11 Repos
Mechanisms for restricting resource access and ensuring secure separation between concurrent tasks.
Distinguishing note: Focuses on runtime security boundaries rather than general authentication.
Explore 11 awesome GitHub repositories matching security & cryptography · Execution Isolation. Refine with filters or upvote what's useful.
SurrealDB is a multi-model database engine designed to store and query document, graph, relational, and vector data within a single ACID-compliant platform. It functions as an AI-native data store, integrating vector search, graph traversal, and machine learning model execution directly into its query layer. By providing a unified declarative query language, the platform eliminates the need for external middleware to synchronize data across different storage models. The platform distinguishes itself through its ability to manage agent memory and complex workflows natively. It allows developer
Executes custom modules within isolated memory sandboxes to maintain system stability and security.
Kestra is a declarative workflow orchestrator designed to manage complex task dependencies and automated processes through versioned configuration files. It functions as a distributed platform that decouples task scheduling from execution by offloading computational workloads to a fleet of worker nodes. The system uses a reactive, event-driven engine to initiate workflows automatically in response to external signals, webhooks, schedules, or file system changes. The platform distinguishes itself through a modular plugin architecture that allows for the integration of custom tasks and external
Provides secure task execution isolation to prevent cross-tenant interference.
Niri is a Wayland compositor and tiling window manager designed for Linux systems. It functions as a display server that organizes application windows into a scrollable, column-based layout, providing a structured environment for managing graphical sessions, input routing, and hardware output. The project distinguishes itself through a declarative configuration engine that enables live-reloading of settings, allowing users to modify window rules, input bindings, and visual appearance without restarting the session. It features a physics-based animation system that uses spring-based curves to
Launches legacy applications within dedicated, ephemeral server instances to maintain system security and stability.
Quarkus is a Kubernetes-native Java framework designed for building high-performance, memory-efficient applications. It utilizes ahead-of-time native compilation to transform Java code into standalone, optimized binaries that eliminate the need for a virtual machine, enabling rapid startup and reduced memory consumption. By performing code augmentation during the build phase, it shifts heavy processing tasks away from runtime, ensuring that applications are optimized for cloud-native environments. The framework distinguishes itself through a unified approach to reactive and imperative program
Creates independent execution environments for reactive tasks to ensure data consistency across asynchronous continuations.
Firefox is a cross-platform web browser engine designed to render web content, execute JavaScript, and manage secure browsing sessions. It utilizes a multi-process isolation architecture that distributes browser tasks across independent operating system processes to ensure stability and prevent site-specific failures from impacting the entire application. The engine incorporates a sandboxed execution environment to restrict web content and untrusted scripts to isolated memory compartments, enforcing security policies that prevent unauthorized access to system resources. The project distinguis
Allocates separate memory compartments for global objects to ensure that code execution remains contained.
Bytebot is an LLM desktop automation framework and virtual Linux desktop environment. It enables AI agents to plan and execute mouse and keyboard actions on a virtual computer using natural language, allowing for autonomous desktop automation and the integration of legacy systems that lack native APIs. The system operates as an LLM API gateway and a Model Context Protocol server, routing requests across multiple language model providers with integrated load balancing and rate limiting. It provides isolated, containerized environments where agents use visual reasoning to interpret screenshots
Runs virtual desktops in isolated containers with restricted network access to protect the host system.
RoadRunner is a high-performance application server and process manager designed to serve PHP applications using a persistent worker model. It eliminates bootload overhead and initialization time by keeping application processes alive between requests, acting as a protocol-agnostic proxy that routes traffic to a pool of supervised workers. The server is built with a plugin-based modular architecture, allowing it to be extended with custom Go plugins and compiled into tailored binaries. It distinguishes itself by providing a unified execution model for a wide array of communication protocols,
Isolates worker processes by launching them under specific system users and groups.
CppGuide is a curated collection of educational resources and practical guides focused on C++ server development, Linux kernel internals, concurrent programming, network protocols, and security exploitation. It provides structured learning paths for backend developers, covering everything from interview preparation to building high-performance network servers and understanding operating system fundamentals. The guide distinguishes itself by offering in-depth, hands-on tutorials that walk through real-world implementations, including building a Redis-like server from scratch, designing custom
Explains kernel task execution isolation using virtual and mapped contexts.
Asterinas is a memory-safe operating system kernel designed to prevent data races and memory corruption. It functions as a Linux-ABI compatible kernel, enabling the execution of existing Linux binaries and container workloads while providing a declarative operating system distribution model. The project distinguishes itself by acting as a virtual machine container host and a confidential computing guest OS, allowing it to run within hardware-isolated Trusted Execution Environments such as Intel TDX. It implements a minimal trusted computing base by isolating unsafe low-level operations and se
Creates isolated environments by disassociating processes from shared system resources.
Exegol is an offensive security platform and containerized tooling orchestrator designed to deploy and manage isolated security operations environments. It functions as a workspace manager that provisions pre-configured security images and toolkits within Docker containers to protect host systems from malicious payloads. The platform distinguishes itself by integrating AI security workflow orchestration, allowing AI assistants to discover and trigger security tools through a standardized communication protocol. It further provides remote desktop gateway capabilities, enabling GUI access via X
The product runs security commands inside a segmented container to maintain system safety and isolation.
Das sandbox-sdk ist ein Development Kit für den Aufbau sicherer, isolierter Ausführungsumgebungen in einem globalen Edge-Netzwerk. Es bietet ein Framework zur Erstellung ephemerer, containerisierter Arbeitsbereiche, die es Entwicklern ermöglichen, nicht vertrauenswürdigen Code auszuführen, Build-Aufgaben zu verwalten und automatisierte Skripte zu hosten, ohne die Sicherheit des Host-Systems zu gefährden. Durch die Nutzung einer serverlosen Laufzeitumgebung ermöglicht die Plattform das Deployment dieser Umgebungen direkt an der Netzwerk-Edge, um eine niedrige Latenz zu gewährleisten. Die Plattform zeichnet sich durch die Integration von Sprachmodellen mit Sandbox-Ausführung aus, was die Entwicklung autonomer KI-Agenten erleichtert, die dynamische Aufgaben ausführen und Code generieren können. Sie enthält spezialisierte Funktionen für interaktives Remote-Development, wie persistente Terminal-Sitzungen und Echtzeit-Stream-Multiplexing, die aktives Debugging und die Beobachtung von Prozessen ermöglichen. Sicherheit wird durch automatisierte Credential-Injection und Netzwerkzugriffskontrollen verwaltet, wodurch sichergestellt wird, dass sensible Authentifizierungstoken vor dem in der Sandbox laufenden Code verborgen bleiben. Über ihre Kernfunktionen hinaus unterstützt die Plattform eine breite Palette von Workflows, einschließlich Web-App-Hosting, automatisierter Build-Pipelines und Remote-Dateisystemverwaltung. Sie bietet Tools zum Mapping interner Container-Dienste auf öffentliche Subdomains, was einen sicheren Remote-Zugriff auf gehostete Dienste ermöglicht. Das System enthält zudem Observability-Funktionen zur Erfassung von Laufzeitdiagnosen sowie Caching-Mechanismen, um Entwicklungszyklen durch die Wiederverwendung von Build-Artefakten zu beschleunigen.
Runs automated scripts and long-running computational tasks within secure, isolated containers to maintain system stability.