Module B7 — Sandboxes and Execution Controls

Sandboxes and Execution Controls

Injection will succeed (ASI07). The agent will be coerced into running code. The sandbox is the layer that decides whether that means a confused log line or a reverse shell on your jump host. The blast-radius principle: assume the sandbox will be escaped, and design so an escaped sandbox still has no credentials and no network.

60
minutes
8
artifacts
3
sub-sections
Course 1 Module 5 taught you how to build a sandbox against an honest agent. B7 teaches you how the sandbox fails under an adversary who controls the agent's inputs — and what execution controls must sit inside and around it to survive that adversary. Four attack vectors (escape, egress, resource exhaustion, sidecar compromise), three deterministic controls (allowlist command gate, resource caps, default-deny egress), and one design philosophy: the value of escape is what you can reach after escaping. Design so the answer is nothing.
Key Claims
Load-Bearing Claims

The sandbox is the last line of defense, and it is software — it will be escaped. The naive goal of 'harden the sandbox so it cannot be escaped' is wrong; the correct goal is the blast-radius principle: assume escape succeeds, and design so an escaped sandbox has no credentials (IronCurtain's fake-key swap) and no network (the namespace's default-deny survives escape). The escape becomes a detected-and-killed anomaly, not an incident.

Four attack vectors define the sandbox threat surface, and default-deny network egress is the most under-applied control. Vector 1 (escape) reaches the host via a provider bug; vector 2 (egress) exfiltrates data, callbacks to a C2, or SSRFs the cloud metadata service; vector 3 (ASI09) weaponizes unbounded resource use to fail-OPEN by OOM-killing the monitor; vector 4 (sidecar) suborns a privileged helper. Operators fixate on the filesystem mis-scope that coughs up the secret and ignore the network that carries it out — default-deny contains the larger class of outcomes.

Execution policies must be allowlists, compiled deterministically, with zero LLM at runtime. Denylists fail on the unbounded space of 'commands you didn't think of.' Per-tool execution scopes close cross-tool command injection. The IronCurtain model compiles plain-English policy to deterministic JSON rules offline (with verify-and-repair) and enforces with pure if/then matching at runtime — security-critical runtime decisions must be deterministic. CrabTrap's LLM-as-judge answers the semantic egress question probabilistically ON TOP of the network-layer default-deny; it does not replace it.

The cloud metadata service (169.254.169.254) is a must-block special case. It hands out instance credentials to anything that reaches it — a sandboxed agent that reaches metadata steals the host's cloud role, far worse than a local secret read. Default-deny blocks it for free; an allowlist that does not list it blocks it for free; an LLM-judge-only model is one prompt injection away from failing to block it. Block the metadata service at the network layer, always.

After This Module
01
Place any sandbox technology on the isolation hierarchy (OS process → container → hardened container (gVisor/Kata) → microVM (Firecracker) → WASM/V8 isolate → full VM) and defend a choice by blast radius, overhead, and escape surface.
02
Name the four attack vectors against an agent sandbox (provider escape, network egress, resource exhaustion/ASI09, sidecar compromise) and apply the control for each.
03
Implement a code-execution policy: allowlist-based command gating with per-tool scopes (and articulate why denylists fail) and deterministic rule compilation (the IronCurtain model), rejecting LLM-at-runtime enforcement for security-critical decisions.
04
Enforce default-deny network egress at the network layer (distinct from CrabTrap's LLM-judge layer) with per-task allowlisting and an always-blocked metadata endpoint, and explain why this is the most under-applied control in shipped agent sandboxes.
05
Operate a sidecar monitor (out-of-band, eBPF/Falco) that watches the sandbox for anomalous behavior across four signal classes (resource, syscall, network, behavioral) and feeds B8's observability pipeline.
06
Apply the blast-radius principle: assume the sandbox will be escaped, and design so an escaped sandbox still has no credentials and no network reachability — the three realizations (credential quarantine, network default-deny, no privileged helpers).
Artifacts
01
Teaching Document
~5,200 words; 3 sub-sections — the sandbox hierarchy and escape threat (4 attack vectors), execution policies and network segmentation (allowlists, deterministic enforcement, default-deny egress), sidecar monitors and the blast-radius principle; with TypeScript policy-enforcer code, anti-patterns, key terms, 13 references
READ
02
Diagrams
5 Mermaid diagrams — the isolation hierarchy (blast radius vs overhead), the four attack vectors mapped to controls, the default-deny egress network-layer model (distinct from CrabTrap), the out-of-band sidecar monitor architecture, the blast-radius principle (escaped sandbox finds nothing)
READ
03
Slide Deck
15 slides — reveal.js, dark theme, design-system teal; covers the Course 1→2B inversion, the hierarchy, the four vectors, allowlists vs denylists, deterministic enforcement, default-deny egress, the sidecar monitor, the blast-radius principle, reference architectures
READ
04
Teaching Script
~35-min verbatim teaching script with [SLIDE N] cues at ~140 wpm; mirrors the 15-slide deck
READ
05
Flashcards
22 flashcards (TSV) — mix of recall and analysis; covers hierarchy, four vectors, allowlist vs denylist, deterministic enforcement, default-deny egress, metadata block, sidecar monitor, blast-radius principle, three reference architectures
TEST
06
Exam
15 exam questions, 20/40/40 Bloom (3 recall / 6 application / 6 analysis); covers all four vectors, allowlist/denylist, deterministic vs LLM-as-judge enforcement, default-deny egress + metadata block, sidecar monitor placement, the blast-radius principle, multi-tenant sandbox design
TEST
07
Lab Spec
Build the Sandbox Policy Enforcer — 6 phases: allowlist command gate with per-tool scopes, cgroup/ulimit resource caps, default-deny egress gate with always-blocked metadata, three-gate enforcer, and a sandbox-escape-attempt demo where the student watches each gate engage. TypeScript, type hints, no GPU, ~60-75 min. Climax: the egress gate denying a network escape attempt.
DO
08
Module Web Page
Single-file HTML hub
HERE