A eBPF runtime sandbox for python that prevents RCE.
Project description
secimport
Module-Level Sandboxing for Python Applications
secimport is an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over your application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.
Key Features
- Module-Level Security: Define and enforce syscall restrictions per Python module
- Automated Profiling: Traces your application to create tailored security profiles
- Multiple Enforcement Modes: Log, stop, or kill processes on policy violations
- Production Ready: Negligible performance impact thanks to eBPF
- Supply Chain Protection: Mitigate risks from vulnerable dependencies
Quick Start
Using Docker (Recommended)
git clone https://github.com/avilum/secimport.git
cd secimport/docker
./build.sh && ./run.sh
Command line:
secimport --help
Usage: python -m secimport.cli [OPTIONS] COMMAND [ARGS]...
secimport is a comprehensive toolkit designed to enable the tracing, construction, and execution of secure Python runtimes. It leverages USDT probes and eBPF/DTrace technologies to enhance overall security measures.
WORKFLOW: 1. secimport trace / secimport shell 2. secimport build 3. secimport run
QUICKSTART: $ secimport interactive
For more details, please see https://github.com/avilum/secimport/wiki/Command-Line-Usage
╭─ Options ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --install-completion Install completion for the current shell. │
│ --show-completion Show completion for the current shell, to copy it or customize the installation. │
│ --help Show this message and exit. │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ trace Trace a Python process using an entrypoint or interactive shell. │
│ shell Alias for 'trace'. │
│ trace-pid Trace a running process by PID. │
│ build Build a sandbox profile from a trace log. │
│ run Run a Python process inside the sandbox. │
│ interactive Run secimport in interactive mode. │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Creating Your First Sandbox
secimport interactive
# In the Python shell that opens:
>>> secimport trace # Start tracing
>>> import requests # Perform actions you want to profile
>>> # Press CTRL+D to stop tracing
>>> secimport build # Build sandbox from trace
>>> secimport run # Run with enforcement
Advanced Usage
Command Line Options
secimport trace # Trace a new Python process
secimport trace_pid <PID> # Trace an existing process
secimport build # Build sandbox from trace
secimport run [options] # Run with enforcement
Enforcement Modes
# Stop on violation
secimport run --stop_on_violation=true
# Kill on violation
secimport run --kill_on_violation=true
Python API
import secimport
# Replace standard import with secure import
requests = secimport.secure_import('requests', allowed_syscalls=['open', 'read', ...])
Manual Installation
-
Install Python with USDT probes:
# Configure Python with --enable-dtrace # See detailed instructions in our wiki
-
Install a supported backend (eBPF or DTrace)
# Ubuntu/Debian apt-get install bpftrace # For other platforms, see our Installation wiki
-
Install secimport
pip install secimport
seccomp-bpf support using nsjail
Beside the sandbox that secimport builds,
The secimport build command creates an nsjail sandbox with seccomp profile for your traced code.
nsjail enables namespace sandboxing with seccomp on linux
secimport automatically generates seccomp profiles to use with nsjail as executable bash script.
It can be used to limit the syscalls of the entire python process, as another layer of defence.
Documentation
Learn More
Technical Resources
- https://www.oligo.security/
- Talk: secimport at BSides
- Blog Posts:
Contributing
We welcome contributions! See our Contributing Guide for details.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file secimport-0.11.0.tar.gz.
File metadata
- Download URL: secimport-0.11.0.tar.gz
- Upload date:
- Size: 38.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.9.21
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
775b92c6217e32267121539911ca3f0119c99e32b0bd35a92a8d683ebc4e1a7a
|
|
| MD5 |
a32f43169e67e1e103cc5609f4bb371f
|
|
| BLAKE2b-256 |
9e0f5edc875eaae8b5d8336709a7b30cf4c55589b45d6d7bbddcd4b921503f58
|
File details
Details for the file secimport-0.11.0-py3-none-any.whl.
File metadata
- Download URL: secimport-0.11.0-py3-none-any.whl
- Upload date:
- Size: 56.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.9.21
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
78ba3c2ad7f3a6aa0b23c9a388358a7ca03e10b00991ee51c9d1d361a3eb741a
|
|
| MD5 |
696c07327fd2da64951ddc7a2adfb9bd
|
|
| BLAKE2b-256 |
d686537bd22e7a273e6c7d94cea099b52abc000d39c7415caf39512416277c12
|
