7 repositories
Restricted environments that isolate the execution of compiled binaries from the host system.
Distinct from Temporary Binary Execution: Existing candidates focus on temporary execution or remote execution; this is about a permanent isolation boundary.
Explore 7 awesome GitHub repositories matching security & cryptography · Binary Execution Sandboxes.
Compiler Explorer is an online tool and analysis platform used to translate source code into assembly in real time. It functions as a cross-compiler analysis tool, allowing users to examine how various compilers and versions translate the same source code into machine code to analyze optimizations and generation patterns. The platform supports low-level language debugging and the comparison of assembly output across different compiler toolchains. It also provides a self-hosted environment option for users who need to run private deployments with custom binaries or operate within secure offlin
Runs untrusted compiler binaries inside restricted environments to prevent unauthorized system access.
Blink is a JIT-based instruction emulator and x86-64 Linux emulator designed to run Linux binaries and ELF files across different host operating systems and architectures. It functions as a binary execution sandbox and system call simulator, providing a controlled environment for running programs. The project distinguishes itself with a terminal user interface for monitoring execution, managing breakpoints, and visualizing JIT compilation paths. It supports self-modifying code through a cache-invalidating memory model and provides execution environment isolation using restricted directory ove
Provides a restricted environment that isolates binaries using directory overlays and mock filesystem interfaces.
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Provides restricted binary execution sandboxes to isolate portable AppImage binaries from host resources.
capa is a binary capability scanner that identifies high-level behaviors and actions an executable can perform, such as network communication or file manipulation. It functions as a malware behavior analysis tool and a MITRE ATT&CK mapping framework, scanning PE, ELF, .NET, and shellcode files through both static analysis and dynamic sandbox report processing. The tool distinguishes itself through a YAML-based detection rule engine that defines detection logic in human-readable files, with conditions expressed as feature combinations and logical operators. It integrates with IDA Pro, Ghidra,
Processes execution reports from CAPE, DRAKVUF, and VMRay sandboxes to detect runtime capabilities.
capa is a static analysis tool that scans executable files to identify what a program can do, detecting capabilities such as API calls, byte sequences, and structural patterns without executing the code. It supports multiple file formats including PE, ELF, .NET, and shellcode, and can also process runtime behavior traces from sandbox reports generated by CAPE, DRAKVUF, or VMRay. The tool integrates directly with reverse engineering environments through plugins for IDA Pro and Ghidra, allowing analysts to view capability matches and author detection rules within their disassembler of choice. C
Processes sandbox-generated reports from CAPE, DRAKVUF, or VMRay to detect capabilities from runtime behavior.
A True Instrumentable Binary Emulation Framework
Runs executable files in a virtual environment that intercepts all system interactions.
Cuckoo is an open-source automated malware analysis system that executes suspicious files inside isolated virtual machines and produces structured behavioral reports. The platform captures system calls, file operations, and network activity during execution, compiling them into comprehensive analysis documents for programmatic consumption. The system operates through a modular analysis pipeline that processes behavioral data, applying YARA signature patterns against captured artifacts to identify known malware families. Each analysis run starts from a clean virtual machine snapshot to ensure
Compiles system calls, file operations, and network activity into comprehensive behavioral analysis reports.