Memory Protection Module
The Memory Protection Module prevents malicious processes from harvesting secrets out of memory during CI builds, such as in the tj-actions/changed-files incident, where attackers leveraged scripts (such as this) to read GitHub Actions runner memory and exfiltrate CI secrets.
How It Works
On Linux systems, processes can read another process's memory by accessing the /proc/<pid>/mem file. While there are legitimate debugging use cases for this behavior, attackers often abuse this mechanism to capture credentials and environment variables directly from memory.
The Memory Protection Module continuously monitors for any unauthorized process attempting to read memory through /proc/<pid>/mem. When such an attempt is detected, the module immediately terminates the offending process, stopping the leak of sensitive data.
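A point-in-time check for the same signal, as an added example (not Cimon's code and not a description of how the module is implemented): it lists processes that hold an open handle on another process's /proc/<pid>/mem. The function names, the name-based allowlist and the sample snapshot are assumptions made for illustration.

```python
import os
import re

MEM_FILE = re.compile(r"^/proc/(\d+)/mem$")

def foreign_mem_handles(snapshot, allowed_comms=frozenset()):
    """Return (reader_pid, reader_comm, target_pid) for each open handle on
    another process's mem file. Self-reads and allowlisted names are skipped."""
    findings = []
    for pid in sorted(snapshot):
        comm, fds = snapshot[pid]["comm"], snapshot[pid]["fds"]
        for target in fds:
            match = MEM_FILE.match(target)
            if not match:
                continue
            target_pid = int(match.group(1))
            if target_pid != pid and comm not in allowed_comms:
                findings.append((pid, comm, target_pid))
    return findings

def snapshot_proc(proc_root="/proc"):
    """Read comm and fd link targets for every process we may inspect."""
    snapshot = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            fd_dir = os.path.join(base, "fd")
            fds = [os.readlink(os.path.join(fd_dir, n)) for n in os.listdir(fd_dir)]
        except OSError:  # process exited mid-scan, or we lack permission
            continue
        snapshot[int(entry)] = {"comm": comm, "fds": fds}
    return snapshot

# Constructed sample: PIDs, names and fd targets are made up for illustration.
SAMPLE = {
    1500: {"comm": "Runner.Worker", "fds": ["/dev/null", "socket:[8812]"]},
    4321: {"comm": "python3", "fds": ["/dev/pts/0", "/proc/1500/mem"]},
    4400: {"comm": "gdb", "fds": ["/proc/1500/mem"]},   # allowlisted debugger
    4500: {"comm": "java", "fds": ["/proc/4500/mem"]},  # reads its own memory
}

if __name__ == "__main__":
    print("sample:", foreign_mem_handles(SAMPLE, allowed_comms={"gdb"}))
    print("live:  ", foreign_mem_handles(snapshot_proc()))
```

Because this polls, a short-lived read can complete between two scans. The comm value is set by the process itself, so a production allowlist should key on something harder to forge, such as the executable path.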
GitHub Actions Integration
To enable Memory Protection in your GitHub Actions workflow, set the memory-protection flag to true when using our Cimon GitHub Action:
- name: Run Cimon
  uses: cycodelabs/cimon-action@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}
    memory-protection: true
This configuration ensures that Cimon immediately terminates any suspicious process reading from /proc/<pid>/mem during the build.
Limitations and Future Enhancements
- False Positives: Some debugging or profiling tools legitimately read process memory. If you rely on such tools in your CI pipeline, you may need to disable or carefully scope Memory Protection.
- Security Coverage: Reading process memory through /proc/<pid>/mem is just one method attackers may use. Other techniques, such as ptrace or mmap, are not monitored by this module at the moment.