Avi Lumelsky edited this page Apr 10, 2023 · 4 revisions

secimport


Build Secure, Tailor-Made Sandboxes for Your Applications

secimport is a cross-platform sandbox toolkit that traces your Python application and enforces privileges per module in your code at runtime. It uses backends like bpftrace (eBPF) and dtrace under the hood.

  • Trace which syscalls are called by each module in your code.
    • secimport uses USDT (Userland Statically Defined Tracing) probes in the runtime using eBPF or dtrace instrumentation scripts.
  • Reduces the risk of supply chain attacks
    • Gives you the ability to trust 3rd party and open-source packages
      • Trace the syscall flow of your application at user-space/os/kernel level and per module.
      • Enforce syscalls per module in production
  • Negligible performance impact thanks to eBPF's performance.
  • Does not change your code.

Quick Start

Follow these steps to run an interactive example:

  1. Build and run the Docker container with a custom kernel that matches your existing OS kernel version:
$ cd docker/ && ./build.sh && ./run.sh

A temporary container will be created, and you will be logged in as the root user.

  2. Use the CLI to create your first tailor-made sandbox:
$ secimport interactive

Let's create our first tailor-made sandbox with secimport!
- A python shell will be opened
- The behavior will be recorded.

...

To sandbox your program using the CLI, start a bpftrace program that logs all the syscalls for all the modules in your application into a file with the secimport trace command. Once you have covered the logic you would like to sandbox, hit CTRL+C or CTRL+D, or wait for the program to finish. Then, build a sandbox from the trace using the secimport build command, and run the sandbox with the secimport run command.
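As an added illustration of the trace-then-build workflow described above (this is not secimport's own code, and the line format below is a constructed stand-in, not secimport's real trace format): a constructed trace of (module, syscall) lines is folded into a per-module syscall allowlist, and an enforcement check flags any later call that a module never made while it was being traced.

```python
from collections import defaultdict

# Constructed trace in a made-up "module syscall" line format (secimport's
# real trace files differ); it stands in for what the trace step records.
TRACE = """\
requests socket
requests connect
requests sendto
requests recvfrom
yaml openat
yaml read
yaml close
"""


def build_policy(trace_text: str) -> dict[str, frozenset[str]]:
    """Fold every observed (module, syscall) pair into a per-module allowlist."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in trace_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        module, syscall = line.split(maxsplit=1)
        seen[module].add(syscall)
    return {module: frozenset(calls) for module, calls in seen.items()}


def check_call(policy: dict[str, frozenset[str]], module: str, syscall: str) -> bool:
    """Enforcement rule: a syscall is allowed only if that module made it during
    tracing. A module that was never traced gets an empty allowlist (deny by default)."""
    return syscall in policy.get(module, frozenset())


def violations(policy: dict[str, frozenset[str]], events: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Replay (module, syscall) events against the policy and return the offenders."""
    return [(m, s) for m, s in events if not check_call(policy, m, s)]


if __name__ == "__main__":
    policy = build_policy(TRACE)
    # Constructed runtime events: yaml suddenly opening a socket is exactly the
    # kind of out-of-profile behaviour a per-module policy is meant to catch.
    events = [("requests", "connect"), ("yaml", "read"), ("yaml", "socket"), ("pickle", "execve")]
    for module, syscall in violations(policy, events):
        print(f"DENY {module}: {syscall}")
```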

For more detailed usage instructions, see the Command-Line Usage page.

Python API

You can also use secimport by replacing import with secimport.secure_import for selected modules. See the Python Imports example for more details.

Installation

For evaluation, we highly recommend using our Docker image instead of self-installing.
If you are not using Docker, follow Installation to install eBPF or DTrace.

  • To install secimport from a git clone, install poetry and run poetry install
  • To install secimport from PyPI (latest stable release): python3 -m pip install secimport

Docker

The quickest way to evaluate secimport is to use our Docker container, which includes bpftrace (eBPF) and other plug-and-play examples.

Examples

The Sandbox Examples page contains basic and advanced real-world examples.

Contributing

For information on how to contribute to secimport, see the Contributing guide.

Roadmap

See the Roadmap for the planned features and development milestones.

Changelog

See the Changelog for development progress and existing features.