ExploitGuard

Introduction

Exploit Guard monitors Elixir applications for functions created at runtime via :erlang.binary_to_term. It does this using the tracing built into Erlang. Functions are rarely created at runtime, so their creation is a high-quality signal of malicious activity.

Exploit Guard can be configured in monitor or block mode:

# Monitor mode
config :exploit_guard,
  mode: :monitor

# Block mode
config :exploit_guard,
  mode: :block

monitor - Logger will print an alert-level severity message. No action will be taken; this is the “read only” option.

block - The process where the new function was created will be killed, and Logger will print an alert-level severity message.
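The detection idea and the two modes described above, as an added sketch that is not Exploit Guard's own code: a tracer process uses Erlang call tracing with return_trace on :erlang.binary_to_term and inspects each returned term for functions. The module and function names (RuntimeFunWatch, start, demo) are hypothetical, and the sketch assumes OTP 19+ and Elixir 1.11+ (for Logger.alert).

```elixir
defmodule RuntimeFunWatch do
  # Hypothetical module: an added sketch of the idea, not ExploitGuard's source.
  require Logger
  # Starts a tracer process; mode is :monitor or :block, as in the config above.
  def start(mode) when mode in [:monitor, :block] do
    parent = self()
    tracer =
      spawn(fn ->
        # Trace calls in all current and future processes; messages arrive here.
        :erlang.trace(:processes, true, [:call])
        # {:return_trace} also delivers the value binary_to_term/1,2 returned.
        :erlang.trace_pattern({:erlang, :binary_to_term, :_}, [{:_, [], [{:return_trace}]}], [])
        send(parent, {:ready, self()})
        loop(mode)
      end)
    receive do
      {:ready, ^tracer} -> tracer
    end
  end

  defp loop(mode) do
    receive do
      {:trace, pid, :return_from, {:erlang, :binary_to_term, _arity}, term} ->
        if contains_fun?(term) do
          Logger.alert("binary_to_term created a function in #{inspect(pid)}")
          # This kill is sent after the call has already returned in pid.
          if mode == :block, do: Process.exit(pid, :kill)
        end
      _other -> :ok
    end
    loop(mode)
  end

  # Walks lists (improper ones too), tuples and maps looking for a function.
  defp contains_fun?(term) when is_function(term), do: true
  defp contains_fun?([head | tail]), do: contains_fun?(head) or contains_fun?(tail)
  defp contains_fun?(term) when is_tuple(term), do: contains_fun?(Tuple.to_list(term))
  defp contains_fun?(term) when is_map(term), do: contains_fun?(:maps.to_list(term))
  defp contains_fun?(_other), do: false
  # Constructed sample: a serialized fun decoded in a fresh process.
  def demo(mode) do
    start(mode)
    payload = :erlang.term_to_binary(fn -> :ok end)
    spawn(fn ->
      :erlang.binary_to_term(payload)
      Process.sleep(:infinity)
    end)
  end
end
```

RuntimeFunWatch.demo(:block) returns a pid that Process.alive?/1 reports as dead shortly afterwards; with :monitor the process stays alive and only the alert is logged.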

Installation

Exploit Guard is available in Hex. The package can be installed by adding exploit_guard to your list of dependencies in mix.exs:

def deps do
  [
    {:exploit_guard, "~> 1.0.0"}
  ]
end