60 minutes · The sandbox is the last line of defense — assume it will be escaped and design so escape does not matter
Injection will succeed (ASI07). The agent will be coerced into running code. The sandbox is what decides whether that means a confused log line or a reverse shell on your jump host.
Pillar 3 — Controls
Course 1 — honest agent
Threat: a misbehaving-but-honest agent. An over-long loop. A mis-scoped write. The sandbox contains accidents.
Course 2B — coerced agent
Threat: an agent under prompt-injection coercion, induced to run attacker-chosen code inside your sandbox. The controls must be stronger, the threat model is adversarial, and the design philosophy inverts.
Every sandbox is software; every sandbox has CVEs; every sandbox will, eventually, be escaped. The value of escape is what you can reach after escaping. Design so the answer is "nothing."
Isolation strength vs. overhead, and the four attack vectors
| Level | Boundary | Escape surface |
|---|---|---|
| OS process | UID/gid + kernel | The whole user account |
| Container (Docker) | namespaces + cgroups | The Linux kernel (CVE-rich) |
| Hardened container | gVisor (userspace kernel) / Kata (lightweight VM) | runsc / hypervisor |
| MicroVM (Firecracker) | stripped KVM hypervisor | small, audited hypervisor |
| WASM / V8 isolate | linear memory + capability exports | the runtime + your exports |
| Full VM | KVM / Hyper-V | hypervisor (rarely the right answer) |
| Vector | What it does | Control |
|---|---|---|
| 1. Escape | Exploit a bug in the provider (V8, kernel, gVisor) to reach the host | Blast-radius principle (assume it) |
| 2. Network egress | Exfiltrate, C2, lateral move, SSRF metadata | Default-deny egress (most under-applied) |
| 3. Resource exhaustion (ASI09) | Run forever, fill disk, OOM, fork-bomb | Hard resource caps (cgroups) |
| 4. Sidecar compromise | Suborn a privileged helper (root installer) | Privilege minimization on helpers |
What code may run, and what the sandbox may reach
curl, then wget, then python -c, then perl, then git clone with a hook. The space of "things that fetch a URL or run code" is unbounded.
ls, cat, grep, git status, pytest. The attacker's job becomes: make an allowed command do harm (argument injection) — a bounded, auditable surface.
The stronger pattern: per-tool execution scopes. The run_tests tool may invoke pytest; the install_deps tool may not. The sandbox enforces "command matches the calling tool's scope" before exec.
SANDBOX network namespace
│ default state: DENY ALL
▼
EGRESS GATE (network-layer: iptables / proxy / microVM NIC)
│
├─ 169.254.169.254 → ALWAYS BLOCKED (hands out cloud creds)
├─ public internet → default blocked
│
└─ per-task allowlist:
web_search → search.example-corp.net
fetch_docs → docs.spec.host
install_deps → validating registry ONLY
Detection, and the design discipline that makes escape survivable
A process that observes the sandbox from outside its trust boundary — the contained code cannot reach it to disable it. It detects; the controls in B7.2 prevent.
| Signal class | What it catches |
|---|---|
| Resource | CPU/mem/disk/proc spikes → ASI09 or escape in progress |
| Syscall (eBPF, seccomp, gVisor log) | grep issuing socket()+connect()+fork() |
| Network | Denied-connection bursts → C2 attempt signature |
| Behavioral | git invoked from inside the pytest tool |
| Project | Contribution to B7 |
|---|---|
| OpenShell (DD-09, NemoClaw) | The reference sandbox: the agent never touches the sandbox directly — execution goes through the governed API. |
| CrabTrap (DD-19, Brex) | LLM-as-judge egress proxy. The semantic egress layer; complements (does not replace) network-layer default-deny. |
| IronCurtain (DD-20, Provos) | Deterministic enforcement + credential quarantine. The reference defense architecture: zero LLM at runtime, agent never holds real keys. |
Lab (07): build the Sandbox Policy Enforcer — (a) allowlist command gate with per-tool scopes, (b) cgroup-enforced resource caps, (c) default-deny egress gate with per-task allowlisting. Then attempt to reach the network from inside and watch the gate deny it.