Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/avilum/secimport

eBPF Python runtime sandbox with seccomp (Blocks RCE).
https://github.com/avilum/secimport

3rd-party bpftrace dtrace ebpf import linux profiling python rce sandbox seccomp security security-tools tracing

Last synced: 7 days ago
JSON representation

eBPF Python runtime sandbox with seccomp (Blocks RCE).

Host: GitHub
URL: https://github.com/avilum/secimport
Owner: avilum
License: mit
Created: 2022-07-02T21:51:32.000Z (over 2 years ago)
Default Branch: master
Last Pushed: 2024-10-07T09:47:02.000Z (29 days ago)
Last Synced: 2024-10-12T11:42:28.613Z (24 days ago)
Topics: 3rd-party, bpftrace, dtrace, ebpf, import, linux, profiling, python, rce, sandbox, seccomp, security, security-tools, tracing
Language: Python
Homepage: https://avilum.github.io/secimport/
Size: 371 KB
Stars: 181
Watchers: 6
Forks: 12
Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: docs/CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
- Roadmap: docs/ROADMAP.md

Awesome Lists containing this project

README

# secimport

[![Upload Python Package](https://github.com/avilum/secimport/actions/workflows/python-publish.yml/badge.svg)](https://github.com/avilum/secimport/actions/workflows/python-publish.yml)
![](https://img.shields.io/badge/Test_Coverage-90%-blue)

## Module-Level Sandboxing for Python Applications

secimport is an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over your application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.

## Key Features

- **Module-Level Security**: Define and enforce syscall restrictions per Python module
- **Automated Profiling**: Traces your application to create tailored security profiles
- **Multiple Enforcement Modes**: Log, stop, or kill processes on policy violations
- **Production Ready**: Negligible performance impact thanks to eBPF
- **Supply Chain Protection**: Mitigate risks from vulnerable dependencies

## Quick Start

### Using Docker (Recommended)

```bash
git clone https://github.com/avilum/secimport.git
cd secimport/docker
./build.sh && ./run.sh
```

### Manual Installation

1. Install Python with USDT probes:
```bash
# Configure Python with --enable-dtrace
# See detailed instructions in our wiki
```

2. Install a supported backend (eBPF or DTrace)
```bash
# Ubuntu/Debian
apt-get install bpftrace

# For other platforms, see our Installation wiki
```

3. Install secimport
```bash
pip install secimport
```

## Creating Your First Sandbox

```bash
secimport interactive

# In the Python shell that opens:
>>> secimport trace # Start tracing
>>> import requests # Perform actions you want to profile
>>> # Press CTRL+D to stop tracing

>>> secimport build # Build sandbox from trace
>>> secimport run # Run with enforcement
```

## Advanced Usage

### Command Line Options

```bash
secimport trace # Trace a new Python process
secimport trace_pid # Trace an existing process
secimport build # Build sandbox from trace
secimport run [options] # Run with enforcement
```

### Enforcement Modes

```bash
# Stop on violation
secimport run --stop_on_violation=true

# Kill on violation
secimport run --kill_on_violation=true
```

### Python API

```python
import secimport

# Replace standard import with secure import
requests = secimport.secure_import('requests', allowed_syscalls=['open', 'read', ...])
```

## seccomp-bpf support using nsjail

Beside the sandbox that secimport builds,

The `secimport build` command creates an nsjail sandbox with seccomp profile for your traced code.
`nsjail` enables namespace sandboxing with seccomp on linux

`secimport` automatically generates seccomp profiles to use with `nsjail` as executable bash script.
It can be used to limit the syscalls of the entire python process, as another layer of defence.

## Documentation

- [Installation Guide](https://github.com/avilum/secimport/wiki/Installation)
- [Command Line Usage](https://github.com/avilum/secimport/wiki/Command-Line-Usage)
- [API Reference](https://github.com/avilum/secimport/wiki/Python-API)
- [Example Sandboxes](https://github.com/avilum/secimport/wiki/Sandbox-Examples)

## Learn More

### Technical Resources
- https://www.oligo.security/
- [Talk: secimport at BSides](https://youtu.be/nRV0ulYMsxU?t=1257)
- Blog Posts:
- [secimport + DTrace](https://infosecwriteups.com/sandboxing-python-modules-in-your-code-1e590d71fc26?source=friends_link&sk=5e9a2fa4d4921af0ec94f175f7ee49f9)
- [secimport + eBPF + PyTorch](https://infosecwriteups.com/securing-pytorch-models-with-ebpf-7f75732b842d?source=friends_link&sk=14d8db403aaf66724a8a69b4dea24e12)
- [secimport + eBPF + FastAPI](https://avi-lumelsky.medium.com/secure-fastapi-with-ebpf-724d4aef8d9e?source=friends_link&sk=b01a6b97ef09003b53cd52c479017b03)

## Contributing

We welcome contributions! See our [Contributing Guide](https://github.com/avilum/secimport/blob/master/docs/CONTRIBUTING.md) for details.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.