12 repository-uri
Mechanisms for executing administrative tasks in isolated, secure processes to minimize system attack surfaces.
Distinguishing note: Focuses on process-level security isolation for administrative tasks, distinct from general-purpose authentication or encryption libraries.
Explore 12 awesome GitHub repositories matching security & cryptography · Privileged Process Isolation. Refine with filters or upvote what's useful.
FlClash is a cross-platform proxy client designed to manage network traffic through configurable rules and system-level tunnel integration. It functions as a native system orchestrator, coordinating application lifecycle events and background services across desktop and mobile environments. The application utilizes a modular architecture that enables extensibility through local plugins and foreign function interfaces, allowing for direct interaction with native system libraries. It maintains security by isolating restricted administrative tasks within a privileged helper process, which valida
Executes restricted administrative tasks in a separate secure process to safely manage system network tunnels and core services.
Shizuku is a framework that enables standard mobile applications to interact with restricted system-level interfaces and services. By acting as a bridge between the user space and protected system functions, it allows applications to perform privileged operations that are typically inaccessible due to standard operating system sandbox limitations. The project functions by routing requests through a persistent background service, which facilitates communication with internal system services and remote interfaces. This architecture allows for the execution of system-level tasks and the manageme
Routes restricted system requests through a high-privilege background process to bypass sandbox limitations.
This project serves as a comprehensive technical reference for the architecture and design of data-intensive applications. It provides a structured analysis of the fundamental principles required to build reliable, scalable, and maintainable software systems, covering the core trade-offs inherent in modern data infrastructure. The repository explores the mechanics of distributed data management, including strategies for replication, partitioning, and achieving consensus across multiple nodes. It details the design of storage engines, indexing techniques, and transaction management models, whi
Implements process-level security isolation to minimize system attack surfaces and manage authority.
TrollStore is an application installer for iOS that enables the deployment of unsigned software on restricted mobile devices. By bypassing standard code signature verification and security sandbox requirements, it allows users to install and execute applications that originate from outside official distribution channels. The utility functions as an entitlement injection tool, modifying application metadata during installation to grant elevated system permissions. It achieves this by injecting developer certificates into software bundles and utilizing kernel-level modifications to permit the e
Executes application binaries with elevated system credentials to bypass standard security sandboxes.
Gluetun is a containerized network utility designed to route traffic from multiple Docker containers through a secure virtual private network tunnel. It functions as a network gateway that encapsulates outgoing internet traffic to provide privacy and security for isolated application services. The project distinguishes itself by utilizing Linux network namespaces to isolate container traffic, ensuring that all outgoing packets are forced through a dedicated tunnel interface. It supports both OpenVPN and WireGuard protocols, managing the connection lifecycle and routing logic as a sidecar cont
Executes network configuration tasks in isolated, privileged processes to manage kernel routing tables securely.
Gunicorn is a production-grade WSGI HTTP server designed for deploying Python web applications. It functions as a process manager that utilizes a pre-fork worker model, where a master process initializes the application and spawns multiple child processes to handle incoming requests in parallel. This architecture ensures high performance and stability by isolating application execution within persistent worker processes. The server distinguishes itself through its flexible concurrency models and robust process lifecycle management. It supports interchangeable worker types, including synchrono
Executes worker processes under specific user and group identities to enforce security and minimize attack surfaces.
Win32-OpenSSH is a secure shell suite that provides an OpenSSH port for Windows operating systems. It consists of an SSH server for remote management and authentication, a secure shell client for establishing encrypted connections, and an SFTP server for managing files. The project enables secure remote administration of Windows servers and workstations via a command line interface. It supports encrypted file transfers using SFTP and SCP protocols and allows for cross-platform remote management of Windows systems from Linux or macOS environments. The implementation integrates with Windows se
Uses a privilege-separated process model to isolate the monitor from unprivileged child processes for increased security.
gosu este un comutator de identitate a utilizatorului bazat pe Go și un wrapper de proces conceput pentru a executa comenzi sub o identitate specifică de utilizator și grup. Acesta funcționează ca un binar ușor pentru comutarea identităților utilizatorului și redirecționarea semnalelor înainte de a executa un proces țintă. Instrumentul se concentrează pe optimizarea entrypoint-ului containerului și gestionarea utilizatorilor în containerele Docker. Acesta permite executarea proceselor ca utilizatori non-root, asigurându-se în același timp că semnalele sistemului de operare ajung la procesul copil și că comanda țintă este stabilită ca proces principal. Utilitarul gestionează comutarea identității procesului Linux și execuția proceselor privilegiate. Utilizează apeluri de sistem pentru comutarea identității și oferă moștenirea fluxului standard pentru a conecta procesul țintă la fluxurile de intrare și ieșire existente.
Executes binaries with specific user/group credentials while ensuring proper environment variable inheritance.
sudo-rs este un utilitar de sistem low-level și un executor de comenzi privilegiate scris în Rust. Acesta oferă o implementare sigură pentru memorie a sudo și su pentru rularea programelor cu permisiuni de superuser sau utilizator alternativ și comutarea privilegiilor de sesiune către alte identități de utilizator locale. Proiectul se integrează cu modulele de securitate ale kernel-ului pentru a funcționa ca un lansator de procese sandbox, restricționând resursele sistemului și capabilitățile procesului în timpul execuției. Utilitarul include suport pentru localizarea sistemului în mai multe limbi, utilizând cataloage de mesaje compilate pentru a oferi text de interfață tradus în funcție de setările regionale ale sistemului.
Provides mechanisms to spawn new system processes with elevated root-level credentials by altering user and group IDs.
This project is a containerized Linux desktop streamer that renders a full operating system interface in a web browser using encoded video streams. It allows for remote access to various Linux distributions and serves as a platform for browser-based application hosting. The system supports GPU acceleration via KVM and direct hardware passthrough to enable low-latency graphics rendering and video encoding. It also features volume mapping for home directory persistence, ensuring that user data and portable applications survive environment updates. Additional capabilities include the creation o
Creates a secure kiosk environment by disabling terminal and sudo access.
Kore is an event-driven web and WebSocket server framework designed for building high-performance web services and APIs in C or Python. It functions as a secure, concurrent application framework that utilizes non-blocking I/O and isolated worker processes to handle high-concurrency traffic. The project is distinguished by a security-first architecture that features OS-level process sandboxing, privilege separation, and the isolation of private encryption keys into dedicated processes. It enables zero-downtime deployments through dynamic module hot-reloading and provides automated TLS certific
Isolates private encryption keys into dedicated processes to prevent compromise of the primary worker processes.
TizenTubeCobalt is a third-party YouTube client and ad-blocking video player developed for the Tizen operating system. It functions as a Tizen OS application that bridges native C++ functions with JavaScript execution to provide a customized media experience on smart TVs. The application distinguishes itself through advanced content filtering and playback optimizations. It removes video advertisements and uses community-sourced data to automatically skip sponsored segments. Additionally, it includes a video content filter to remove clickbait titles and misleading thumbnails. The project cove
Utilizes operating system primitives to restrict process privileges and isolate sensitive operations from the main application.