getting rid of all them, the best solution is to change hardware – a very costly solution that a lot can’t afford. We’re having software patches to mitigate the damage possibility. Fortunately, SentinelOne has released a free tool for Linux that allows system admins to prevent Meltdown attacks before they take root.
The new tool developed by SentinelOne is named Blacksmith. It’s a free tool for everyone. Get Blacksmith from SentinelOne. However, Blacksmith tool isn’t open-source. SentinelOne decided to save time by expediting its development in-house, according to Raj Rajamani, vice president of project management at SentinelOne. He also informed that the tool is free for everyone in hope of securing Linux systems while devs create reliable system patches.
Why use Blacksmith
At the end of 2017, security researchers identified the horrible & terrible bug in most of the modern processors. All these processors used a method called “speculative execution” that allowed these 2 heinous bugs to be possible. Intel, AMD, and ARM – all are affected by them, mostly Intel. The Meltdown flaw is a design flaw of all the Intel chips. The flaw was in the kernel that controlled the chip performance. It’s possible to defend using software patches. However, the Spectre is a lot more difficult to defend against. Learn more about the Meltdown and Spectre.
With the help of SentinelOne’s Blacksmith, Linux users now will be defending Meltdown attacks successfully. The company is working on a similar tool for defense against Spectre as well.
The tool works beyond all the other tools offer today. Some tools only tell you whether you’re exposed or not. Security researcher Dor Danker at SentinelOne used behavioral detection methods to develop Blacksmith that’s capable of catching any Meltdown exploit & attempts. Danker and his fellow researchers took several weeks to prepare the tool. The process required gathering data from industry partners, chip makers, and Microsoft.
Why on Linux
The reason this tool is made for Linux is pretty obvious. First of all, Linux is more susceptible to Meltdown attacks with no extensive available solution. An important note, the top computers – servers, supercomputers etc. all use Linux as their OS. These 2 reasons are very lucrative for hackers to target Linux as an easy, valuable hunt.
According to Migo Kedem, SentinelOne’s director of product management said that the reasons make it clear why Linux needs effective protection as quickly as possible.
The currently available patches slow down the system. It’s not so much visible for home users. However, the influence is huge when we talk about enterprises. It’s the main reason why IT organizations may decide to resist the patches or wait for further patches. That’s where this tool will be really handy without any performance changes.
How Blacksmith works
The tool influences the feature of performance counting on modern chipsets. Using this method, Blacksmith can monitor malicious caching behavior. According to Danker, the Meltdown creates different patterns during exploitation.
Here’s the official demonstration of Blacksmith.
On modern chipsets, Blacksmith uses the built-in Linux mechanism “perf evennts”. It collects info about running processes. Kedem said that in case of virtual environments and older processors, Blacksmith looks for a specific type of page fault, indicating Meltdown exploitation attempts.
When the tool identifies any attempt, Blacksmith reports to “Syslog” locally. If the “Syslog” is on a remote server, Blacksmith sends the report via email. Checking on that, system admins can take necessary measures to clean up the exploitation.
