mattludwigs / exploit_guard

Runtime application self protection for Elixir

ExploitGuard

Introduction

Exploit Guard monitors Elixir applications for functions created at runtime via :erlang.binary_to_term. This is done with the tracing built into Erlang. It is unusual for functions to be created at runtime, so this can be used as a high quality signal of malicious activity. Exploit Guard provides runtime application self protection (RASP) against remote code execution (RCE) exploits in Elixir.

This is an open source component of Paraxial.io Application Secure. For more details, see the blog post, Exploit Guard: Open Source Runtime Application Self Protection for Elixir.

Exploit Guard can be configured in monitor or block mode:

config :exploit_guard,
  mode: :monitor

config :exploit_guard,
  mode: :block

monitor - Logger prints an alert-level severity message. No action is taken; this is the "read only" option.

block - The process where the new function was created is killed, and Logger prints an alert-level severity message.
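
A minimal sketch of the approach described in the introduction: trace :erlang.binary_to_term, inspect what it returns, and react in monitor or block mode. This is an added example, not Exploit Guard's own source; the module name FunTraceSketch, its functions, the log text and the demo payload are assumptions made for illustration.

```elixir
defmodule FunTraceSketch do
  # Added sketch with hypothetical names; the :erlang tracing calls are standard OTP.
  require Logger

  def start(mode) when mode in [:monitor, :block] do
    parent = self()
    tracer =
      spawn(fn ->
        # {:return_trace} makes the VM report the decoded term as :return_from.
        match_spec = [{:_, [], [{:return_trace}]}]
        :erlang.trace_pattern({:erlang, :binary_to_term, :_}, match_spec, [])
        # Trace calls in every current and future process; this process
        # becomes the tracer and is itself exempt from tracing.
        :erlang.trace(:all, true, [:call])
        send(parent, {:tracing, self()})
        loop(mode)
      end)
    receive do
      {:tracing, ^tracer} -> tracer
    end
  end

  defp loop(mode) do
    receive do
      {:trace, pid, :return_from, {:erlang, :binary_to_term, _arity}, term} ->
        if contains_fun?(term) do
          Logger.alert("binary_to_term produced a function in #{inspect(pid)}")
          if mode == :block, do: Process.exit(pid, :kill)
        end
      _other ->
        :ok
    end
    loop(mode)
  end

  # A function can be nested anywhere in the decoded term, so walk it.
  defp contains_fun?(t) when is_function(t), do: true
  defp contains_fun?(t) when is_tuple(t), do: t |> Tuple.to_list() |> contains_fun?()
  defp contains_fun?([h | t]), do: contains_fun?(h) or contains_fun?(t)
  defp contains_fun?(t) when is_map(t), do: t |> Map.to_list() |> contains_fun?()
  defp contains_fun?(_), do: false
end

# Constructed demo: decode a harmless serialized function in another process.
FunTraceSketch.start(:monitor)
payload = :erlang.term_to_binary(%{callback: &String.upcase/1})
spawn(fn -> :erlang.binary_to_term(payload) end)
Process.sleep(200)
```

Trace messages are delivered asynchronously, so in :block mode the kill in this sketch arrives after binary_to_term has already returned in the traced process.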

Installation

Exploit Guard is available in Hex. Install the package by adding exploit_guard to your list of dependencies in mix.exs:

def deps do
  [
    {:exploit_guard, "~> 1.0.0"}
  ]
end

Exploit Guard is sponsored by Paraxial.io, an application security platform for Elixir and Phoenix. If you require enterprise support, please contact us.


License:Apache License 2.0

