Jibril Runtime Security v2.4: Reacting to Detections

1 | author: rafaeldavidtin | 5 months ago
# Jibril Runtime Security v2.4

## Programmable JavaScript Reactions to OS Security Events

We've just released Jibril v2.4 with a new "Reactions" system that fundamentally changes how runtime security works. Instead of just detecting and alerting, you can now write JavaScript code that automatically executes in response to real-time OS security events.

## How it works

Jibril monitors the OS (file access, process execution, network activity, specific kernel logic) and when security events match detection rules, after being printed to enabled printers, JavaScript reactions are triggered. They run in isolated V8 contexts with direct access to system operations:

```javascript
function process(data) {
  // Multi-stage response to crypto miner detection
  if (data.file.basename.match(/^(xmrig|ethminer|cgminer)$/)) {
    Error("Crypto miner detected: " + data.process.cmd);

    // Immediate containment
    KillCurrent();  // Terminate process
    NetBlockIp();   // Block network

    // Evidence collection
    let dir = CreateTempDir("miner-incident-*");
    let evidence = {
      timestamp: new Date().toISOString(),
      process_ancestry: data.base.background.ancestry,
      command_line: data.process.cmd
    };
    WriteFile(dir + "/evidence.json", JSON.stringify(evidence));

    // Track incidents
    let count = parseInt(DataGet("miners_terminated") || "0") + 1;
    DataSet("miners_terminated", String(count));
    Info("Miner #" + count + " terminated and blocked");
  }
}
```

## Technical capabilities

Jibril provides a comprehensive API with 25+ helper functions:

- Process management: `KillCurrent()`, `KillParent()`, `KillProcess(pid)` with safety controls
- Network policy: `NetBlockIp()`, `NetBlockDomain()`, `NetBlockIpTimer()` for real-time blocking
- File operations: `ReadFile()`, `WriteFile()`, `CreateTempDir()` with secure permissions
- Data persistence: key-value store surviving across executions
- *Emergency controls*: `PowerOff()`, `Panic()` for critical threats

Each reaction runs in an isolated V8 context with error handling, executes in milliseconds, handles concurrent execution automatically, and provides audit trails.

Check examples: https://github.com/garnet-org/jibril-wahy/tree/main/jibril/tests

## Beyond simple automation

The programmability enables sophisticated logic:

- Graduated responses: start with logging, escalate to blocking, terminate as a last resort
- Context-aware decisions: block external IPs but whitelist internal infrastructure
- Cross-event correlation: track patterns across multiple security events
- Custom evidence collection: automatically gather exactly the forensic data you need

Reactions are defined in YAML alongside detection rules, so response logic stays coupled with detection logic. Start conservative and gradually increase automation.

## Why this approach matters

Traditional tools detect threats but still require human analysts to respond. This creates a gap where threats continue running while humans investigate. By making response programmable and immediate, you can stop threats in their tracks while maintaining human oversight.

The isolation model means reactions can safely perform powerful operations (including system shutdown) without risking the host system if JavaScript code has bugs.

## Full documentation:

- https://jibril.garnet.ai/customization/reactions
- https://jibril.garnet.ai/customization/alchemies
- https://jibril.garnet.ai/customization/attenuator

Have fun!
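The graduated, cross-event reaction described under "Beyond simple automation", written against the helpers the post lists (`DataGet`/`DataSet`, `NetBlockIp`, `KillCurrent`, `Info`), as an added example that is not code from the post or the Jibril project. The stubs at the top stand in for the globals Jibril's V8 context provides so the file runs offline; the escalation thresholds and the event shape are assumptions modelled on the post's own sample.

```javascript
// Added example, not code from the Jibril post or project. Jibril's V8
// context provides DataGet, DataSet, NetBlockIp, KillCurrent and Info as
// globals; the stubs below exist only so this file runs offline and records
// what the reaction would have done.
const dryRun = { actions: [], kv: new Map() };
if (typeof DataGet === "undefined") {
  globalThis.DataGet = (k) => (dryRun.kv.has(k) ? dryRun.kv.get(k) : null);
  globalThis.DataSet = (k, v) => { dryRun.kv.set(k, v); };
  globalThis.NetBlockIp = () => { dryRun.actions.push("NetBlockIp"); };
  globalThis.KillCurrent = () => { dryRun.actions.push("KillCurrent"); };
  globalThis.Info = (m) => { dryRun.actions.push("Info: " + m); };
}

const MINER_RE = /^(xmrig|ethminer|cgminer)$/;

// Jibril calls a reaction as process(data); it is named minerReaction here
// only so the dry run does not shadow Node's global `process` object.
function minerReaction(data) {
  const name = data.file.basename;
  if (!MINER_RE.test(name)) return "ignored";

  // Cross-event correlation: the key-value store survives across executions,
  // so repeated sightings of the same tool are counted, not treated afresh.
  const key = "sightings:" + name;
  const seen = parseInt(DataGet(key) || "0", 10) + 1;
  DataSet(key, String(seen));

  // Graduated response: log first, block the network second, kill last.
  let stage;
  if (seen === 1) {
    stage = "log";
  } else if (seen === 2) {
    NetBlockIp();
    stage = "block";
  } else {
    NetBlockIp();
    KillCurrent();
    stage = "kill";
  }
  Info(name + " sighting #" + seen + " -> " + stage + ": " + data.process.cmd);
  return stage;
}

// Constructed sample event in the shape the post's example reads from.
function sampleEvent(basename, cmd) {
  return { file: { basename: basename }, process: { cmd: cmd } };
}
```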