secimport

eBPF Python runtime sandbox with seccomp (Blocks RCE).

MIT License

Module-Level Sandboxing for Python Applications

secimport is an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over your application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.

Key Features

  • Module-Level Security: Define and enforce syscall restrictions per Python module
  • Automated Profiling: Traces your application to create tailored security profiles
  • Multiple Enforcement Modes: Log, stop, or kill processes on policy violations
  • Production Ready: Negligible performance impact thanks to eBPF
  • Supply Chain Protection: Mitigate risks from vulnerable dependencies

Quick Start

Using Docker (Recommended)

git clone https://github.com/avilum/secimport.git
cd secimport/docker
./build.sh && ./run.sh

Manual Installation

  1. Install Python with USDT probes:

    # Configure Python with --enable-dtrace
    # See detailed instructions in our wiki
    
  2. Install a supported backend (eBPF or DTrace)

    # Ubuntu/Debian
    apt-get install bpftrace
    
    # For other platforms, see our Installation wiki
    
  3. Install secimport

    pip install secimport
    

Creating Your First Sandbox

secimport interactive

# In the Python shell that opens:
>>> secimport trace   # Start tracing
>>> import requests   # Perform actions you want to profile
>>> # Press CTRL+D to stop tracing

>>> secimport build   # Build sandbox from trace
>>> secimport run     # Run with enforcement

Advanced Usage

Command Line Options

secimport trace              # Trace a new Python process
secimport trace_pid <PID>    # Trace an existing process
secimport build              # Build sandbox from trace
secimport run [options]      # Run with enforcement

Enforcement Modes

# Stop on violation
secimport run --stop_on_violation=true

# Kill on violation
secimport run --kill_on_violation=true

Python API

import secimport

# Replace standard import with secure import
requests = secimport.secure_import('requests', allowed_syscalls=['open', 'read', ...])

seccomp-bpf support using nsjail

In addition to the sandbox that secimport itself builds, the secimport build command creates an nsjail sandbox with a seccomp profile for your traced code. nsjail provides namespace sandboxing with seccomp on Linux, and secimport automatically generates the seccomp profile for it as an executable bash script. It can be used to limit the syscalls of the entire Python process, as another layer of defence.
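
The following is an added example, not secimport's own code: a simplified model of the trace, build and run workflow that shows why per-module allowlists catch what a process-wide seccomp filter alone lets through. The event data, function names and the default-deny rule for untraced modules are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed trace events (module, syscall), standing in for profiler output.
TRACE = [
    ("requests", "socket"), ("requests", "connect"), ("requests", "sendto"),
    ("requests", "recvfrom"), ("json", "read"), ("subprocess", "execve"),
]
# Constructed runtime events: dependencies doing things they never did while traced.
RUNTIME = [("requests", "connect"), ("requests", "execve"), ("json", "connect")]

STATES = {"log": "running", "stop": "stopped", "kill": "killed"}

def build_profile(trace):
    """Collapse trace events into a per-module syscall allowlist."""
    profile = defaultdict(set)
    for module, syscall in trace:
        profile[module].add(syscall)
    return {module: frozenset(calls) for module, calls in profile.items()}

def process_wide(profile):
    """Union of all module allowlists: what one process-level filter permits."""
    return frozenset().union(*profile.values())

def enforce(profile, events, mode="log"):
    """Replay events; return (violations, final process state).

    log         -> record every violation, process keeps running
    stop / kill -> evaluation ends at the first violation
    """
    if mode not in STATES:
        raise ValueError(f"unknown mode: {mode}")
    violations = []
    for module, syscall in events:
        # Assumption: a module absent from the profile has an empty allowlist.
        if syscall in profile.get(module, frozenset()):
            continue
        violations.append((module, syscall))
        if mode != "log":
            return violations, STATES[mode]
    return violations, "running"

if __name__ == "__main__":
    profile = build_profile(TRACE)
    print(enforce(profile, RUNTIME, "log"))
    print(enforce(profile, RUNTIME, "kill"))
    allowed = process_wide(profile)
    # The process-wide union permits every runtime event, so it flags nothing.
    print([event for event in RUNTIME if event[1] not in allowed])
```

Because `subprocess` legitimately needed `execve` during tracing, the process-wide union permits it everywhere; only the per-module check flags `requests` issuing it.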

Contributing

We welcome contributions! See our Contributing Guide for details.

License

This project is licensed under the MIT License - see the LICENSE file for details.