25 Repos
Security mechanisms for isolating processes to restrict system access.
Distinguishing note: Focuses on OS-level process isolation, distinct from general application security.
Explore 25 awesome GitHub repositories matching security & cryptography · Process Sandboxing. Refine with filters or upvote what's useful.
LocalAI is a local generative AI platform and inference engine designed to host large language, vision, and audio models on private hardware. It functions as an API compatible gateway that mimics proprietary service endpoints, allowing existing third-party software to integrate with a self-hosted backend. The platform distinguishes itself as a distributed AI model orchestrator, capable of scaling inference across machine clusters using VRAM-aware routing and hardware coordination. It provides a unified interface for diverse open-source backends and supports self-hosted RAG infrastructure thro
Manages system access and prevents resource exhaustion by tracking usage limits against unique authentication keys.
Servo is a high-performance, memory-safe web rendering engine designed for cross-platform embedding. It provides a modular framework that allows developers to integrate web content rendering into native applications across desktop, mobile, and embedded systems. By enforcing strict process isolation and memory safety, the engine creates a secure execution environment for processing web content. The engine distinguishes itself through a task-based, parallelized architecture that decouples layout, style, and rendering processes to maximize responsiveness. It utilizes a hardware-abstracted graphi
Isolates web content in separate processes using operating system sandboxing to restrict access to system resources.
This project is a terminal automation and recording tool that uses a custom declarative scripting language to execute command-line sequences. It functions as a framework for both generating animated media files and performing automated terminal output validation. By managing isolated pseudo-terminal sessions, it captures and renders terminal interactions into high-quality GIFs, videos, or static images. The tool distinguishes itself through its ability to treat terminal sessions as testable, repeatable artifacts. It supports golden-file testing, allowing users to verify command-line behavior
Enforces security by dropping user permissions during the execution of scripted terminal commands.
Sandboxie is an operating system-level virtualization tool designed to run Windows applications in isolated, secure environments. By intercepting system calls and redirecting file system and registry modifications to a separate, discardable storage area, it prevents untrusted software from making permanent changes to the host system. This containment ensures that browser history, temporary files, and potential malware remain trapped within the sandbox, protecting the integrity and privacy of the underlying host. The software distinguishes itself through granular control over the isolation env
Automatically redirects specified programs to run within a designated sandbox upon launch.
Redox is a POSIX-compliant, microkernel-based operating system written entirely in Rust. By utilizing a memory-safe language for the kernel and all system components, the project eliminates common vulnerabilities such as buffer overflows and use-after-free errors. Its architecture relies on a minimal kernel that manages only essential hardware and process isolation, delegating all other system services to unprivileged user-space processes. The system distinguishes itself through a modular design where hardware drivers and system services run as independent user-space daemons, allowing them to
Isolates applications using schemes and namespaces to restrict access to system resources and enhance security.
This repository provides a collection of interactive sample applications and reference implementations for the Electron framework. It serves as a library of API reference demos designed to help developers learn how to implement core desktop features. The project features visual demonstrations of cross-platform GUI management and practical examples of native operating system integration. It includes dedicated samples for handling native modules, crash reports, and the configuration of security implementations such as content security policies and process sandboxing. The codebase covers a broa
Utilizes operating system restrictions to isolate renderer processes and limit their system access.
This project is an AI-powered IDE extension and LLM coding assistant that provides a conversational interface for generating, refactoring, and debugging code. It functions as an AI agent framework and a Model Context Protocol client, connecting AI models to external data sources and tools to automate complex development tasks. The system is distinguished by its use of autonomous AI agents capable of multi-step task execution, including the ability to read files, modify code, and run terminal commands iteratively. It supports recursive agent orchestration through subagent delegation and employ
Isolates agent-executed processes and local servers using OS-level boundaries to restrict system access.
Universal Ctags is a multi-language symbol indexer and regex-based parsing engine used to extract and catalog functions, classes, and variables from source code. It functions as a source code indexer that scans files across diverse programming languages to create searchable catalogs of definitions and declarations. The project is distinguished by its extensible parser framework, which allows users to define new language rules using regular expressions and configuration files. It supports complex parsing scenarios through state-based parsing, stack-oriented scope tracking, and guest-parser del
Uses Seccomp BPF to restrict system calls during inline code processing for improved security.
This repository contains the comprehensive documentation for a code editor focused on AI-assisted software development and remote development workflows. It covers the implementation of AI agents and language models used for autonomous code generation, large-scale refactoring, and task iteration. The project is distinguished by its deep integration of autonomous AI agents capable of web navigation, application logic validation, and orchestrating multi-step development processes. It provides specialized frameworks for tailoring AI behavior through custom instructions, model context protocols, a
Isolates the execution of AI-generated terminal commands via OS-level sandboxing to restrict system access.
OnlineJudge is an automated platform for managing programming contests and evaluating submitted source code. It provides a complete online judge system that compiles, runs, and scores code submissions against predefined test cases within a sandboxed execution environment, ensuring the host system remains protected from untrusted user code. The platform supports both ACM-style penalty-based scoring and OI-style point-based scoring, with real-time leaderboard computation that dynamically updates participant rankings as submissions are judged. Contest organizers can create and schedule timed com
Runs untrusted user code in a restricted child process that intercepts system calls and enforces resource limits.
Firenvim ist eine Browser-Integration und ein Plugin, das Web-Textbereiche und Eingabefelder durch eine vollständige Neovim-Editor-Instanz ersetzt. Es fungiert als webbasierter Texteditor, der Neovim-Buffer mit Browser-DOM-Elementen synchronisiert, um fortgeschrittene Textmanipulation und das Erstellen von Webinhalten zu ermöglichen. Das System nutzt einen bidirektionalen Buffer-Synchronisierer, um Browser-Eingabefelder automatisch zu aktualisieren, während der Editor-Buffer modifiziert wird. Es enthält einen Browser-DOM-Manipulator zur Ausführung von JavaScript-Ausdrücken und zur Simulation von Tastaturereignissen auf Webseiten direkt aus der Editor-Umgebung heraus. Aus Sicherheitsgründen isoliert eine externe Prozess-Sandbox die Editor-Instanz vom Host-Betriebssystem. Das Projekt deckt kontextbezogenes Konfigurationsmanagement ab, wodurch Editor-Einstellungen und Dateinamen-Generierung durch URLs, Domains oder CSS-Selektoren bestimmt werden können. Es bietet zudem Kontrolle über Trigger für die Elementübernahme, Tastendruck-Filterung für native Browser-Shortcuts sowie Optionen zur Behandlung von Inhalten als reiner Text oder rohes HTML.
Uses security profiles to isolate the external editor process from the host operating system.
capa is a static analysis tool that scans executable files to identify what a program can do, detecting capabilities such as API calls, byte sequences, and structural patterns without executing the code. It supports multiple file formats including PE, ELF, .NET, and shellcode, and can also process runtime behavior traces from sandbox reports generated by CAPE, DRAKVUF, or VMRay. The tool integrates directly with reverse engineering environments through plugins for IDA Pro and Ghidra, allowing analysts to view capability matches and author detection rules within their disassembler of choice. C
Processes runtime behavior reports from CAPE, DRAKVUF, or VMRay to detect capabilities from execution logs.
CJDNS ist ein Peer-to-Peer-VPN und ein kryptografisches Netzwerk-Overlay, das ein verschlüsseltes IPv6-Mesh-Netzwerk implementiert. Es fungiert als Router für verteilte Hash-Tabellen und nutzt eine nicht-hierarchische XOR-Metrik, um Datenverkehr über Knoten hinweg zu leiten, ohne auf eine zentrale Instanz oder Registrierung angewiesen zu sein. Das Projekt zeichnet sich dadurch aus, dass es die Netzwerkidentität an kryptografisches Eigentum bindet und eindeutige IPv6-Adressen aus öffentlichen Schlüsseln ableitet. Es stellt sichere Peer-Verbindungen über NAT-Grenzen hinweg sicher, indem es Public-Key-Authentifizierung, Ende-zu-Ende-Paketverschlüsselung und ein Handshake-Protokoll mit Perfect Forward Secrecy verwendet. Die Software deckt ein breites Spektrum an Funktionen ab, darunter automatisierte Peer-Erkennung via DNS-Seeds und lokales Netzwerk-Beaconing sowie Netzwerk-Gateway-Operationen zum Tunneln von Datenverkehr in das öffentliche Internet. Sie enthält Sicherheitskontrollen für Paketintegrität und Replay-Schutz sowie eine administrative API für programmatische Überwachung und Routing-Management. Das System unterstützt die Automatisierung von Diensten beim Systemstart und die Initialisierung virtueller Netzwerktunnel-Geräte.
Restricts system access and reduces security risks by dropping user privileges and limiting the process's ability to open files.
Tsuru is an open-source platform as a service for automating the build, deployment, and scaling of containerized applications. It functions as a container-based deployment engine and a management layer for Kubernetes, transforming source code into container images and coordinating their lifecycles. The platform is designed for multi-cloud infrastructure management, allowing applications to be distributed across different cloud providers and regions to increase resilience. It features a flexible deployment model that supports multi-process containers, enabling a single repository to run differ
Implements and monitors resource quotas for teams to govern infrastructure unit usage.
Das Windows App SDK ist eine Reihe von APIs und UI-Frameworks für die Erstellung nativer Windows-Desktopanwendungen. Es bietet eine Windows-Runtime-API für den Zugriff auf Systemfunktionen und ein dediziertes UI-Framework für die Erstellung responsiver, barrierefreier Oberflächen. Das Projekt fungiert zudem als Deployment-Framework für Desktop-Apps und als lokale KI-Ausführungsumgebung für das Ausführen hardwarebeschleunigter Modelle auf CPUs, GPUs und NPUs. Das SDK zeichnet sich dadurch aus, dass es die Modernisierung von Legacy-Anwendungen ermöglicht, indem Entwickler moderne Steuerelemente und Plattformfunktionen in bestehende Projekte einbetten können, ohne eine vollständige Neuentwicklung. Es nutzt eine native C++-Projektion für performante Systeminteraktionen und verwendet NuGet-basierte Verteilung, um die Framework-Version vom Betriebssystem zu entkoppeln und Side-by-Side-Runtime-Ausführung zu unterstützen. Breite Funktionsbereiche umfassen umfassendes Application-Lifecycle-Management, hardwarebeschleunigtes visuelles Rendering und flexible Bereitstellungsoptionen für sowohl paketierte als auch nicht-paketierte Anwendungen. Es deckt zudem Ressourcenmanagement für lokalisierte Assets, prozessisolierte Sandboxing-Sicherheit sowie Integration für systemweite Benachrichtigungen und Widgets ab. Das Framework unterstützt strukturelle Muster wie die Model-View-ViewModel-Architektur, um Anwendungsdaten von der Benutzeroberfläche zu entkoppeln.
Restricts application access to system resources through a security boundary to protect the host operating system.
sudo-rs ist ein Low-Level-Systemdienstprogramm und ein privilegierter Befehlsausführer, der in Rust geschrieben wurde. Es bietet eine speichersichere Implementierung von sudo und su zum Ausführen von Programmen mit Superuser- oder alternativen Benutzerrechten und zum Wechseln von Sitzungsprivilegien zu anderen lokalen Benutzeridentitäten. Das Projekt integriert sich in Kernel-Sicherheitsmodule, um als sandboxed Prozess-Launcher zu fungieren, der Systemressourcen und Prozessfunktionen während der Ausführung einschränkt. Das Dienstprogramm umfasst Unterstützung für mehrsprachige Systemlokalisierung und nutzt kompilierte Message-Kataloge, um übersetzten UI-Text basierend auf dem System-Locale bereitzustellen.
Restricts system resources and process capabilities by isolating processes through kernel security module integration.
The Chromium Embedded Framework (CEF) is a framework for embedding a full Chromium web browser into native desktop applications, enabling them to render web content and execute JavaScript. It provides a multi-process browser runtime that manages isolated browser, renderer, and GPU processes to maintain application stability and security, along with a process sandboxing framework that restricts child process capabilities to prevent malicious web content from affecting the host system. CEF distinguishes itself through a comprehensive native JavaScript bridge library that bridges native applicat
Restricts child process capabilities to prevent malicious web content from affecting the host system.
gogcli is a single command-line binary that manages Gmail, Drive, Calendar, Docs, Sheets, Slides, Forms, Apps Script, Contacts, People, Tasks, Classroom, Chat, Groups, Keep, and Workspace Admin services through a predictable service resource method grammar. It authenticates across multiple Google accounts using OAuth, service accounts, access tokens, or application default credentials, storing credentials in the OS keyring for secure persistence. The tool also exposes a Model Context Protocol server over stdio that registers typed tools for agent clients, and can invoke any Google Discovery-
Skips confirmation prompts for destructive operations when explicitly enabled for automation.
Supermium is a Chromium-based web browser backported to run on legacy versions of Windows. It uses an abstraction layer to adapt modern engine requirements, enabling contemporary web browsing on older operating systems that lack native support for current Chromium versions. The project integrates content decryption modules to allow the playback of DRM-protected media streams on unsupported platforms. It also features the ability to disable machine-specific encryption, allowing user profiles to be portable across different hardware installations. The browser includes a functional sandbox to i
Isolates web processes within a functional sandbox to prevent malicious content from accessing the host operating system.
This project is a portable implementation of the secure shell toolset designed for deployment across diverse operating systems and platforms. It provides a suite of tools for secure remote login and command execution based on the secure shell protocol. The implementation includes a sandboxed server that isolates processes to limit the impact of potential vulnerabilities on the host operating system. It also functions as a cryptographic key manager for generating and storing security keys to replace or supplement password-based authentication. The project covers encrypted file transfer for mo
Implements secure process sandboxing to isolate server processes from the host operating system.