SnakeBPF: Runtime Python Package Detection - An eBPF-based approach for Vulnerability Prioritization in Containerized Environments
| dc.contributor.author | Thornell, Alice | |
| dc.contributor.author | Lithell, Anna | |
| dc.contributor.department | Chalmers tekniska högskola / Institutionen för data och informationsteknik | sv |
| dc.contributor.department | Chalmers University of Technology / Department of Computer Science and Engineering | en |
| dc.contributor.examiner | Sabelfeld, Andrei | |
| dc.contributor.supervisor | Eriksson, Benjamin | |
| dc.date.accessioned | 2026-06-30T09:19:19Z | |
| dc.date.issued | 2026 | |
| dc.date.submitted | ||
| dc.description.abstract | Maintaining awareness of software dependencies is essential for system security, as vulnerabilities in dependencies may introduce significant security risks. Static vulnerability scanning tools often identify large numbers of libraries and packages, making vulnerability prioritization challenging. To improve prioritization, it is valuable to determine which packages are actively used during runtime. This thesis presents SnakeBPF, a runtime Python package detection approach based on eBPF tracing of interactions with the Linux kernel. Several data collection sources and strategies are evaluated, and the proposed approach primarily leverages openat system calls to identify Python packages used during program execution. To establish an evaluation baseline, multiple alternatives are considered. Ultimately, results from the static analysis tools Trivy and Syft are used to evaluate the effectiveness of the proposed approach. The detection technique is further evaluated using multiple containerized web applications as well as a 5G packet core Kubernetes cluster to assess its applicability in real-world containerized deployment scenarios. The results demonstrate that information obtained from the openat system call can be used to detect Python packages imported during runtime. However, the approach is sensitive to Python’s in-memory caching mechanisms, which may result in false negatives when tracing is not initiated during application startup or deployment. With correct initialization, the proposed runtime approach SnakeBPF may complement static vulnerability scanning by providing contextual information about actively used dependencies. | |
| dc.identifier.coursecode | DATX05 | |
| dc.identifier.uri | https://hdl.handle.net/20.500.12380/311655 | |
| dc.language.iso | eng | |
| dc.setspec.uppsok | Technology | |
| dc.subject | Vulnerability Scanning, Library Detection, Dynamic Analysis, eBPF, Python Package Detection. | |
| dc.title | SnakeBPF: Runtime Python Package Detection - An eBPF-based approach for Vulnerability Prioritization in Containerized Environments | |
| dc.type.degree | Examensarbete för masterexamen | sv |
| dc.type.degree | Master's Thesis | en |
| dc.type.uppsok | H | |
| local.programme | Computer systems and networks (MPCSN), MSc |
