Exploit Guard monitors Elixir applications for functions created at runtime via :erlang.binary_to_term. This is done with the tracing built into Erlang. It is unusual for functions to be created at runtime, so this can be used as a high quality signal of malicious activity. Exploit Guard provides runtime application self protection (RASP) against remote code execution (RCE) exploits in Elixir.
This is an open source component of Paraxial.io Application Secure. For more details, see the blog post, Exploit Guard: Open Source Runtime Application Self Protection for Elixir.
Exploit Guard can be configured in monitor or block mode:
config :exploit_guard,
mode: :monitorconfig :exploit_guard,
mode: :blockmonitor - Logger will print an alert-level severity message. No action will be taken, this is the "read only" option.
block - The process where the new function was created will be killed, and Logger will print an alert-level severity message.
Custom exploit handling is done by creating a module that implements the ExploitGuard.ExploitHandler behaviour and passing it to the handler configuration option:
config :exploit_guard,
handler: MyApp.ExploitHandlerExploit guard is available in Hex, the package can be installed
by adding exploit_guard to your list of dependencies in mix.exs:
def deps do
[
{:exploit_guard, "~> 1.0.0"}
]
end
Exploit Guard is sponsored by Paraxial.io, an application security platform for Elixir and Phoenix. If you require enterprise support, please contact us.