Open Source Initiatives

The Capsule8 OSS Sensor is the Open Core of the Capsule8 Workload Protection Platform and serves as the basis for many detections within it. The Sensor is designed to collect security and performance data with minimal impact on your containerized and non-containerized servers. It enables you to understand what your production processes are doing in real time. The Capsule8 OSS Sensor allows you to verify for yourself that Capsule8 is safe and viable in your own environment.

HOW IT WORKS

The Capsule8 OSS Sensor is exposed via a gRPC API. Unlike other solutions, it doesn't require a kernel module, so you no longer have the burden of instrumenting Linux tracing and perf yourself: the Sensor provides this monitoring via its own access to Linux tracing and perf. Because we're tapped into traditional security data (such as fopen, syscalls, network) as well as performance data, we were able to rapidly prototype solutions to Spectre and Meltdown.

To download the Capsule8 Open Source Sensor, visit:

Using the OSS Sensor against Meltdown and Spectre

Meltdown Detection

The Capsule8 Open Source Sensor can be used to detect an attack exploiting Meltdown. The Meltdown vulnerability is the result of speculative execution, specifically the impact speculative execution can have on reading memory contents — not just caching of the addresses where instructions are, but also the memory which those instructions access during execution. This impact on the cache can be timed, and by measuring many successive repetitions of speculative execution, it is possible to conduct a side-channel attack that determines the contents of kernel memory from userland.

Since the Capsule8 Open Source Sensor uses Linux tracing to produce behavioral system security telemetry, its lower-level EventMonitor interface can be used to tap directly into a Linux tracepoint that indicates an attempted exploitation of Meltdown. The detection works by tracking page faults on kernel memory addresses by process ID (PID) and alerting with low, medium, or high severity when a process's event count crosses the defined thresholds. These thresholds are all triggered by published proof-of-concept exploits for Meltdown and are exceedingly unlikely to be triggered otherwise. The Meltdown Detector then emits alerts to server logs; it can also easily be packaged in a container and run as a Kubernetes DaemonSet to quickly deploy it across an entire cluster.
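The per-PID threshold logic described above, written out as an added example in Go (the language the sensor itself is written in); this is not code from the Capsule8 project and does not use its EventMonitor API. The PageFaultEvent struct, the kernel-address test, and the threshold values 5/10/20 are assumptions made for the example; the page gives no numbers, and a real deployment tunes the thresholds against the published proof-of-concept exploits. The event stream is constructed inline.

```go
package main

import "fmt"

// PageFaultEvent is the minimal shape of a page-fault tracepoint record
// assumed for this example (hypothetical type, not the sensor's own): the
// faulting process and the virtual address that faulted.
type PageFaultEvent struct {
	PID     uint32
	Address uint64
}

// Severity levels, in ascending order; None means no threshold crossed yet.
type Severity int

const (
	None Severity = iota
	Low
	Medium
	High
)

func (s Severity) String() string {
	return [...]string{"none", "low", "medium", "high"}[s]
}

// Alert is emitted once each time a PID crosses a higher threshold.
type Alert struct {
	PID      uint32
	Severity Severity
	Count    int
}

// Detector counts kernel-address page faults per PID and remembers the
// highest severity already reported for each PID, so a process that keeps
// faulting does not re-alert on every single event.
type Detector struct {
	LowThreshold, MediumThreshold, HighThreshold int // assumed values for illustration
	counts                                       map[uint32]int
	reported                                     map[uint32]Severity
}

func NewDetector(low, medium, high int) *Detector {
	return &Detector{
		LowThreshold: low, MediumThreshold: medium, HighThreshold: high,
		counts:   make(map[uint32]int),
		reported: make(map[uint32]Severity),
	}
}

// isKernelAddress reports whether a virtual address lies in the upper
// (kernel) half of the x86-64 canonical address space under 4-level paging.
func isKernelAddress(addr uint64) bool {
	return addr >= 0xffff800000000000
}

func (d *Detector) severityFor(count int) Severity {
	switch {
	case count >= d.HighThreshold:
		return High
	case count >= d.MediumThreshold:
		return Medium
	case count >= d.LowThreshold:
		return Low
	}
	return None
}

// Observe feeds one event in. User-space faults are normal and ignored;
// a kernel-address fault increments the PID's count and yields an alert
// only when that count crosses a threshold not yet reported for the PID.
func (d *Detector) Observe(ev PageFaultEvent) (Alert, bool) {
	if !isKernelAddress(ev.Address) {
		return Alert{}, false
	}
	d.counts[ev.PID]++
	sev := d.severityFor(d.counts[ev.PID])
	if sev > d.reported[ev.PID] {
		d.reported[ev.PID] = sev
		return Alert{PID: ev.PID, Severity: sev, Count: d.counts[ev.PID]}, true
	}
	return Alert{}, false
}

// RunDetector replays a batch of events and returns every alert emitted.
func RunDetector(d *Detector, events []PageFaultEvent) []Alert {
	var alerts []Alert
	for _, ev := range events {
		if a, ok := d.Observe(ev); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// SampleEvents is a constructed stream: PID 4242 repeatedly faults on kernel
// addresses (the pattern a Meltdown PoC produces), PID 1000 faults only in
// user space and must never alert.
func SampleEvents() []PageFaultEvent {
	var evs []PageFaultEvent
	for i := uint64(0); i < 25; i++ {
		evs = append(evs, PageFaultEvent{PID: 4242, Address: 0xffffffff81000000 + i*0x1000})
		evs = append(evs, PageFaultEvent{PID: 1000, Address: 0x00007f0000000000 + i*0x1000})
	}
	return evs
}

func main() {
	d := NewDetector(5, 10, 20)
	for _, a := range RunDetector(d, SampleEvents()) {
		fmt.Printf("pid=%d severity=%s kernel_page_faults=%d\n", a.PID, a.Severity, a.Count)
	}
}
```

With the constructed stream the detector raises exactly three alerts, all for PID 4242, as its count reaches 5, 10 and 20; the "report once per level" state is what keeps a real sensor from flooding the server log while the exploit loop is still running.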

Spectre Detection

The Capsule8 Open Source Sensor can be used to detect an attack exploiting Spectre. A common element of all the currently published attacks for all three vulnerability variants of both Spectre and Meltdown is the use of cache timing attacks to leak the speculatively read data to the attacker. Cache side-channel attacks work by putting the cache into a known state and then measuring the time of operations to determine the change in the cache's state.

Some exploitations of Spectre cause significant numbers of cache misses by not accessing memory linearly, and these Last-Level Cache (LLC) misses provide a strong signal that a cache side channel is being used to leak the data. Using the Capsule8 Open Source Attack Detection Sensor, users can set up LLC Loads and LLC Load Misses hardware cache counters on each logical CPU and configure perf to record a sample every 10,000 LLC loads. Each sample includes the logical CPU number, active process ID and thread ID, sample time, and the cumulative counts of LLC Loads and LLC Load Misses. This is a very low-impact way to continuously calculate and monitor the cache miss rate across an entire system, and it easily detects the Spectre proof-of-concept published in the original paper.
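The miss-rate computation over those samples, as an added Go example that is not code from the Capsule8 project: it consumes the per-sample fields the page lists (logical CPU, PID/TID, time, cumulative LLC loads and misses), keeps the previous sample per CPU, and computes the miss rate of each 10,000-load interval from the counter deltas. The LLCSample struct, the 50 % alert threshold, and the sample trace are assumptions constructed for the example; it also handles the one edge case cumulative counters have, a counter that wraps or resets, by re-seeding the baseline rather than producing a bogus rate.

```go
package main

import "fmt"

// LLCSample carries the fields the page says each perf sample includes
// (hypothetical struct for this example). Loads and misses are cumulative
// hardware counter values, not per-interval deltas.
type LLCSample struct {
	CPU       int
	PID, TID  uint32
	TimeNS    uint64
	LLCLoads  uint64
	LLCMisses uint64
}

// Finding is one sampling interval whose LLC miss rate exceeded the threshold.
type Finding struct {
	CPU      int
	PID      uint32
	MissRate float64
}

// MissRateMonitor remembers the previous sample on each logical CPU so the
// interval between two samples (about 10,000 loads at the configured period)
// can be scored from the deltas of the cumulative counters.
type MissRateMonitor struct {
	Threshold float64 // miss-rate fraction above which we alert (assumed value)
	last      map[int]LLCSample
}

func NewMissRateMonitor(threshold float64) *MissRateMonitor {
	return &MissRateMonitor{Threshold: threshold, last: make(map[int]LLCSample)}
}

// Observe returns the interval miss rate for the sample's CPU and whether it
// exceeds the threshold. The first sample on a CPU only seeds the baseline,
// and a counter that went backwards (wrap-around or reset) re-seeds it.
func (m *MissRateMonitor) Observe(s LLCSample) (rate float64, alert bool) {
	prev, ok := m.last[s.CPU]
	m.last[s.CPU] = s
	if !ok || s.LLCLoads < prev.LLCLoads || s.LLCMisses < prev.LLCMisses {
		return 0, false
	}
	loads := s.LLCLoads - prev.LLCLoads
	if loads == 0 {
		return 0, false
	}
	rate = float64(s.LLCMisses-prev.LLCMisses) / float64(loads)
	return rate, rate > m.Threshold
}

// Scan replays a sample stream and returns every interval that alerted,
// attributed to the PID that was active when the sample was taken.
func Scan(m *MissRateMonitor, samples []LLCSample) []Finding {
	var out []Finding
	for _, s := range samples {
		if rate, hit := m.Observe(s); hit {
			out = append(out, Finding{CPU: s.CPU, PID: s.PID, MissRate: rate})
		}
	}
	return out
}

// SampleStream is a constructed trace with one sample per 10,000 LLC loads:
// CPU 0 runs an ordinary process missing on a few percent of loads, while
// CPU 1 runs PID 7 whose non-linear accesses miss on most loads, the
// signature the page describes for the Spectre proof-of-concept.
func SampleStream() []LLCSample {
	const period = 10000
	return []LLCSample{
		{CPU: 0, PID: 1, TID: 1, TimeNS: 0, LLCLoads: 1 * period, LLCMisses: 300},
		{CPU: 1, PID: 7, TID: 7, TimeNS: 5, LLCLoads: 1 * period, LLCMisses: 400},
		{CPU: 0, PID: 1, TID: 1, TimeNS: 1000, LLCLoads: 2 * period, LLCMisses: 600},   // 3 % misses
		{CPU: 1, PID: 7, TID: 7, TimeNS: 1005, LLCLoads: 2 * period, LLCMisses: 9400},  // 90 % misses
		{CPU: 0, PID: 1, TID: 1, TimeNS: 2000, LLCLoads: 3 * period, LLCMisses: 950},   // 3.5 % misses
		{CPU: 1, PID: 7, TID: 7, TimeNS: 2005, LLCLoads: 3 * period, LLCMisses: 18200}, // 88 % misses
	}
}

func main() {
	m := NewMissRateMonitor(0.5)
	for _, f := range Scan(m, SampleStream()) {
		fmt.Printf("cpu=%d pid=%d llc_miss_rate=%.2f\n", f.CPU, f.PID, f.MissRate)
	}
}
```

Because perf delivers cumulative counts, the rate must be computed from differences between consecutive samples on the same CPU, not from a single sample's totals; attributing the interval to the PID recorded in the sample is an approximation, since the process may have been scheduled in partway through the 10,000 loads, which is why a real detector also looks for the rate staying high across several consecutive intervals.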