avilum / secimport Goto Github PK

View Code? Open in Web Editor NEW

157.0 6.0 12.0 323 KB

eBPF Python runtime sandbox with seccomp (Blocks RCE).

Home Page: https://avilum.github.io/secimport/

License: MIT License

Python 76.02% Shell 3.76% Dockerfile 2.47% DTrace 16.33% D 1.39% Makefile 0.03%

ebpf python bpftrace linux security-tools sandbox import dtrace tracing profiling

secimport's People

Contributors

Stargazers

Watchers

Forkers

simrit1 frcln seanmcfeely katry0 gmh5225 timb-machine-mirrors yossicohn manuels timb-machine-mirrors webclinic017 santrancisco mouadk

secimport's Issues

ModuleNotFoundError: No module named 'numpy'

Describe the bug
ModuleNotFoundError: No module named 'numpy'

To Reproduce
Steps to reproduce the behavior:

>>> import secimport
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File ".venv/lib/python3.10/site-packages/secimport/__init__.py", line 1, in <module>
    from secimport.sandbox_helper import secure_import
  File ".venv/lib/python3.10/site-packages/secimport/sandbox_helper.py", line 13, in <module>
    from numpy import isin
ModuleNotFoundError: No module named 'numpy'

Desktop (please complete the following information):

OS: MacOS M1

Make destructive flag optional

Make the dtrace destructive attribute optional.

it can be done by crating a variable in the for “PRAGMA destructive” header in the template.

Usage on Debian based systems

Hello,

I don't understand the following since the documentation show that the attribute exists: https://docs.python.org/3.9/library/importlib.html

>>> os = secure_import('os', allow_shells=False)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/dev/secimport_testing/venv/lib/python3.9/site-packages/secimport/sandbox_helper.py", line 50, in secure_import
    assert run_dtrace_script_for_module(
  File "dev/secimport_testing/venv/lib/python3.9/site-packages/secimport/sandbox_helper.py", line 81, in run_dtrace_script_for_module
    module_file_path = create_dtrace_script_for_module(
  File "dev/secimport_testing/venv/lib/python3.9/site-packages/secimport/sandbox_helper.py", line 128, in create_dtrace_script_for_module
    module = importlib.machinery.PathFinder().find_spec(module_name)
AttributeError: module 'importlib' has no attribute 'machinery'

UPDATE: This is not the issue of concern, see comments.

Not working in ubuntu container

Describe the bug
`secimport interactive
Welcome to secimport!

A python code can be traced using "secimport trace" or using "secimport shell"
All the function calls and system calls will be recorded to ./trace.log.

Continue? (y): y

Tracing using ['/home/lukas/venv/lib/python3.10/site-packages/secimport/profiles/trace.bt', '-c', '/home/lukas/venv/bin/python', '-o', 'trace.log', '/home/lukas/venv/bin/python']
Press CTRL+D or CTRL+C to stop the trace gracefully.

ERROR: Unknown error -1: couldn't set RLIMIT_MEMLOCK for bpftrace. If your program is not loading, you can try "ulimit -l 8192" to fix the problem
/home/lukas/venv/lib/python3.10/site-packages/secimport/profiles/trace.bt:703-705: ERROR: tracepoint not found: raw_syscalls:sys_enter
The trace log is at ./trace.log

Running "secimport build"; it compiles ./trace.log which is the trace log to ./sandbox.bt

syscalls:
nsjail sandbox: nsjail -Ml -Mo --chroot / --port 8000 --user 99999 --group 99999 --seccomp_string 'ALLOW { } DEFAULT KILL' -- /home/lukas/venv/bin/python -i
Policy is ready: policy.yaml policy.json

[info] Creating profile for general_requirements
[debug] adding syscall vfork to blocklist for module general_requirements
[debug] adding syscall clone to blocklist for module general_requirements
[debug] adding syscall access to blocklist for module general_requirements
[debug] adding syscall chdir to blocklist for module general_requirements
[debug] adding syscall creat to blocklist for module general_requirements
[debug] adding syscall dup to blocklist for module general_requirements
[debug] adding syscall dup2 to blocklist for module general_requirements
[debug] adding syscall execve to blocklist for module general_requirements
[debug] adding syscall faccessat to blocklist for module general_requirements
[debug] adding syscall fcntl to blocklist for module general_requirements
[debug] adding syscall fdatasync to blocklist for module general_requirements
[debug] adding syscall fork to blocklist for module general_requirements
[debug] adding syscall fstat to blocklist for module general_requirements
[debug] adding syscall fsync to blocklist for module general_requirements
[debug] adding syscall getegid to blocklist for module general_requirements
[debug] adding syscall geteuid to blocklist for module general_requirements
[debug] adding syscall getgid to blocklist for module general_requirements
[debug] adding syscall getgroups to blocklist for module general_requirements
[debug] adding syscall getpid to blocklist for module general_requirements
[debug] adding syscall getppid to blocklist for module general_requirements
[debug] adding syscall getrlimit to blocklist for module general_requirements
[debug] adding syscall getsockname to blocklist for module general_requirements
[debug] adding syscall getsid to blocklist for module general_requirements
[debug] adding syscall getuid to blocklist for module general_requirements
[debug] adding syscall ioctl to blocklist for module general_requirements
[debug] adding syscall link to blocklist for module general_requirements
[debug] adding syscall lseek to blocklist for module general_requirements
[debug] adding syscall lstat to blocklist for module general_requirements
[debug] adding syscall mkdir to blocklist for module general_requirements
[debug] adding syscall mknod to blocklist for module general_requirements
[debug] adding syscall open to blocklist for module general_requirements
[debug] adding syscall openat to blocklist for module general_requirements
[debug] adding syscall pipe to blocklist for module general_requirements
[debug] adding syscall poll to blocklist for module general_requirements
[debug] adding syscall read to blocklist for module general_requirements
[debug] adding syscall readlink to blocklist for module general_requirements
[debug] adding syscall readv to blocklist for module general_requirements
[debug] adding syscall recvfrom to blocklist for module general_requirements
[debug] adding syscall recvmsg to blocklist for module general_requirements
[debug] adding syscall rename to blocklist for module general_requirements
[debug] adding syscall rmdir to blocklist for module general_requirements
[debug] adding syscall select to blocklist for module general_requirements
[debug] adding syscall sendmsg to blocklist for module general_requirements
[debug] adding syscall sendto to blocklist for module general_requirements
[debug] adding syscall setgid to blocklist for module general_requirements
[debug] adding syscall setgroups to blocklist for module general_requirements
[debug] adding syscall setpgid to blocklist for module general_requirements
[debug] adding syscall setpriority to blocklist for module general_requirements
[debug] adding syscall setregid to blocklist for module general_requirements
[debug] adding syscall setreuid to blocklist for module general_requirements
[debug] adding syscall setrlimit to blocklist for module general_requirements
[debug] adding syscall setsid to blocklist for module general_requirements
[debug] adding syscall setsockopt to blocklist for module general_requirements
[debug] adding syscall stat to blocklist for module general_requirements
[debug] adding syscall symlink to blocklist for module general_requirements
[debug] adding syscall truncate to blocklist for module general_requirements
[debug] adding syscall umask to blocklist for module general_requirements
[debug] adding syscall utime to blocklist for module general_requirements
[debug] adding syscall utimes to blocklist for module general_requirements
[debug] adding syscall write to blocklist for module general_requirements
[debug] adding syscall writev to blocklist for module general_requirements
The profile does not contain any modules: policy.yaml
Traceback (most recent call last):
File "/home/lukas/venv/bin/secimport", line 8, in
sys.exit(main())
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 424, in main
fire.Fire(SecImportCLI())
File "/home/lukas/venv/lib/python3.10/site-packages/fire/core.py", line 141, in Fire
component_trace = _Fire(component, args, parsed_flag_args, context, name)
File "/home/lukas/venv/lib/python3.10/site-packages/fire/core.py", line 475, in _Fire
component, remaining_args = _CallAndUpdateTrace(
File "/home/lukas/venv/lib/python3.10/site-packages/fire/core.py", line 691, in _CallAndUpdateTrace
component = fn(*varargs, **kwargs)
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 399, in interactive
SecImportCLI.build()
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 292, in build
bpftrace_sandbox_filename = SecImportCLI.compile_sandbox_from_profile(
File "/home/lukas/venv/lib/python3.10/site-packages/secimport/cli.py", line 165, in compile_sandbox_from_profile
raise AssertionError(
AssertionError: The trace file 'policy.yaml' has 0 modules. A valid policy should include at least 1 module.`

To Reproduce
Steps to reproduce the behavior:

build a docker container
`FROM ubuntu:latest

RUN apt update
&& apt -y upgrade

RUN apt -y install build-essential git bpftrace vim python3.10-venv`

in the container, as root, build and activate venv
python3 -m venv venv
source venv/bin/activate
install secimport
python -m pip install secimport
verify --with-dtrace, success
readelf -n $(which python) | grep -i function__entry
output: Name: function__entry
run secimport
secimport interactive

Allow/Block list configuration

DOD: Enable users to import modules with only specific syscalls.
e.g:

secure_import(..., allow_syscalls=['read', 'select', ...])
secure_import(..., disallow_syscalls=['forkexec', 'chroot', ...])
secure_import(..., allow_syscalls=[('read', '/tmp/'), ...]

Create a .yaml configuration per module in the code

Enable running out of band - without replacing the imports in the code.

Design the configuration file for modules in the code (firejail/nsjail/gvisor profiles are a good place to start with).
Use secimport to create a single dcript policy, based on that configuration file.
Run the application with that policy using dtrace, without using secure_import in the code.
Add poetry scripts for compilation on demand

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.