OPEN SOURCE • KERNEL NATIVE • EBPF

Absolute Zero Trust
For Docker Runtime.

Stop relying on static scanners. BattleChip is an eBPF firewall that forces your containers to adhere to a strict whitelist. If you didn't define it, the Kernel kills it.

< 1% CPU Overhead
5.7+ Linux Kernel Support
100% Kernel Enforced
eBPF Technology

The "Runtime Gap" in Your Security

Why your WAF and Image Scanners aren't enough.

  • Build Time: Image Scanners & Linters [SECURE]
  • The Runtime Gap: RCE, Shells, File Access, 0-Days [EXPOSED]
  • Network Edge: WAFs & API Gateways [SECURE]

BattleChip vs. Common Exploits

See exactly how kernel-level enforcement breaks the attack chain.

CRITICAL: Log4Shell (CVE-2021-44228)

ATTACK VECTOR: Malicious JNDI string > Java Connects Outbound > Downloads Class > Executes Shell.

🛡️ BATTLECHIP DEFENSE PROTOCOL:

  • 1. Network Block (Lateral Movement): Java attempts connection on port 1389. Policy is restricted to LAN. Connection Dropped.
  • 2. Execution Block (Post-Exploitation): Payload attempts to spawn /bin/sh. Shell privileges revoked at runtime. SIGKILL SENT.

HIGH: Spring4Shell (CVE-2022-22965)

ATTACK VECTOR: Data Binding Exploit > Write JSP Webshell to Root > Execute Command.

🛡️ BATTLECHIP DEFENSE PROTOCOL:

  • 1. File Write Block (Path Whitelisting): tomcat binary restricted to specific log directories. Write attempt to webroot returns -EPERM.
  • 2. Command Injection Block: Webshell attempts whoami. Binary not in allowlist. EXECUTION DENIED.

SYSTEM: Dirty Pipe / Binary Tampering

ATTACK VECTOR: Kernel Exploit > Overwrite System Binary > Persistence.

🛡️ BATTLECHIP DEFENSE PROTOCOL:

  • 1. Immutable Infrastructure: Kernel-level write protection engaged on all system binaries. file_permission hook intercepts write attempt.
  • Outcome: Operation returns -EPERM. Attack Failed.

Enforcement at the Kernel Level

BattleChip installs eBPF hooks directly into the Linux Kernel to police container activity.

%%{init: { 'theme': 'dark', 'themeVariables': { 'fontSize': '18px', 'fontFamily': 'Rajdhani', 'lineWidth': '3px', 'primaryColor': '#2d2d2d', 'primaryTextColor': '#fff', 'lineColor': '#00e676' } }}%%
graph TB
    subgraph UserSpace["USER SPACE"]
        direction TB
        Container["📦 Container App"]
        Attacker["😈 Attacker Payload"]
    end
    subgraph KernelSpace["LINUX KERNEL SPACE (eBPF)"]
        direction TB
        Hooks["🛡️ BattleChip Hooks"]
    end
    %% Connections
    Container -->|1. Authorized Call| Hooks
    Attacker -->|1. Unauthorized Call| Hooks
    %% Logic
    Hooks -->|2. Check Allowlist| Policy{Allowed?}
    %% Outcomes
    Policy -->|Yes| Run["✅ EXECUTE"]
    Policy -->|No| Block["⛔ BLOCK / SIGKILL"]
    %% Styling
    classDef user fill:#1a1a1a,stroke:#555,stroke-width:2px,color:#fff;
    classDef kernel fill:#0a0a0a,stroke:#00e676,stroke-width:3px,color:#fff;
    classDef good fill:#003300,stroke:#00e676,color:#00e676,stroke-width:2px;
    classDef bad fill:#330000,stroke:#ff3d00,color:#ff3d00,stroke-width:2px;
    class Container,Attacker user;
    class Hooks kernel;
    class Run good;
    class Block bad;

Core Capabilities

Audit Mode: Zero Risk Trial

Afraid of breaking production? Run BattleChip in Audit Mode first. We log every violation without blocking traffic. See exactly what would have been blocked before you flip the switch.

$ battle-chip serve --audit-verbose
Kill Mode

When you're ready, enable Kill Mode. If a container violates policy, we don't just block the syscall; we terminate the entire container instantly. Fail secure.

Per-Binary Networking

Prevent data exfiltration. Allow your `node` binary to talk to the internet, but block `curl`, `wget`, and `sh` from sending a single packet.

Automatic Policy Generation

Stop hand-writing JSON. Run BattleChip in Learn Mode. We watch your container, map its behavior, and generate a tight, least-privilege policy for you.

$ battle-chip learn --duration=10m --output=policy.json
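The following is an added illustrative example, not BattleChip's code and not its policy format. It models in Python the loop the page describes: a Learn Mode pass builds a per-binary allowlist (executables, outbound networks, writable paths) from an observed trace, and an enforcement pass then decides the events from the exploit scenarios above (JNDI callback on port 1389, /bin/sh spawn, webshell write to the webroot, system-binary tampering), in Audit Mode (log only) or Kill Mode. The Event shape, the policy layout, the immutable path list, the generalization of observed peers to a /24 and every sample event are constructed here and are assumptions, not BattleChip behaviour.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Event:
    """One observed action (constructed shape, not BattleChip's event format)."""
    binary: str   # executable performing the action
    kind: str     # "exec" | "connect" | "write"
    target: str   # path for exec/write, "ip:port" for connect


# Constructed baseline trace, the kind a learn phase would observe on a healthy app.
BASELINE = [
    Event("/usr/bin/java", "exec", "/usr/bin/java"),
    Event("/usr/bin/java", "connect", "10.0.0.5:5432"),        # LAN database
    Event("/usr/bin/java", "write", "/var/log/app/app.log"),   # its own log dir
]

# Constructed attack trace mirroring the scenarios described on the page.
ATTACK = [
    Event("/usr/bin/java", "connect", "203.0.113.7:1389"),    # JNDI callback, off-LAN
    Event("/usr/bin/java", "exec", "/bin/sh"),                 # spawn a shell
    Event("/usr/bin/java", "write", "/var/www/html/x.jsp"),    # webshell into webroot
    Event("/bin/sh", "exec", "/usr/bin/whoami"),               # post-exploitation command
    Event("/usr/bin/java", "write", "/usr/bin/java"),          # system-binary tampering
]

# Constructed list of prefixes treated as immutable system binaries.
IMMUTABLE = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")


def learn(events):
    """Build a least-privilege allowlist from an observed trace (learn mode)."""
    policy = {"exec": set(), "net": defaultdict(set), "write": defaultdict(set)}
    for ev in events:
        if ev.kind == "exec":
            policy["exec"].add(ev.target)
        elif ev.kind == "connect":
            ip, _port = ev.target.rsplit(":", 1)
            # Generalize each observed peer to its /24 (a constructed choice).
            policy["net"][ev.binary].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        elif ev.kind == "write":
            # Allow the directory the binary was seen writing to, not just the file.
            policy["write"][ev.binary].add(str(PurePosixPath(ev.target).parent) + "/")
    return policy


def decide(policy, ev, mode="kill"):
    """Return (allowed, verdict). Audit mode logs the violation but allows it."""
    if ev.kind == "exec":
        ok = ev.target in policy["exec"]
        verdict = "EXECUTE" if ok else "SIGKILL"
    elif ev.kind == "connect":
        ip, _port = ev.target.rsplit(":", 1)
        addr = ipaddress.ip_address(ip)
        ok = any(addr in net for net in policy["net"].get(ev.binary, ()))
        verdict = "CONNECT" if ok else "DROP"
    elif ev.kind == "write":
        if ev.target.startswith(IMMUTABLE):
            ok = False   # system binaries are write-protected regardless of policy
        else:
            ok = any(ev.target.startswith(p) for p in policy["write"].get(ev.binary, ()))
        verdict = "WRITE" if ok else "-EPERM"
    else:
        ok, verdict = False, "UNKNOWN"
    if not ok and mode == "audit":
        print(f"[AUDIT] would block {ev.kind} {ev.target} by {ev.binary}: {verdict}")
        return True, f"AUDIT:{verdict}"
    return ok, verdict


def enforce(policy, events, mode="kill"):
    """Apply a learned policy to a trace; returns the verdict per event."""
    return [decide(policy, ev, mode)[1] for ev in events]


if __name__ == "__main__":
    learned = learn(BASELINE)
    print("baseline under own policy:", enforce(learned, BASELINE))
    print("attack in audit mode:     ", enforce(learned, ATTACK, mode="audit"))
    print("attack in kill mode:      ", enforce(learned, ATTACK))
```

The point the walk-through makes is that none of the attack steps needs a signature: each is denied simply because the learned baseline never contained it, and the immutable-prefix check denies the tampering write even if a learned policy were somehow wide enough to allow it. Running the baseline back through its own policy is the sanity check to do before switching from audit to kill mode.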

Secure in 3 Commands

Drop-in protection for Docker Compose.

# 1. Add BattleChip to your stack
$ vim docker-compose.yml
# 2. Learn behavior (Auto-generate policy)
$ docker exec battle-chip battle-chip learn --time=5m
# 3. Enforce protection
$ docker exec battle-chip battle-chip serve

[INFO] BATTLECHIP ACTIVE. CONTAINER LOCKED.