I built KEIP as a PoC to experiment with "install-time enforcement". It uses BPF LSM hooks to monitor the pip process tree and strictly enforces a whitelist for connect() syscalls. Anything not destined for the package repo (PyPI) gets blocked.
It successfully stopped 100% of the active C2 exfiltration attempts in the dataset I tested.
Open source (GPL). The code is a bit rough but works on kernel 5.8+ with BTF. Repo: https://github.com/Otsmane-Ahmed/KEIP ,Write-up: https://medium.com/@rafik222dz/every-pip-install-you-run-is-a-bet-you-are-making-with-your-machine-9fce4526fc8e
Curious to hear thoughts on kernel-level enforcement vs user-space sandboxing for package managers.
jamiemallers•58m ago
Curious about a few things:
1. How does this handle legitimate post-install network calls? Some packages do license checks or fetch pre-built binaries (e.g. node-gyp downloading prebuilds, or packages that pull ONNX models). A strict PyPI-only whitelist would break those. Do you have a mechanism for user-defined allowlists per package?
2. Have you looked at the performance overhead of the BPF LSM hooks on large dependency trees? Something like a fresh pip install of a data science stack (numpy, pandas, scipy, etc.) can spawn hundreds of subprocesses. Would be interesting to see benchmarks.
3. The kernel 5.8+ BTF requirement is going to be the main adoption barrier. Most CI runners (GitHub Actions, GitLab CI) run on relatively recent kernels, but corporate Jenkins boxes are often pinned to ancient RHEL kernels. Have you considered a fallback mode using seccomp-bpf for older kernels, even if less granular?
The connect() syscall whitelist is elegant because it catches the exfiltration without needing to understand the malware payload. You are basically saying "I do not care what the code does, I care what it talks to." That is the right abstraction for this problem.