{"id":30411205,"url":"https://github.com/5gsec/xim","last_synced_at":"2025-08-22T00:55:44.527Z","repository":{"id":310891966,"uuid":"761475261","full_name":"5GSEC/xIM","owner":"5GSEC","description":"Cross-\u003cprocess/container/pod\u003e Isolation Monitor","archived":false,"fork":false,"pushed_at":"2025-08-20T20:04:25.000Z","size":23,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-20T22:10:53.425Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/5GSEC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-02-21T22:38:29.000Z","updated_at":"2025-08-20T20:04:28.000Z","dependencies_parsed_at":"2025-08-20T22:10:55.914Z","dependency_job_id":"89432c64-364c-4465-83f5-deb4e6974658","html_url":"https://github.com/5GSEC/xIM","commit_stats":null,"previous_names":["5gsec/xim"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/5GSEC/xIM","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/5GSEC%2FxIM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/5GSEC%2FxIM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/5GSEC%2FxIM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/5GSEC%2FxIM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/5GSEC","download_url":"https://codeload.github.com/5GSEC/xIM/
tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/5GSEC%2FxIM/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271569718,"owners_count":24782474,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-21T02:00:08.990Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-22T00:55:38.896Z","updated_at":"2025-08-22T00:55:44.305Z","avatar_url":"https://github.com/5GSEC.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# xIM\nCross process / container / pod Isolation Monitor\n\n---\n\nNote: Use the `python-3.6.9` branch for the NDSS '24 [5G-Spector Artifact](https://github.com/5GSEC/5G-Spector/wiki/5G%E2%80%90Spector-Artifact-in-a-Simulated-LTE-Network).\n\n---\n### Overview\n\nCode execution can be isolated at various granularities, including that of (Linux) processes, containers, or (Kubernetes) pods. Isolation is intended to prevent interaction, thereby limiting the scope of analysis when reliability or security concerns arise. 
Flows that cross isolation boundaries are of particular interest for detecting anomalous activity.\n\nxIM can be run in one of three modes: cross-process, cross-container, or cross-pod tracking:\n\n```\n\u003e ./xim.py --help\nusage: xim.py [-h] [-d] [-g GRANULARITY]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -d, --debug           Emit debug messages (if logging active)\n  -g GRANULARITY, --granularity GRANULARITY\n                        Isolation monitoring granularity (process / container / pod)\n```\n\n---\n\n### Setup\n\nxIM depends on Sysdig. This can be installed on Ubuntu with:\n\n```\n# Update software\nsudo apt update \u0026\u0026 sudo apt upgrade -y\nsudo apt install curl gnupg software-properties-common -y\n\n# Install Sysdig\nsudo curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash\n```\n\nxIM requires root privileges since it monitors system calls from all processes.\n\nxIM and its dependencies can generate system calls as well. To avoid monitoring these, the user that xIM runs as is noted. Calls from processes of this user are excluded.\n\nConsequently, it is advisable to create a `xim` user (and use it for running xIM):\n\n```\n# Setup xIM\nadduser --disabled-password --gecos 'xApp Isolation Monitor' xim\necho 'xim ALL=(ALL) NOPASSWD:ALL' \u003e /etc/sudoers.d/xim\nmkdir /home/xim/bin\nchown -R xim.xim /home/xim/bin/xim.py\n```\n\n(Above `xim.py` is assumed to be installed in `/home/xim/bin`.)\n\n---\n\n### Output\n\nBelow is sample output from xIM, run at cross-process granularity. 
\n\n(This was collected on the [5G-Spector Artifact](https://github.com/5GSEC/5G-Spector/wiki/5G%E2%80%90Spector-Artifact-in-a-Simulated-LTE-Network), after following the steps up to and including the creation of [Normal UE connections](https://github.com/5GSEC/5G-Spector/wiki/5G%E2%80%90Spector-Artifact-in-a-Simulated-LTE-Network#normal-ue-connections).)\n\n```\n\u003e ./xim.py -g process\n...\nWARNING: 2024-01-30 14:48:10 - Cross-process flow: systemd -\u003e /sys/fs/cgroup/memory/kubepods.slice/kubepods-besteffort.slice/memory.limit_in_bytes -\u003e kubelet\nWARNING: 2024-01-30 14:48:10 - Cross-process flow: systemd -\u003e /sys/fs/cgroup/pids/kubepods.slice/kubepods-besteffort.slice/pids.max -\u003e kubelet\nWARNING: 2024-01-30 14:48:11 - Cross-process flow: containerd-shim -\u003e /tmp/runc-process473358252 -\u003e runc\nWARNING: 2024-01-30 14:48:11 - Cross-process flow: 5 -\u003e /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/b13cb2ca563b809bddb9729b23459b7ddfac84fe89d8426aacfd88040617b268/log.json -\u003e runc:[1:CHILD]\nWARNING: 2024-01-30 14:48:11 - Cross-process flow: containerd-shim -\u003e /tmp/runc-process2105527380 -\u003e runc\nWARNING: 2024-01-30 14:48:12 - Cross-process flow: calico-node -\u003e /etc/hosts -\u003e java\nWARNING: 2024-01-30 14:48:12 - Cross-process flow: containerd-shim -\u003e /tmp/runc-process239751121 -\u003e runc\nWARNING: 2024-01-30 14:48:19 - Cross-process flow: containerd-shim -\u003e /tmp/runc-process3591136423 -\u003e runc\nWARNING: 2024-01-30 14:48:24 - Cross-process flow: runc -\u003e /sys/fs/cgroup/cpu,cpuacct/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod498f2655_4500_44d7_97db_47f37d5773a8.slice/cri-containerd-69ecec53e07f5c8b640f3ffab3a474c4833f3602bc1a72829e31ce0c6365ae18.scope/cgroup.procs -\u003e kubelet\nWARNING: 2024-01-30 14:48:24 - Cross-process flow: \u003cNA\u003e -\u003e 
/sys/fs/cgroup/cpu,cpuacct/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod498f2655_4500_44d7_97db_47f37d5773a8.slice/cri-containerd-69ecec53e07f5c8b640f3ffab3a474c4833f3602bc1a72829e31ce0c6365ae18.scope/cgroup.procs -\u003e kubelet\nWARNING: 2024-01-30 14:48:28 - Cross-process flow: runc:[1:CHILD] -\u003e /proc/self/mountinfo -\u003e containerd-shim\n...\n```\n\n---\n\n### Internals\n\nxIM uses Sysdig to monitor I/O events -- that is, system calls such as read() and write() -- of all processes on the host. Sysdig uses eBPF to add only the instrumentation needed to track the required information. This makes the monitoring lightweight.\n\nWhen a write occurs from a process / container / pod, the path at which it occurred is noted. When a read occurs, a check is done to see if any process / container / pod has written to the path previously. If so, the triple of the writer, path, and reader is reported (if it has not previously been output).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F5gsec%2Fxim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F5gsec%2Fxim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F5gsec%2Fxim/lists"}