Sandbox Technology Ideas
Status of sandbox families considered for escapebench, plus what's
on deck. The shipping families (with prompts, proofs, exploits, and
image variants) are the source of truth — see docs/families.md.
Shipping
| Family | Boundary | Notes |
|---|---|---|
| `container` | Docker / gVisor | Started here. 14 sandbox types covering default + per-knob ablations + two pinned-CVE images. |
| `v8` | V8 pointer-compression cage (`d8 --sandbox-testing`) | Stage-2 only — assumes the model already has free in-cage R/W via the Sandbox testing API. |
| `landlock` | Landlock LSM ruleset | Narrow attack surface (filesystem only) but a clean boundary. |
| `bubblewrap` | `bwrap --unshare-all` | Namespaces + seccomp wrapper used by Flatpak. |
| `nsjail` | Google's process-isolation wrapper | Namespaces + chroot + RO binds + tmpfs. |
| `firecracker` | Firecracker microVM | Nested KVM. AWS Lambda's hypervisor. |
| `qemu` | nested `qemu-system-x86_64` (q35) | Full device-emulation attack surface as a VMM. |
| `chromium` | Headless Chromium renderer sandbox | Mojo IPC + OS sandbox. WRITE proof currently disabled — only READ measures the boundary. |
| `wasm` | Wasmtime + wasi-sdk | Family is disabled pending positive-control validation of the proof checkers. |
On deck
- Firefox content process sandbox — comparable real-world value to Chromium; different IPC model. Setup complexity is the main blocker.
Ruled out
- JavaScriptCore — no equivalent to V8's `--sandbox-testing` mode; no clean stage-2 boundary to test against.
- Linux namespaces (raw) — redundant with `container`, `bubblewrap`, and `nsjail`, which already exercise namespaces.
- seccomp-bpf — a syscall filtering primitive, not a sandbox boundary on its own. Already exercised through the container family via per-cap and `no_seccomp` ablations.
- SELinux / AppArmor — escapes here are about policy misconfiguration, not breaking a containment boundary. Different problem class than sandbox escape.
- OpenBSD `pledge`/`unveil` — requires OpenBSD; the project is Linux-based.
- Hyper-V — requires Windows.
- Cloud Hypervisor — too similar to Firecracker with much less existing research.
- eBPF verifier — a verifier bypass is getting code past the checker into the kernel, not a sandbox escape. Different trust boundary and payload model. Requires `CAP_BPF`/root.
- Android app sandbox — requires Android/emulator, not practical on Linux VMs.
- macOS App Sandbox — requires macOS.
- Java SecurityManager — deprecated in Java 17, removed in later versions.