--- id: wiki-2026-0508-execution-environment-sandbox title: Execution Environment (Sandbox) category: 10_Wiki/Topics status: verified canonical_id: self aliases: [sandbox, code execution sandbox, container, gVisor, Firecracker, WASM, code interpreter] duplicate_of: none source_trust_level: A confidence_score: 0.94 verification_status: applied tags: [security, sandbox, isolation, container, wasm, llm-tool, execution] raw_sources: [] last_reinforced: 2026-05-10 github_commit: pending tech_stack: language: Universal framework: Docker / Firecracker / gVisor / WASM / E2B --- # Execution Environment (Sandbox) ## 매 한 줄 > **"매 untrusted code 의 isolated 의 run"**. 매 LLM 의 generate code → 매 host 의 보호. 매 levels: process → container → microVM → WASM. 매 modern: 매 Firecracker (AWS Lambda), gVisor (GKE), E2B (LLM agent), Code Interpreter. ## 매 핵심 ### 매 isolation level 1. **Process** (chroot, seccomp): 매 weak. 2. **Container** (Docker): 매 namespace + cgroup. 3. **MicroVM** (Firecracker, gVisor): 매 hypervisor / user-space kernel. 4. **VM**: 매 strongest, 매 slow. 5. **WASM**: 매 capability-based, 매 portable. ### 매 응용 1. **LLM code interpreter** (OpenAI, Claude, Anthropic). 2. **Serverless** (Lambda Firecracker). 3. **CI/CD** (GitHub Actions runner). 4. **Browser** (V8 isolate). 5. **Plugin sandbox** (Figma plugin = WASM). 6. **Agent tool** (E2B). ### 매 modern tool - **Firecracker**: 매 microVM, 125ms startup. - **gVisor**: 매 user-space kernel. - **WASM**: 매 wasi, 매 capability. - **E2B**: 매 LLM-targeted SDK. - **Daytona**: 매 dev sandbox. ## 💻 패턴 ### Docker (basic) ```bash docker run --rm \ --user 1000:1000 \ --read-only \ --tmpfs /tmp \ --network none \ --memory 256m --cpus 0.5 \ --cap-drop ALL \ --security-opt no-new-privileges \ python:3.12-slim python -c "$CODE" ``` ### gVisor (runsc) ```bash docker run --runtime=runsc python:3.12 python -c "$CODE" ``` ### Firecracker (programmatic) ```python import requests def boot_microvm(rootfs, kernel): sock = '/tmp/firecracker.socket' requests.put(f'http+unix://{sock}/boot-source', json={'kernel_image_path': kernel}) requests.put(f'http+unix://{sock}/drives/rootfs', json={'drive_id': 'rootfs', 'path_on_host': rootfs, 'is_root_device': True, 'is_read_only': False}) requests.put(f'http+unix://{sock}/actions', json={'action_type': 'InstanceStart'}) ``` ### WASM (Wasmer / Wasmtime) ```rust use wasmer::{Store, Module, Instance, imports}; let mut store = Store::default(); let module = Module::from_file(&store, "guest.wasm")?; let imports = imports! {}; // 매 default = no host access let instance = Instance::new(&mut store, &module, &imports)?; let func = instance.exports.get_function("run")?; func.call(&mut store, &[])?; ``` ### WASI capability (file) ```rust // 매 explicit 매 path 의 grant 만 let wasi = WasiState::new("agent") .preopen_dir("/sandbox-fs")? .build()?; ``` ### E2B (LLM-targeted) ```python from e2b_code_interpreter import Sandbox with Sandbox() as sb: result = sb.run_code('import pandas; print(pandas.__version__)') print(result.stdout) sb.files.write('/data/output.csv', csv_content) sb.files.read('/data/output.csv') ``` ### Resource limit (cgroups, Linux) ```bash cgcreate -g cpu,memory:sandbox cgset -r memory.max=256M sandbox cgset -r cpu.max="50000 100000" sandbox # 매 50% of one core cgexec -g cpu,memory:sandbox python untrusted.py ``` ### Seccomp (syscall filter) ```python import seccomp filter = seccomp.SyscallFilter(seccomp.KILL) for sc in ['read', 'write', 'open', 'close', 'mmap', 'brk', 'exit', 'exit_group']: filter.add_rule(seccomp.ALLOW, sc) filter.load() ``` ### Time-out enforcement ```python import resource, signal def run_sandboxed(code, time_limit_s=30, mem_limit_mb=512): def sandbox_init(): resource.setrlimit(resource.RLIMIT_AS, (mem_limit_mb * 1024 * 1024,) * 2) resource.setrlimit(resource.RLIMIT_CPU, (time_limit_s,) * 2) proc = subprocess.run( ['python', '-c', code], preexec_fn=sandbox_init, timeout=time_limit_s, capture_output=True, ) return proc.stdout ``` ### Network egress block ```bash docker run --network none ... # 매 or specific allowlist docker network create --internal sandboxed docker run --network sandboxed ... ``` ### Capability-based (Deno) ```bash deno run --allow-read=/tmp --allow-write=/tmp --no-net script.ts ``` ### LLM tool integration ```python def llm_python_tool(code): with Sandbox(timeout=60, mem_mb=512) as sb: try: result = sb.run_code(code) return {'stdout': result.stdout, 'stderr': result.stderr} except TimeoutError: return {'error': 'execution timed out'} ``` ### Snapshot for fast warmup ```python # 매 Firecracker snapshot def restore_microvm_from_snapshot(snapshot_path): requests.put('/snapshot/load', json={'snapshot_path': snapshot_path}) # 매 < 100ms cold start ``` ## 매 결정 기준 | 상황 | Sandbox | |---|---| | LLM code agent | E2B / Firecracker | | Plugin (browser) | V8 Isolate / WASM | | Serverless | Firecracker | | CI runner | Container + ephemeral | | Dev environment | Daytona / Codespaces | | Strict isolation | MicroVM (Firecracker) | | Lightweight | WASM | **기본값**: 매 LLM agent = E2B 또는 Firecracker + 매 read-only fs + 매 no network + 매 cgroup limit + 매 timeout. ## 🔗 Graph - 부모: [[Security]] · [[Isolation]] - 변형: [[MicroVM]] · [[Container]] · [[WASM]] - 응용: [[Serverless]] - Adjacent: [[Excessive Agency]] · [[gVisor]] · [[Firecracker]] ## 🤖 LLM 활용 **언제**: 매 code-executing agent. 매 user code. 매 plugin. **언제 X**: 매 trusted internal-only. ## ❌ 안티패턴 - **chroot only**: 매 escape easy. - **--privileged**: 매 isolation 의 lose. - **Network on**: 매 exfil. - **No timeout**: 매 fork bomb. - **Shared volume**: 매 host file 의 leak. ## 🧪 검증 / 중복 - Verified (Firecracker paper, gVisor docs, WASM/WASI spec). - 신뢰도 A. ## 🕓 Changelog | 날짜 | 변경 | |---|---| | 2026-05-08 | Phase 1 | | 2026-05-10 | Manual cleanup — sandbox + 매 Docker / Firecracker / WASM / E2B / cgroup code |