# Jibril Runtime Security v2.4

## Programmable JavaScript Reactions to OS Security Events

We've just released Jibril v2.4 with a new "Reactions" system that
fundamentally changes how runtime security works. Instead of just detecting and
alerting, you can now write JavaScript code that automatically executes in
response to real-time OS security events.

## How it works

Jibril monitors the OS (file access, process execution, network activity,
specific kernel logic) and when security events match detection rules, after
being printed to enabled printers, JavaScript reactions are triggered. They run
in isolated V8 contexts with direct access to system operations:

```javascript
function process(data) {
  // Multi-stage response to crypto miner detection
  if (data.file.basename.match(/^(xmrig|ethminer|cgminer)$/)) {
    Error("Crypto miner detected: " + data.process.cmd);

    // Immediate containment
    KillCurrent(); // Terminate process
    NetBlockIp();  // Block network

    // Evidence collection
    let dir = CreateTempDir("miner-incident-*");
    let evidence = {
      timestamp: new Date().toISOString(),
      process_ancestry: data.base.background.ancestry,
      command_line: data.process.cmd
    };
    WriteFile(dir + "/evidence.json", JSON.stringify(evidence));

    // Track incidents
    let count = parseInt(DataGet("miners_terminated") || "0") + 1;
    DataSet("miners_terminated", String(count));
    Info("Miner #" + count + " terminated and blocked");
  }
}
```

## Technical capabilities

Jibril provides a comprehensive API with 25+ helper functions:

- Process management: `KillCurrent()`, `KillParent()`, `KillProcess(pid)` with safety controls
- Network policy: `NetBlockIp()`, `NetBlockDomain()`, `NetBlockIpTimer()` for real-time blocking
- File operations: `ReadFile()`, `WriteFile()`, `CreateTempDir()` with secure permissions
- Data persistence: Key-value store surviving across executions
- Emergency controls: `PowerOff()`, `Panic()` for critical threats

Each reaction runs in an isolated V8 context with error handling, executes in
milliseconds, handles concurrent execution automatically, and provides audit
trails. Check the examples: https://github.com/garnet-org/jibril-wahy/tree/main/jibril/tests

## Beyond simple automation

The programmability enables sophisticated logic:

- Graduated responses: Start with logging, escalate to blocking, terminate as last resort
- Context-aware decisions: Block external IPs but whitelist internal infrastructure
- Cross-event correlation: Track patterns across multiple security events
- Custom evidence collection: Automatically gather exactly the forensic data you need

Reactions are defined in YAML alongside detection rules, so response logic
stays coupled with detection logic. Start conservative and gradually increase
automation.

## Why this approach matters

Traditional tools detect threats but still require human analysts to respond.
This creates a gap where threats continue running while humans investigate. By
making response programmable and immediate, you can stop threats in their
tracks while maintaining human oversight.

The isolation model means reactions can safely perform powerful operations
(including system shutdown) without risking the host system if JavaScript code
has bugs.

## Full documentation

- https://jibril.garnet.ai/customization/reactions
- https://jibril.garnet.ai/customization/alchemies
- https://jibril.garnet.ai/customization/attenuator

Have fun!
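As an added example (not code from the Jibril project), here is a reaction that implements the graduated response and cross-event correlation described in the post, using the helper names the post lists. Those helpers exist only inside Jibril's V8 context, so minimal in-memory stand-ins are assumed below so the logic runs under plain Node; the entry point is named `reaction` rather than Jibril's `process` to avoid shadowing Node's global.

```javascript
// Added example: escalate log -> block -> kill as the same command keeps
// reappearing, correlating events through the key-value store.
// Stand-ins (assumption) for the helpers Jibril injects into the V8 context.
const store = new Map();   // stand-in for Jibril's persistent key-value store
const actions = [];        // records which helpers fired, for inspection

function DataGet(key) { return store.get(key); }
function DataSet(key, value) { store.set(key, value); }
function Info(msg) { actions.push("info: " + msg); }
function NetBlockIp() { actions.push("block"); }
function KillCurrent() { actions.push("kill"); }

// Escalation ladder: the first sighting is only logged, the second also
// blocks the event's network peer, the third and later ones terminate it.
const STAGES = ["log", "block", "kill"];

function stageFor(count) {
  return STAGES[Math.min(count, STAGES.length) - 1];
}

// Reaction body; `data.process.cmd` is the event field shown in the post.
function reaction(data) {
  const key = "sightings:" + data.process.cmd;
  const count = parseInt(DataGet(key) || "0", 10) + 1;
  DataSet(key, String(count));          // survives across reaction runs

  const stage = stageFor(count);
  Info(data.process.cmd + " seen " + count + "x -> " + stage);
  if (stage !== "log") NetBlockIp();    // block from the second sighting on
  if (stage === "kill") KillCurrent();  // terminate only as a last resort
  return stage;
}

// Constructed events: the same suspicious command observed three times.
for (let i = 0; i < 3; i++) {
  reaction({ process: { cmd: "xmrig -o pool.example:3333" } });
}
```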