71 repositories
Security techniques that restrict process access to system resources by running them in isolated execution environments.
71 GitHub repositories matching operating systems & systems programming · Process Isolation.
ECC is an LLM agent orchestration framework and cross-platform AI toolkit designed to coordinate multi-model workflows. It provides a system for managing specialized agent roles, reusable skills, and structured planning to execute complex software development tasks across different AI-powered code editors. The project stands out as a Model Context Protocol manager, providing a configuration layer for integrating external servers and auditing tool execution. It further implements an agentic security sandbox that restricts access to sensitive files and scans for secret leaks to secure autonomous workflows. The framework covers broad capability areas, including AI coding workflow automation with test-driven development guardrails, model cost optimization through intelligent routing, and state-isolated memory management. It also includes tools for enforcing language-specific coding standards and managing agent behaviors across various integrated development environments. The system is managed through a command-line interface that handles tool installation, configuration repair, and deployment of tool presets.
Isolates agent session memory into project-specific directories to prevent cross-project data pollution.
The Model Context Protocol is a standardized communication framework designed to connect language models to external data sources, functional tools, and interactive user interfaces. It provides a vendor-neutral interface layer that enables AI hosts to discover and execute capabilities across heterogeneous service environments, using a JSON-RPC based messaging standard to facilitate bidirectional communication between clients and servers. The protocol distinguishes itself through a robust capability-based handshake that negotiates feature sets during session initialization, ensuring compatibil
Executes service instances as independent host-managed processes to enforce security boundaries and resource management.
Docker is an OCI container engine and runtime orchestrator used to build, run, and manage isolated applications. It functions as a container image builder for creating portable snapshots of applications and a registry manager for storing, versioning, and distributing those images across environments. The platform provides a centralized daemon to control the creation, execution, and termination of containerized workloads. It allows for the assembly of modular container systems by combining build tools, registries, and runtimes. Its core capabilities cover container image creation, registry ad
Creates isolated environments by wrapping processes in kernel namespaces for network, mount, and PID views.
Moby is an OCI container engine and runtime manager designed for building, running, and managing isolated containers based on Open Container Initiative standards. It functions as a container daemon and image builder, providing a core engine to orchestrate the full lifecycle of containers and the packaging of source code into portable images. The project provides a standardized HTTP interface that allows for programmatic container management, enabling external clients to control daemon settings and container operations. It supports a rootless security model, allowing the engine daemon to execu
Provides the core ability to execute binaries and scripts in isolated environments using namespaces and cgroups.
Mempalace is a long-term memory management system for large language models that orchestrates the storage and retrieval of conversation history and entity relationships. It functions as a memory orchestrator and Model Context Protocol server, providing AI clients with read and write access to structured knowledge. The system utilizes a temporal knowledge graph to track evolving entity relationships and timelines with validity windows. It employs a hierarchical memory partitioning strategy, organizing data into wings and rooms to isolate specialist agent contexts and restrict semantic searches
Provides logical memory isolation by assigning dedicated data silos to individual specialist agents.
This project is a Docker educational resource and a collection of practical examples designed for learning containerization technologies. It serves as a guide for understanding container fundamentals, including the creation and management of custom images and the use of registries. The repository provides specialized references for container security hardening, such as managing kernel privileges and implementing supply chain security. It also includes tutorials for multi-container orchestration and a DevOps guide focused on CI/CD automation and image optimization. The material covers a broad
Explains the use of kernel namespaces to separate system resources and prevent process interference.
Homebridge is a Node.js home automation server that acts as a bridge to expose non-native smart home devices to Apple HomeKit. It functions as a plugin-based framework that maps proprietary device APIs to standardized home automation services and protocols. The system utilizes a modular plugin architecture and a protocol emulation layer to make third-party hardware appear as native accessories. It further supports cross-platform compatibility by acting as a Matter device bridge, allowing Matter-standard hardware to connect to various home automation controllers. The software includes a web i
Isolates plugins into separate child processes to prevent individual failures from crashing the entire server.
Chromium is an open-source browser platform that provides the foundational codebase for building cross-platform web browsers. At its core, it functions as a web browser engine that interprets standard web technologies to render interactive content and manage the complex lifecycle of web page navigation. The project utilizes a multi-process architecture that separates the browser interface from rendering engines into distinct operating system processes. This design ensures application stability by preventing a single tab crash from affecting the entire browser. Security is maintained through s
Isolates browser interfaces and rendering engines into separate processes to prevent application-wide crashes.
Letta is a framework for building, deploying, and managing autonomous AI agents that maintain persistent state across long-term interactions. It provides a comprehensive suite of primitives for defining agents with configurable personas, modular memory blocks, and tool-use capabilities, enabling them to retain user preferences and conversation history over extended sessions. The platform distinguishes itself through its advanced memory management and orchestration capabilities. It allows agents to autonomously update their own memory, perform retrieval-augmented generation, and coordinate com
Partitions agent memory spaces to ensure data boundaries are maintained during tool execution.
Wasmer is a high-performance runtime engine designed to execute sandboxed WebAssembly modules across server-side, edge, and browser environments. It functions as a comprehensive platform for building, distributing, and running isolated applications, providing a secure and portable execution layer that maintains consistency across diverse hardware architectures and operating systems. The platform distinguishes itself through a robust toolchain that enables cross-language interoperability and the transformation of code into portable binary packages. It supports ahead-of-time binary generation t
Enables secure inter-process communication and process spawning within an isolated environment using dedicated pipes.
Gotty is a web-based terminal emulator that functions as a secure remote shell gateway. It exposes command-line processes as interactive web applications, allowing users to access and manage terminal sessions directly through a standard browser without requiring local terminal software. The system distinguishes itself by integrating with terminal multiplexers to enable shared, real-time collaboration among multiple remote clients. It enforces security through a combination of TLS-encrypted network transport and configurable access control mechanisms, including basic authentication and client
Spawns individual command-line processes in isolated execution environments to ensure user sessions remain sandboxed and independent.
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
Encapsulates application processes within an opaque sandbox that hides them from the host and restricts interaction methods.
Redox is a POSIX-compliant, microkernel-based operating system written entirely in Rust. By utilizing a memory-safe language for the kernel and all system components, the project eliminates common vulnerabilities such as buffer overflows and use-after-free errors. Its architecture relies on a minimal kernel that manages only essential hardware and process isolation, delegating all other system services to unprivileged user-space processes. The system distinguishes itself through a modular design where hardware drivers and system services run as independent user-space daemons, allowing them to
Runs hardware drivers as isolated user-space processes to prevent system-wide corruption and unauthorized memory access.
Memori is an AI agent memory middleware platform designed to provide persistent, context-aware recall for language models. It functions as a non-intrusive layer that intercepts outbound model requests to automatically capture interaction history and execution traces, ensuring that agents maintain continuity across sessions without requiring modifications to existing application logic. The platform distinguishes itself through a dual-model storage architecture that maintains information as both structured relational primitives for precise fact retrieval and rolling narrative summaries for situ
Creates distinct memory spaces for different users by attributing data to specific entity identifiers for secure context retrieval.
systemd is a comprehensive system and service manager for Linux that orchestrates the entire operating system lifecycle. It functions as the primary init system, managing the transition from firmware to a fully initialized user space while providing a unified framework for service orchestration, hardware management, and resource control. The project distinguishes itself through its declarative, unit-based configuration model and dynamic dependency resolution, which allow for efficient, on-demand service activation and socket-based process management. It integrates deep system observability th
Executes background processes in restricted contexts without inheriting user session variables to improve stability.
Planning with files is an enterprise knowledge graph platform designed to transform unstructured organizational data into a searchable, interconnected network. By utilizing a graph-based retrieval-augmented generation engine, the system grounds language model outputs in verified internal data, ensuring that responses are explainable, traceable, and free from hallucinations. The platform distinguishes itself through a focus on data sovereignty and secure, private infrastructure deployment. It enables organizations to maintain full control over sensitive information by processing data locally o
Uses isolation techniques to ensure proprietary information remains confined to specific organizational workflows.
This project is a bare-metal operating system developed for ARM64 architecture. It serves as a low-level implementation of kernel engineering, focusing on the fundamental construction of an OS from the hardware level up. The system is distinguished by its comprehensive approach to ARM64 processor control, featuring a red-black tree task scheduler and a hierarchical page table system for virtual memory management. It implements a sophisticated privilege model that handles transitions between kernel and user modes, ensuring process isolation through address space splitting and exception level m
Ensures process isolation by running programs at the least privileged exception level.
PictureSelector is an Android media selection library and toolkit for browsing and picking images, videos, and audio files from a device album. It provides a comprehensive framework for capturing new photos and videos via system hardware, extracting media metadata, and managing the resulting files. The library features a modular architecture that allows for custom media engine implementations to replace default image loading, file compression, and video playback logic. It offers extensive UI customization, enabling the replacement of default layout resources and theme configurations to modify
Transforms restricted sandbox URIs into accessible local file paths by copying assets to a dedicated internal directory.
Mimalloc is a general purpose dynamic memory allocator for C and C++ designed to increase execution speed and reduce fragmentation. It functions as a scalable heap manager that replaces standard library allocation functions to improve performance and memory efficiency across applications. The project distinguishes itself as both a heap security hardener and a memory corruption detector. It employs randomized allocation, encrypted free lists, and sampled guard pages to mitigate heap exploits and identify buffer overflows or use-after-free errors during runtime. The allocator provides capabili
Creates independent memory regions allowing the bulk destruction of related objects without individual deallocation.
runc is a command-line utility for spawning and running containers on Linux systems according to the Open Container Initiative specification. It serves as a low-level container execution engine that interfaces directly with the host operating system to manage the lifecycle of isolated processes. The tool functions as a Linux process containerizer, utilizing kernel features such as namespaces for process isolation and control groups for resource governance. It enforces security by restricting processes to specific directory trees and dropping unnecessary kernel privileges to minimize the attac
Uses Linux kernel namespaces to create isolated environments where processes have their own view of system resources.