Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/avilum/secimport
eBPF Python runtime sandbox with seccomp (Blocks RCE).
https://github.com/avilum/secimport
3rd-party bpftrace dtrace ebpf import linux profiling python rce sandbox seccomp security security-tools tracing
Last synced: about 5 hours ago
JSON representation
eBPF Python runtime sandbox with seccomp (Blocks RCE).
- Host: GitHub
- URL: https://github.com/avilum/secimport
- Owner: avilum
- License: mit
- Created: 2022-07-02T21:51:32.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2024-12-05T08:50:04.000Z (17 days ago)
- Last Synced: 2024-12-15T09:00:54.699Z (7 days ago)
- Topics: 3rd-party, bpftrace, dtrace, ebpf, import, linux, profiling, python, rce, sandbox, seccomp, security, security-tools, tracing
- Language: Python
- Homepage: https://avilum.github.io/secimport/
- Size: 374 KB
- Stars: 186
- Watchers: 6
- Forks: 13
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Contributing: docs/CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
- Roadmap: docs/ROADMAP.md
Awesome Lists containing this project
README
# secimport
[![Upload Python Package](https://github.com/avilum/secimport/actions/workflows/python-publish.yml/badge.svg)](https://github.com/avilum/secimport/actions/workflows/python-publish.yml)
![](https://img.shields.io/badge/Test_Coverage-90%-blue)## Module-Level Sandboxing for Python Applications
secimport is an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over your application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.
[
](https://star-history.com/#avilum/secimport&Date)## Key Features
- **Module-Level Security**: Define and enforce syscall restrictions per Python module
- **Automated Profiling**: Traces your application to create tailored security profiles
- **Multiple Enforcement Modes**: Log, stop, or kill processes on policy violations
- **Production Ready**: Negligible performance impact thanks to eBPF
- **Supply Chain Protection**: Mitigate risks from vulnerable dependencies## Quick Start
### Using Docker (Recommended)
```bash
git clone https://github.com/avilum/secimport.git
cd secimport/docker
./build.sh && ./run.sh
```### Manual Installation
1. Install Python with USDT probes:
```bash
# Configure Python with --enable-dtrace
# See detailed instructions in our wiki
```2. Install a supported backend (eBPF or DTrace)
```bash
# Ubuntu/Debian
apt-get install bpftrace# For other platforms, see our Installation wiki
```3. Install secimport
```bash
pip install secimport
```## Creating Your First Sandbox
```bash
secimport interactive# In the Python shell that opens:
>>> secimport trace # Start tracing
>>> import requests # Perform actions you want to profile
>>> # Press CTRL+D to stop tracing>>> secimport build # Build sandbox from trace
>>> secimport run # Run with enforcement
```## Advanced Usage
### Command Line Options
```bash
secimport trace # Trace a new Python process
secimport trace_pid # Trace an existing process
secimport build # Build sandbox from trace
secimport run [options] # Run with enforcement
```### Enforcement Modes
```bash
# Stop on violation
secimport run --stop_on_violation=true# Kill on violation
secimport run --kill_on_violation=true
```### Python API
```python
import secimport# Replace standard import with secure import
requests = secimport.secure_import('requests', allowed_syscalls=['open', 'read', ...])
```## seccomp-bpf support using nsjail
Beside the sandbox that secimport builds,
The `secimport build` command creates an nsjail sandbox with seccomp profile for your traced code.
`nsjail` enables namespace sandboxing with seccomp on linux
`secimport` automatically generates seccomp profiles to use with `nsjail` as executable bash script.
It can be used to limit the syscalls of the entire python process, as another layer of defence.## Documentation
- [Installation Guide](https://github.com/avilum/secimport/wiki/Installation)
- [Command Line Usage](https://github.com/avilum/secimport/wiki/Command-Line-Usage)
- [API Reference](https://github.com/avilum/secimport/wiki/Python-API)
- [Example Sandboxes](https://github.com/avilum/secimport/wiki/Sandbox-Examples)## Learn More
### Technical Resources
- https://www.oligo.security/
- [Talk: secimport at BSides](https://youtu.be/nRV0ulYMsxU?t=1257)
- Blog Posts:
- [secimport + DTrace](https://infosecwriteups.com/sandboxing-python-modules-in-your-code-1e590d71fc26?source=friends_link&sk=5e9a2fa4d4921af0ec94f175f7ee49f9)
- [secimport + eBPF + PyTorch](https://infosecwriteups.com/securing-pytorch-models-with-ebpf-7f75732b842d?source=friends_link&sk=14d8db403aaf66724a8a69b4dea24e12)
- [secimport + eBPF + FastAPI](https://avi-lumelsky.medium.com/secure-fastapi-with-ebpf-724d4aef8d9e?source=friends_link&sk=b01a6b97ef09003b53cd52c479017b03)
## ContributingWe welcome contributions! See our [Contributing Guide](https://github.com/avilum/secimport/blob/master/docs/CONTRIBUTING.md) for details.
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.