11 repositories
Mechanisms for restricting resource access and ensuring secure separation between concurrent tasks.
Distinguishing note: Focuses on runtime security boundaries rather than general authentication.
Explore 11 awesome GitHub repositories matching security & cryptography · Execution Isolation.
SurrealDB is a multi-model database engine designed to store and query document, graph, relational, and vector data within a single ACID-compliant platform. It functions as an AI-native data store, integrating vector search, graph traversal, and machine learning model execution directly into its query layer. By providing a unified declarative query language, the platform eliminates the need for external middleware to synchronize data across different storage models. The platform distinguishes itself through its ability to manage agent memory and complex workflows natively. It allows developer
Executes custom modules within isolated memory sandboxes to maintain system stability and security.
Kestra is a declarative workflow orchestrator designed to manage complex task dependencies and automated processes through versioned configuration files. It functions as a distributed platform that decouples task scheduling from execution by offloading computational workloads to a fleet of worker nodes. The system uses a reactive, event-driven engine to initiate workflows automatically in response to external signals, webhooks, schedules, or file system changes. The platform distinguishes itself through a modular plugin architecture that allows for the integration of custom tasks and external
Provides secure task execution isolation to prevent cross-tenant interference.
Niri is a Wayland compositor and tiling window manager designed for Linux systems. It functions as a display server that organizes application windows into a scrollable, column-based layout, providing a structured environment for managing graphical sessions, input routing, and hardware output. The project distinguishes itself through a declarative configuration engine that enables live-reloading of settings, allowing users to modify window rules, input bindings, and visual appearance without restarting the session. It features a physics-based animation system that uses spring-based curves to
Launches legacy applications within dedicated, ephemeral server instances to maintain system security and stability.
Quarkus is a Kubernetes-native Java framework designed for building high-performance, memory-efficient applications. It utilizes ahead-of-time native compilation to transform Java code into standalone, optimized binaries that eliminate the need for a virtual machine, enabling rapid startup and reduced memory consumption. By performing code augmentation during the build phase, it shifts heavy processing tasks away from runtime, ensuring that applications are optimized for cloud-native environments. The framework distinguishes itself through a unified approach to reactive and imperative program
Creates independent execution environments for reactive tasks to ensure data consistency across asynchronous continuations.
Firefox is a cross-platform web browser engine designed to render web content, execute JavaScript, and manage secure browsing sessions. It utilizes a multi-process isolation architecture that distributes browser tasks across independent operating system processes to ensure stability and prevent site-specific failures from impacting the entire application. The engine incorporates a sandboxed execution environment to restrict web content and untrusted scripts to isolated memory compartments, enforcing security policies that prevent unauthorized access to system resources. The project distinguis
Allocates separate memory compartments for global objects to ensure that code execution remains contained.
Bytebot is an LLM desktop automation framework and virtual Linux desktop environment. It enables AI agents to plan and execute mouse and keyboard actions on a virtual computer using natural language, allowing for autonomous desktop automation and the integration of legacy systems that lack native APIs. The system operates as an LLM API gateway and a Model Context Protocol server, routing requests across multiple language model providers with integrated load balancing and rate limiting. It provides isolated, containerized environments where agents use visual reasoning to interpret screenshots
Runs virtual desktops in isolated containers with restricted network access to protect the host system.
RoadRunner is a high-performance application server and process manager designed to serve PHP applications using a persistent worker model. It eliminates bootload overhead and initialization time by keeping application processes alive between requests, acting as a protocol-agnostic proxy that routes traffic to a pool of supervised workers. The server is built with a plugin-based modular architecture, allowing it to be extended with custom Go plugins and compiled into tailored binaries. It distinguishes itself by providing a unified execution model for a wide array of communication protocols,
Isolates worker processes by launching them under specific system users and groups.
CppGuide is a curated collection of educational resources and practical guides focused on C++ server development, Linux kernel internals, concurrent programming, network protocols, and security exploitation. It provides structured learning paths for backend developers, covering everything from interview preparation to building high-performance network servers and understanding operating system fundamentals. The guide distinguishes itself by offering in-depth, hands-on tutorials that walk through real-world implementations, including building a Redis-like server from scratch, designing custom
Explains kernel task execution isolation using virtual and mapped contexts.
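Asterinas is a memory-safe operating system kernel designed to prevent data races and memory corruption. As a Linux-ABI-compatible kernel, it can run existing Linux binaries and container workloads while offering a declarative operating system distribution model. The project distinguishes itself by serving as a virtual machine container host and a confidential computing guest operating system, allowing it to run in hardware-isolated trusted execution environments (TEEs) such as Intel TDX. It achieves a minimal trusted computing base (TCB) by isolating unsafe low-level operations, and separates core kernel mechanisms from specific policy implementations. The system covers a broad range of capabilities, including physical and virtual memory management, symmetric multiprocessing (SMP), and hardware abstraction for various CPU architectures. It also includes support for secure container runtimes, a comprehensive set of networking and socket primitives, and a dedicated toolchain for kernel compilation and emulation. The project supports multi-architecture deployment on x86-64, RISC-V 64, and LoongArch 64 platforms.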
Creates isolated environments by disassociating processes from shared system resources.
Exegol is an offensive security platform and containerized tooling orchestrator designed to deploy and manage isolated security operations environments. It functions as a workspace manager that provisions pre-configured security images and toolkits within Docker containers to protect host systems from malicious payloads. The platform distinguishes itself by integrating AI security workflow orchestration, allowing AI assistants to discover and trigger security tools through a standardized communication protocol. It further provides remote desktop gateway capabilities, enabling GUI access via X
The product runs security commands inside a segmented container to maintain system safety and isolation.
The sandbox-sdk is a development kit designed for building secure, isolated execution environments on a global edge network. It provides a framework for creating ephemeral, containerized workspaces that allow developers to run untrusted code, manage build tasks, and host automated scripts without compromising host system security. By leveraging a serverless runtime, the platform enables the deployment of these environments directly at the network edge to ensure low-latency performance. The platform distinguishes itself by integrating language models with sandboxed execution, facilitating the
Runs automated scripts and long-running computational tasks within secure, isolated containers to maintain system stability.