SnakeBPF: Runtime Python Package Detection - An eBPF-based approach for Vulnerability Prioritization in Containerized Environments

dc.contributor.author: Thornell, Alice
dc.contributor.author: Lithell, Anna
dc.contributor.department: Chalmers tekniska högskola / Institutionen för data och informationsteknik [sv]
dc.contributor.department: Chalmers University of Technology / Department of Computer Science and Engineering [en]
dc.contributor.examiner: Sabelfeld, Andrei
dc.contributor.supervisor: Eriksson, Benjamin
dc.date.accessioned: 2026-06-30T09:19:19Z
dc.date.issued: 2026
dc.date.submitted:
dc.description.abstract: Maintaining awareness of software dependencies is essential for system security, as vulnerabilities in dependencies may introduce significant security risks. Static vulnerability scanning tools often identify large numbers of libraries and packages, making vulnerability prioritization challenging. To improve prioritization, it is valuable to determine which packages are actively used during runtime. This thesis presents SnakeBPF, a runtime Python package detection approach based on eBPF tracing of interactions with the Linux kernel. Several data collection sources and strategies are evaluated, and the proposed approach primarily leverages openat system calls to identify Python packages used during program execution. To establish an evaluation baseline, multiple alternatives are considered. Ultimately, results from the static analysis tools Trivy and Syft are used to evaluate the effectiveness of the proposed approach. The detection technique is further evaluated using multiple containerized web applications as well as a 5G packet core Kubernetes cluster to assess its applicability in real-world containerized deployment scenarios. The results demonstrate that information obtained from the openat system call can be used to detect Python packages imported during runtime. However, the approach is sensitive to Python's in-memory caching mechanisms, which may result in false negatives when tracing is not initiated during application startup or deployment. With correct initialization, the proposed runtime approach SnakeBPF may complement static vulnerability scanning by providing contextual information about actively used dependencies.
dc.identifier.coursecode: DATX05
dc.identifier.uri: https://hdl.handle.net/20.500.12380/311655
dc.language.iso: eng
dc.setspec.uppsok: Technology
dc.subject: Vulnerability Scanning, Library Detection, Dynamic Analysis, eBPF, Python Package Detection.
dc.title: SnakeBPF: Runtime Python Package Detection - An eBPF-based approach for Vulnerability Prioritization in Containerized Environments
dc.type.degree: Examensarbete för masterexamen [sv]
dc.type.degree: Master's Thesis [en]
dc.type.uppsok: H
local.programme: Computer systems and networks (MPCSN), MSc

Download

Original bundle

Name: CSE 26-42 AL AT.pdf
Size: 11.66 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 2.35 KB
Format: Item-specific license agreed upon to submission