25 repository-uri
Security mechanisms for isolating processes to restrict system access.
Distinguishing note: Focuses on OS-level process isolation, distinct from general application security.
Explore 25 awesome GitHub repositories matching security & cryptography · Process Sandboxing. Refine with filters or upvote what's useful.
LocalAI is a local generative AI platform and inference engine designed to host large language, vision, and audio models on private hardware. It functions as an API compatible gateway that mimics proprietary service endpoints, allowing existing third-party software to integrate with a self-hosted backend. The platform distinguishes itself as a distributed AI model orchestrator, capable of scaling inference across machine clusters using VRAM-aware routing and hardware coordination. It provides a unified interface for diverse open-source backends and supports self-hosted RAG infrastructure thro
Manages system access and prevents resource exhaustion by tracking usage limits against unique authentication keys.
Servo is a high-performance, memory-safe web rendering engine designed for cross-platform embedding. It provides a modular framework that allows developers to integrate web content rendering into native applications across desktop, mobile, and embedded systems. By enforcing strict process isolation and memory safety, the engine creates a secure execution environment for processing web content. The engine distinguishes itself through a task-based, parallelized architecture that decouples layout, style, and rendering processes to maximize responsiveness. It utilizes a hardware-abstracted graphi
Isolates web content in separate processes using operating system sandboxing to restrict access to system resources.
This project is a terminal automation and recording tool that uses a custom declarative scripting language to execute command-line sequences. It functions as a framework for both generating animated media files and performing automated terminal output validation. By managing isolated pseudo-terminal sessions, it captures and renders terminal interactions into high-quality GIFs, videos, or static images. The tool distinguishes itself through its ability to treat terminal sessions as testable, repeatable artifacts. It supports golden-file testing, allowing users to verify command-line behavior
Enforces security by dropping user permissions during the execution of scripted terminal commands.
Sandboxie is an operating system-level virtualization tool designed to run Windows applications in isolated, secure environments. By intercepting system calls and redirecting file system and registry modifications to a separate, discardable storage area, it prevents untrusted software from making permanent changes to the host system. This containment ensures that browser history, temporary files, and potential malware remain trapped within the sandbox, protecting the integrity and privacy of the underlying host. The software distinguishes itself through granular control over the isolation env
Automatically redirects specified programs to run within a designated sandbox upon launch.
Redox is a POSIX-compliant, microkernel-based operating system written entirely in Rust. By utilizing a memory-safe language for the kernel and all system components, the project eliminates common vulnerabilities such as buffer overflows and use-after-free errors. Its architecture relies on a minimal kernel that manages only essential hardware and process isolation, delegating all other system services to unprivileged user-space processes. The system distinguishes itself through a modular design where hardware drivers and system services run as independent user-space daemons, allowing them to
Isolates applications using schemes and namespaces to restrict access to system resources and enhance security.
This repository provides a collection of interactive sample applications and reference implementations for the Electron framework. It serves as a library of API reference demos designed to help developers learn how to implement core desktop features. The project features visual demonstrations of cross-platform GUI management and practical examples of native operating system integration. It includes dedicated samples for handling native modules, crash reports, and the configuration of security implementations such as content security policies and process sandboxing. The codebase covers a broa
Utilizes operating system restrictions to isolate renderer processes and limit their system access.
This project is an AI-powered IDE extension and LLM coding assistant that provides a conversational interface for generating, refactoring, and debugging code. It functions as an AI agent framework and a Model Context Protocol client, connecting AI models to external data sources and tools to automate complex development tasks. The system is distinguished by its use of autonomous AI agents capable of multi-step task execution, including the ability to read files, modify code, and run terminal commands iteratively. It supports recursive agent orchestration through subagent delegation and employ
Isolates agent-executed processes and local servers using OS-level boundaries to restrict system access.
Universal Ctags is a multi-language symbol indexer and regex-based parsing engine used to extract and catalog functions, classes, and variables from source code. It functions as a source code indexer that scans files across diverse programming languages to create searchable catalogs of definitions and declarations. The project is distinguished by its extensible parser framework, which allows users to define new language rules using regular expressions and configuration files. It supports complex parsing scenarios through state-based parsing, stack-oriented scope tracking, and guest-parser del
Uses Seccomp BPF to restrict system calls during inline code processing for improved security.
This repository contains the comprehensive documentation for a code editor focused on AI-assisted software development and remote development workflows. It covers the implementation of AI agents and language models used for autonomous code generation, large-scale refactoring, and task iteration. The project is distinguished by its deep integration of autonomous AI agents capable of web navigation, application logic validation, and orchestrating multi-step development processes. It provides specialized frameworks for tailoring AI behavior through custom instructions, model context protocols, a
Isolates the execution of AI-generated terminal commands via OS-level sandboxing to restrict system access.
OnlineJudge is an automated platform for managing programming contests and evaluating submitted source code. It provides a complete online judge system that compiles, runs, and scores code submissions against predefined test cases within a sandboxed execution environment, ensuring the host system remains protected from untrusted user code. The platform supports both ACM-style penalty-based scoring and OI-style point-based scoring, with real-time leaderboard computation that dynamically updates participant rankings as submissions are judged. Contest organizers can create and schedule timed com
Runs untrusted user code in a restricted child process that intercepts system calls and enforces resource limits.
Firenvim is a browser integration and plugin that replaces web text areas and input fields with a full Neovim editor instance. It acts as a web-based text editor that synchronizes Neovim buffers with browser DOM elements to enable advanced text manipulation and web content authoring. The system utilizes a bidirectional buffer synchronizer to automatically update browser input fields as the editor buffer is modified. It includes a browser DOM manipulator for executing JavaScript expressions and simulating keyboard events on web pages directly from the editor environment. For security, an exter
Uses security profiles to isolate the external editor process from the host operating system.
capa is a static analysis tool that scans executable files to identify what a program can do, detecting capabilities such as API calls, byte sequences, and structural patterns without executing the code. It supports multiple file formats including PE, ELF, .NET, and shellcode, and can also process runtime behavior traces from sandbox reports generated by CAPE, DRAKVUF, or VMRay. The tool integrates directly with reverse engineering environments through plugins for IDA Pro and Ghidra, allowing analysts to view capability matches and author detection rules within their disassembler of choice. C
Processes runtime behavior reports from CAPE, DRAKVUF, or VMRay to detect capabilities from execution logs.
CJDNS este un VPN peer-to-peer și un overlay de rețea criptografic care implementează o rețea mesh IPv6 criptată. Acesta funcționează ca un router de tip tabelă hash distribuită, utilizând o metrică XOR non-ierarhică pentru a direcționa traficul prin noduri, fără a depinde de o autoritate sau un registru central. Proiectul se distinge prin legarea identității de rețea de proprietatea criptografică, derivând adrese IPv6 unice din chei publice. Acesta asigură conectivitatea securizată între noduri prin bariere NAT folosind autentificarea cu chei publice, criptarea pachetelor end-to-end și un protocol de handshake care oferă perfect forward secrecy. Software-ul acoperă o gamă largă de capabilități, inclusiv descoperirea automată a nodurilor prin DNS seeds și beaconing în rețeaua locală, precum și operațiuni de gateway pentru tunelarea traficului către internetul public. Include controale de securitate pentru integritatea pachetelor și protecție împotriva atacurilor de tip replay, alături de un API administrativ pentru monitorizare programatică și gestionarea rutării. Sistemul suportă automatizarea serviciilor la boot și inițializarea dispozitivelor de tunelare virtuală.
Restricts system access and reduces security risks by dropping user privileges and limiting the process's ability to open files.
Tsuru este o platformă open-source ca serviciu (PaaS) pentru automatizarea build-ului, deployment-ului și scalării aplicațiilor containerizate. Funcționează ca un motor de deployment bazat pe containere și un strat de gestionare pentru Kubernetes, transformând codul sursă în imagini de container și coordonându-le ciclurile de viață. Platforma este concepută pentru gestionarea infrastructurii multi-cloud, permițând aplicațiilor să fie distribuite pe diferiți furnizori de cloud și regiuni pentru a crește reziliența. Dispune de un model flexibil de deployment care suportă containere multi-proces, permițând unui singur repository să ruleze diferite componente, cum ar fi servere web și background workers, simultan. Domeniile de capabilitate includ furnizarea de servicii gestionate pentru legarea aplicațiilor la baze de date externe și message broker-e, precum și gestionarea cuprinzătoare a identității folosind OAuth și SAML. Sistemul oferă, de asemenea, instrumente pentru controlul accesului în echipă prin permisiuni ierarhice, cote de resurse și rutarea automată a traficului. Platforma poate fi instalată și configurată pe un cluster Kubernetes folosind Helm charts.
Implements and monitors resource quotas for teams to govern infrastructure unit usage.
Windows App SDK este un set de API-uri și framework-uri UI pentru construirea de aplicații desktop native pentru Windows. Oferă un API Windows Runtime pentru accesarea capabilităților sistemului și un framework UI dedicat pentru crearea de interfețe responsive și accesibile. Proiectul funcționează, de asemenea, ca un framework de deployment pentru aplicații desktop și un mediu local de execuție AI pentru rularea modelelor accelerate hardware pe CPU-uri, GPU-uri și NPU-uri. SDK-ul se distinge prin faptul că permite modernizarea aplicațiilor legacy, permițând dezvoltatorilor să încorporeze controale moderne și funcționalități de platformă în proiectele existente fără o rescriere completă. Utilizează o proiecție C++ nativă pentru interacțiuni de înaltă performanță cu sistemul și folosește distribuția bazată pe NuGet pentru a decupla versiunea framework-ului de sistemul de operare, suportând execuția runtime side-by-side. Domeniile largi de capabilități includ gestionarea cuprinzătoare a ciclului de viață al aplicației, randarea vizuală accelerată hardware și opțiuni flexibile de deployment atât pentru aplicații împachetate, cât și neîmpachetate. Acoperă, de asemenea, gestionarea resurselor pentru active localizate, sandboxing izolat de proces pentru securitate și integrare pentru notificări și widget-uri la nivel de sistem. Framework-ul suportă modele structurale precum arhitectura Model-View-ViewModel pentru a decupla datele aplicației de interfața cu utilizatorul.
Restricts application access to system resources through a security boundary to protect the host operating system.
sudo-rs este un utilitar de sistem low-level și un executor de comenzi privilegiate scris în Rust. Acesta oferă o implementare sigură pentru memorie a sudo și su pentru rularea programelor cu permisiuni de superuser sau utilizator alternativ și comutarea privilegiilor de sesiune către alte identități de utilizator locale. Proiectul se integrează cu modulele de securitate ale kernel-ului pentru a funcționa ca un lansator de procese sandbox, restricționând resursele sistemului și capabilitățile procesului în timpul execuției. Utilitarul include suport pentru localizarea sistemului în mai multe limbi, utilizând cataloage de mesaje compilate pentru a oferi text de interfață tradus în funcție de setările regionale ale sistemului.
Restricts system resources and process capabilities by isolating processes through kernel security module integration.
The Chromium Embedded Framework (CEF) is a framework for embedding a full Chromium web browser into native desktop applications, enabling them to render web content and execute JavaScript. It provides a multi-process browser runtime that manages isolated browser, renderer, and GPU processes to maintain application stability and security, along with a process sandboxing framework that restricts child process capabilities to prevent malicious web content from affecting the host system. CEF distinguishes itself through a comprehensive native JavaScript bridge library that bridges native applicat
Restricts child process capabilities to prevent malicious web content from affecting the host system.
gogcli is a single command-line binary that manages Gmail, Drive, Calendar, Docs, Sheets, Slides, Forms, Apps Script, Contacts, People, Tasks, Classroom, Chat, Groups, Keep, and Workspace Admin services through a predictable service resource method grammar. It authenticates across multiple Google accounts using OAuth, service accounts, access tokens, or application default credentials, storing credentials in the OS keyring for secure persistence. The tool also exposes a Model Context Protocol server over stdio that registers typed tools for agent clients, and can invoke any Google Discovery-
Skips confirmation prompts for destructive operations when explicitly enabled for automation.
Supermium is a Chromium-based web browser backported to run on legacy versions of Windows. It uses an abstraction layer to adapt modern engine requirements, enabling contemporary web browsing on older operating systems that lack native support for current Chromium versions. The project integrates content decryption modules to allow the playback of DRM-protected media streams on unsupported platforms. It also features the ability to disable machine-specific encryption, allowing user profiles to be portable across different hardware installations. The browser includes a functional sandbox to i
Isolates web processes within a functional sandbox to prevent malicious content from accessing the host operating system.
This project is a portable implementation of the secure shell toolset designed for deployment across diverse operating systems and platforms. It provides a suite of tools for secure remote login and command execution based on the secure shell protocol. The implementation includes a sandboxed server that isolates processes to limit the impact of potential vulnerabilities on the host operating system. It also functions as a cryptographic key manager for generating and storing security keys to replace or supplement password-based authentication. The project covers encrypted file transfer for mo
Implements secure process sandboxing to isolate server processes from the host operating system.