11 repositories
Mechanisms for restricting resource access and ensuring secure separation between concurrent tasks.
Distinguishing note: Focuses on runtime security boundaries rather than general authentication.
Explore 11 awesome GitHub repositories matching security & cryptography · Execution Isolation.
SurrealDB is a multi-model database engine designed to store and query document, graph, relational, and vector data within a single ACID-compliant platform. It functions as an AI-native data store, integrating vector search, graph traversal, and machine learning model execution directly into its query layer. By providing a unified declarative query language, the platform eliminates the need for external middleware to synchronize data across different storage models. The platform distinguishes itself through its ability to manage agent memory and complex workflows natively. It allows developer
Executes custom modules within isolated memory sandboxes to maintain system stability and security.
Kestra is a declarative workflow orchestrator designed to manage complex task dependencies and automated processes through versioned configuration files. It functions as a distributed platform that decouples task scheduling from execution by offloading computational workloads to a fleet of worker nodes. The system uses a reactive, event-driven engine to initiate workflows automatically in response to external signals, webhooks, schedules, or file system changes. The platform distinguishes itself through a modular plugin architecture that allows for the integration of custom tasks and external
Provides secure task execution isolation to prevent cross-tenant interference.
Niri is a Wayland compositor and tiling window manager designed for Linux systems. It functions as a display server that organizes application windows into a scrollable, column-based layout, providing a structured environment for managing graphical sessions, input routing, and hardware output. The project distinguishes itself through a declarative configuration engine that enables live-reloading of settings, allowing users to modify window rules, input bindings, and visual appearance without restarting the session. It features a physics-based animation system that uses spring-based curves to
Launches legacy applications within dedicated, ephemeral server instances to maintain system security and stability.
Quarkus is a Kubernetes-native Java framework designed for building high-performance, memory-efficient applications. It utilizes ahead-of-time native compilation to transform Java code into standalone, optimized binaries that eliminate the need for a virtual machine, enabling rapid startup and reduced memory consumption. By performing code augmentation during the build phase, it shifts heavy processing tasks away from runtime, ensuring that applications are optimized for cloud-native environments. The framework distinguishes itself through a unified approach to reactive and imperative program
Creates independent execution environments for reactive tasks to ensure data consistency across asynchronous continuations.
Firefox is a cross-platform web browser engine designed to render web content, execute JavaScript, and manage secure browsing sessions. It utilizes a multi-process isolation architecture that distributes browser tasks across independent operating system processes to ensure stability and prevent site-specific failures from impacting the entire application. The engine incorporates a sandboxed execution environment to restrict web content and untrusted scripts to isolated memory compartments, enforcing security policies that prevent unauthorized access to system resources. The project distinguis
Allocates separate memory compartments for global objects to ensure that code execution remains contained.
Bytebot is an LLM desktop automation framework and virtual Linux desktop environment. It enables AI agents to plan and execute mouse and keyboard actions on a virtual computer using natural language, allowing for autonomous desktop automation and the integration of legacy systems that lack native APIs. The system operates as an LLM API gateway and a Model Context Protocol server, routing requests across multiple language model providers with integrated load balancing and rate limiting. It provides isolated, containerized environments where agents use visual reasoning to interpret screenshots
Runs virtual desktops in isolated containers with restricted network access to protect the host system.
RoadRunner is a high-performance application server and process manager designed to serve PHP applications using a persistent worker model. It eliminates bootload overhead and initialization time by keeping application processes alive between requests, acting as a protocol-agnostic proxy that routes traffic to a pool of supervised workers. The server is built with a plugin-based modular architecture, allowing it to be extended with custom Go plugins and compiled into tailored binaries. It distinguishes itself by providing a unified execution model for a wide array of communication protocols,
Isolates worker processes by launching them under specific system users and groups.
CppGuide is a curated collection of educational resources and practical guides focused on C++ server development, Linux kernel internals, concurrent programming, network protocols, and security exploitation. It provides structured learning paths for backend developers, covering everything from interview preparation to building high-performance network servers and understanding operating system fundamentals. The guide distinguishes itself by offering in-depth, hands-on tutorials that walk through real-world implementations, including building a Redis-like server from scratch, designing custom
Explains kernel task execution isolation using virtual and mapped contexts.
Asterinas is a memory-safe operating system kernel designed to prevent data races and memory corruption. It functions as a Linux ABI-compatible kernel, allowing existing Linux binaries and containerized workloads to run while providing a declarative operating system distribution model. The project distinguishes itself by acting as a virtual machine container host and as a confidential computing guest OS, allowing it to run inside hardware-isolated trusted execution environments (TEEs) such as Intel TDX. It implements a minimal trusted computing base by isolating low-level unsafe operations and separates core kernel mechanisms from specific policy implementations. The system covers a wide range of capabilities, including physical and virtual memory management, symmetric multiprocessing, and hardware abstraction for various CPU architectures. It also includes support for secure container runtimes, a complete set of networking and socket primitives, and a specialized toolchain for kernel compilation and emulation. The project supports multi-architecture deployment on x86-64, RISC-V 64, and LoongArch 64 platforms.
Creates isolated environments by disassociating processes from shared system resources.
Exegol is an offensive security platform and containerized tooling orchestrator designed to deploy and manage isolated security operations environments. It functions as a workspace manager that provisions pre-configured security images and toolkits within Docker containers to protect host systems from malicious payloads. The platform distinguishes itself by integrating AI security workflow orchestration, allowing AI assistants to discover and trigger security tools through a standardized communication protocol. It further provides remote desktop gateway capabilities, enabling GUI access via X
The product runs security commands inside a segmented container to maintain system safety and isolation.
The sandbox-sdk is a development kit designed for building secure, isolated execution environments on a global edge network. It provides a framework for creating ephemeral, containerized workspaces that allow developers to run untrusted code, manage build tasks, and host automated scripts without compromising the security of the host system. By leveraging a serverless runtime, the platform allows these environments to be deployed directly at the network edge to ensure low-latency performance. The platform distinguishes itself by integrating language models with sandboxed execution, facilitating the development of autonomous AI agents that can perform dynamic tasks and generate code. It includes specialized features for interactive remote development, such as persistent terminal sessions and real-time stream multiplexing, which enable active debugging and process observation. Security is managed through automated credential injection and network access controls, ensuring that sensitive authentication tokens remain hidden from the code running inside the sandbox. Beyond its core execution capabilities, the platform supports a wide range of workflows, including web application hosting, automated build pipelines, and remote file system management. It provides tools for mapping internal container services to public subdomains, allowing secure remote access to hosted services. The system also includes observability features for capturing runtime diagnostics and caching mechanisms to speed up development cycles by reusing build artifacts.
Runs automated scripts and long-running computational tasks within secure, isolated containers to maintain system stability.