11 repositories
Mechanisms for restricting resource access and ensuring secure separation between concurrent tasks.
Distinguishing note: Focuses on runtime security boundaries rather than general authentication.
Explore 11 awesome GitHub repositories matching security & cryptography · Execution Isolation. Refine with filters or upvote what's useful.
SurrealDB is a multi-model database engine designed to store and query document, graph, relational, and vector data within a single ACID-compliant platform. It functions as an AI-native data store, integrating vector search, graph traversal, and machine learning model execution directly into its query layer. By providing a unified declarative query language, the platform eliminates the need for external middleware to synchronize data across different storage models. The platform distinguishes itself through its ability to manage agent memory and complex workflows natively. It allows developer
Executes custom modules within isolated memory sandboxes to maintain system stability and security.
Kestra is a declarative workflow orchestrator designed to manage complex task dependencies and automated processes through versioned configuration files. It functions as a distributed platform that decouples task scheduling from execution by offloading computational workloads to a fleet of worker nodes. The system uses a reactive, event-driven engine to initiate workflows automatically in response to external signals, webhooks, schedules, or file system changes. The platform distinguishes itself through a modular plugin architecture that allows for the integration of custom tasks and external
Provides secure task execution isolation to prevent cross-tenant interference.
Niri is a Wayland compositor and tiling window manager designed for Linux systems. It functions as a display server that organizes application windows into a scrollable, column-based layout, providing a structured environment for managing graphical sessions, input routing, and hardware output. The project distinguishes itself through a declarative configuration engine that enables live-reloading of settings, allowing users to modify window rules, input bindings, and visual appearance without restarting the session. It features a physics-based animation system that uses spring-based curves to
Launches legacy applications within dedicated, ephemeral server instances to maintain system security and stability.
Quarkus is a Kubernetes-native Java framework designed for building high-performance, memory-efficient applications. It utilizes ahead-of-time native compilation to transform Java code into standalone, optimized binaries that eliminate the need for a virtual machine, enabling rapid startup and reduced memory consumption. By performing code augmentation during the build phase, it shifts heavy processing tasks away from runtime, ensuring that applications are optimized for cloud-native environments. The framework distinguishes itself through a unified approach to reactive and imperative program
Creates independent execution environments for reactive tasks to ensure data consistency across asynchronous continuations.
Firefox is a cross-platform web browser engine designed to render web content, execute JavaScript, and manage secure browsing sessions. It utilizes a multi-process isolation architecture that distributes browser tasks across independent operating system processes to ensure stability and prevent site-specific failures from impacting the entire application. The engine incorporates a sandboxed execution environment to restrict web content and untrusted scripts to isolated memory compartments, enforcing security policies that prevent unauthorized access to system resources. The project distinguis
Allocates separate memory compartments for global objects to ensure that code execution remains contained.
Bytebot is an LLM desktop automation framework and virtual Linux desktop environment. It enables AI agents to plan and execute mouse and keyboard actions on a virtual computer using natural language, allowing for autonomous desktop automation and the integration of legacy systems that lack native APIs. The system operates as an LLM API gateway and a Model Context Protocol server, routing requests across multiple language model providers with integrated load balancing and rate limiting. It provides isolated, containerized environments where agents use visual reasoning to interpret screenshots
Runs virtual desktops in isolated containers with restricted network access to protect the host system.
RoadRunner is a high-performance application server and process manager designed to serve PHP applications using a persistent worker model. It eliminates bootload overhead and initialization time by keeping application processes alive between requests, acting as a protocol-agnostic proxy that routes traffic to a pool of supervised workers. The server is built with a plugin-based modular architecture, allowing it to be extended with custom Go plugins and compiled into tailored binaries. It distinguishes itself by providing a unified execution model for a wide array of communication protocols,
Isolates worker processes by launching them under specific system users and groups.
CppGuide is a curated collection of educational resources and practical guides focused on C++ server development, Linux kernel internals, concurrent programming, network protocols, and security exploitation. It provides structured learning paths for backend developers, covering everything from interview preparation to building high-performance network servers and understanding operating system fundamentals. The guide distinguishes itself by offering in-depth, hands-on tutorials that walk through real-world implementations, including building a Redis-like server from scratch, designing custom
Explains kernel task execution isolation using virtual and mapped contexts.
Asterinas is a memory-safe operating system kernel designed to prevent data races and memory corruption. It functions as a Linux-ABI-compatible kernel, allowing existing Linux binaries and containerized workloads to run while offering a declarative operating system distribution model. The project distinguishes itself by acting as a container host for virtual machines and a guest OS for confidential computing, allowing it to run within hardware-isolated execution environments such as Intel TDX. It implements a minimal trusted computing base by isolating low-level unsafe operations and separates the kernel's fundamental mechanisms from specific policy implementations. The system covers a broad range of capabilities, including physical and virtual memory management, symmetric multiprocessing, and hardware abstraction for various CPU architectures. It also includes support for secure container runtimes, a complete set of network and socket primitives, and a specialized toolchain for compiling and emulating the kernel. The project supports multi-architecture deployment on x86-64, RISC-V 64, and LoongArch 64 platforms.
Creates isolated environments by disassociating processes from shared system resources.
Exegol is an offensive security platform and containerized tooling orchestrator designed to deploy and manage isolated security operations environments. It functions as a workspace manager that provisions pre-configured security images and toolkits within Docker containers to protect host systems from malicious payloads. The platform distinguishes itself by integrating AI security workflow orchestration, allowing AI assistants to discover and trigger security tools through a standardized communication protocol. It further provides remote desktop gateway capabilities, enabling GUI access via X
The product runs security commands inside a segmented container to maintain system safety and isolation.
The sandbox-sdk is a development kit designed for building secure, isolated execution environments on a global edge network. It provides a framework for creating ephemeral, containerized workspaces that let developers run untrusted code, manage build tasks, and host automated scripts without compromising the security of the host system. By leveraging a serverless runtime, the platform allows these environments to be deployed directly at the network edge to ensure low-latency performance. The platform distinguishes itself by integrating language models with sandboxed execution, facilitating the development of autonomous AI agents capable of performing dynamic tasks and generating code. It includes specialized features for interactive remote development, such as persistent terminal sessions and real-time stream multiplexing, which enable active debugging and process observation. Security is handled through automated credential injection and network access controls, ensuring that sensitive authentication tokens remain hidden from code running in the sandbox. Beyond its core execution capabilities, the platform supports a broad range of workflows, including web application hosting, automated build pipelines, and remote file system management. It provides tools for mapping internal container services to public subdomains, enabling secure remote access to hosted services. The system also includes observability features for capturing execution diagnostics and caching mechanisms to speed up development cycles by reusing build artifacts.
Runs automated scripts and long-running computational tasks within secure, isolated containers to maintain system stability.