Threat Model
Isolation Layers
Attack Surface Analysis
Seccomp Profiles
Jailer Configuration
Network Isolation
Resource Limits
Secrets Management
Hardening Checklist
THREAT MODEL

Adversary: malicious LLM-generated code

Assumptions:
  - Code is UNTRUSTED and potentially malicious
  - Adversary has arbitrary code execution in the guest
  - Adversary knows the sandbox architecture
  - Adversary may attempt multi-stage attacks

Goals:
  - Prevent escape from guest to host
  - Prevent access to other guests' data
  - Prevent persistent compromise
  - Prevent resource exhaustion (DoS)
  - Prevent data exfiltration
ATTACK SCENARIOS

1. GUEST-TO-HOST ESCAPE
   Attack vector:
     - Exploit a bug in the Firecracker VMM
     - Exploit a bug in virtio device emulation
     - Exploit a KVM vulnerability
   Mitigations:
     - Firecracker is written in Rust (memory safety for the VMM's own code)
     - Minimal device model (small attack surface)
     - Seccomp filtering of the VMM process
     - Jailer drops privileges (chroot, unprivileged uid/gid, PID and network namespaces)
     - Regular security updates (Firecracker, host kernel, CPU microcode)

2. LATERAL MOVEMENT (guest-to-guest)
   Attack vector:
     - Side-channel attacks (Spectre, Meltdown)
     - Shared-resource timing attacks
     - Covert channels via cache/memory
   Mitigations:
     - Each job runs in a separate VM (full isolation)
     - VMs are destroyed after execution
     - No shared state between executions
     - CPU microcode patches and host kernel mitigations
     - Single vCPU with SMT disabled, pinned with cpuset (see Jailer Configuration)

3. DATA EXFILTRATION
   Attack vector:
     - Network access to external servers
     - DNS tunneling
     - Covert timing channels
     - Large stdout/stderr output
   Mitigations:
     - No network interface by default
     - Output size limits
     - Execution time limits
     - No persistent storage
   Caveat: stdout and execution time are channels the caller needs, so they
   cannot be closed; the limits bound their bandwidth (at most 1 MiB per
   job, at most one job per timeout), they do not eliminate them.

4. DENIAL OF SERVICE
   Attack vector:
     - CPU exhaustion (infinite loops)
     - Memory exhaustion (allocation bombs)
     - Disk exhaustion (write loops)
     - Fork bombs
   Mitigations:
     - Hard execution timeout
     - Memory limit (512 MiB)
     - Disk is tmpfs (limited size)
     - fork/clone denied to the interpreter by the guest-runner seccomp filter
       (the host-side pids.max cgroup bounds Firecracker's own threads, not
       processes inside the guest)
     - Rate limiting at the control plane

5. CRYPTOMINING / RESOURCE ABUSE
   Attack vector:
     - Use the allocated CPU for mining
     - Long-running background processes
   Mitigations:
     - Short execution timeout (10 s default)
     - VM destroyed after each job
     - No network (cannot submit mining results)
     - CPU accounting/billing
ISOLATION LAYERS (top = closest to the untrusted code)

Layer 5: APPLICATION SANDBOX
  - Temp directory per execution
  - Limited file system access
  - No access to guest-runner internals
  - Process killed after timeout
    |
    v
Layer 4: GUEST USERSPACE
  - Minimal rootfs (no extra tools)
  - No setuid binaries
  - No sudo/su
  - Read-only rootfs (optional)
    |
    v
Layer 3: GUEST KERNEL
  - Minimal kernel config
  - No kernel module loading
  - No network stack (optional)
  - Hardened kernel options
    |
    v
Layer 2: FIRECRACKER VMM
  - Rust (memory safety)
  - Minimal device model
  - Seccomp-bpf filtering
  - No legacy devices
    |
    v
Layer 1: JAILER
  - chroot isolation
  - Unprivileged uid/gid (nobody), dropped capabilities
  - PID and network namespaces
  - Cgroup resource limits
    |
    v
Layer 0: KVM / HARDWARE
  - Hardware virtualization (VT-x / AMD-V)
  - EPT/NPT second-level address translation (guest physical memory isolation)
  - Separate address spaces
  - Privileged instruction trapping
Firecracker Attack Surface

ATTACK SURFACE

GUEST -> VMM interfaces (qualitative ratings used by this design):

  Interface          Attack surface   Risk level
  -----------------  ---------------  ----------
  virtio-blk         Low              Medium
  virtio-net         Medium           High
  virtio-vsock       Low              Low
  Serial console     Very low         Low
  RTC                Very low         Very low
  KVM (VM exits      High             Critical
  handled in-kernel)

Recommendation:
  - Disable virtio-net if not needed (we do this)
  - Minimize virtio-blk operations
  - Use a read-only rootfs where possible

HOST -> VMM interfaces:

  Interface          Attack surface   Risk level
  -----------------  ---------------  ----------
  API socket         Low              Medium
  vsock UDS          Low              Low
  File paths         Medium           Medium

Recommendation:
  - API socket accessible only by the host-agent
  - Validate all file paths (kernel, rootfs, config) before they reach the jail
  - Use the jailer chroot
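The two host-side recommendations above (restrict what reaches the jail, validate file paths) are the host-agent's job. The following is an added example, not code from this project, of the checks a host-agent would run before invoking the jailer: the instance id is held to the jailer's documented rule (alphanumerics and hyphens, at most 64 characters), the chroot path is derived the way the jailer derives it (chroot-base/exec-file-name/id/root), and any path taken from the VM config is resolved relative to the jail root with parent-directory components rejected. The sample id and paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// instanceIDRe encodes the jailer's documented id rule (alphanumerics and
// hyphens, at most 64 characters). Rejecting anything else up front keeps
// shell metacharacters and path separators out of --id and the jail path.
var instanceIDRe = regexp.MustCompile(`^[A-Za-z0-9-]{1,64}$`)

func ValidateInstanceID(id string) error {
	if !instanceIDRe.MatchString(id) {
		return fmt.Errorf("invalid instance id %q", id)
	}
	return nil
}

// JailRoot is the chroot the jailer builds: <chroot-base-dir>/<exec-file name>/<id>/root.
func JailRoot(chrootBase, execFile, id string) string {
	return filepath.Join(chrootBase, filepath.Base(execFile), id, "root")
}

// ResolveInJail maps a jail-relative path from the VM config (kernel image,
// drive path_on_host, ...) to the host location the host-agent must populate.
// Paths are always interpreted relative to the jail root, so "/kernel.bin"
// and "kernel.bin" name the same file and no host file can be named; any ".."
// component is rejected outright rather than silently clamped. Symlinks are
// deliberately not followed: the host-agent owns the jail directory and must
// never create them.
func ResolveInJail(jailRoot, jailPath string) (string, error) {
	for _, part := range strings.Split(filepath.ToSlash(jailPath), "/") {
		if part == ".." {
			return "", fmt.Errorf("path %q escapes the jail root", jailPath)
		}
	}
	root := filepath.Clean(jailRoot)
	host := filepath.Join(root, filepath.Clean("/"+jailPath))
	// Defence in depth: the result must still be inside root after cleaning.
	rel, err := filepath.Rel(root, host)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes the jail root", jailPath)
	}
	return host, nil
}

func main() {
	id := "vm-0f3b2c1e-5d4a-4b8c-9e7f-1a2b3c4d5e6f" // constructed example id
	if err := ValidateInstanceID(id); err != nil {
		panic(err)
	}
	root := JailRoot("/srv/jailer", "/usr/local/bin/firecracker", id)
	for _, p := range []string{"/kernel.bin", "rootfs.ext4", "../../etc/shadow"} {
		host, err := ResolveInJail(root, p)
		fmt.Printf("%-20s -> %s %v\n", p, host, err)
	}
}
```

Run the checks before `mkdir -p` of the jail and before writing config.json; a rejected id or path should fail the job at the control plane rather than reach a shell command line.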
Comparison: Firecracker vs Containers

FIRECRACKER vs CONTAINERS

  Aspect                   Firecracker              Containers
  -----------------------  -----------------------  ------------------------
  Kernel                   Separate guest kernel    Shared with host
  Host syscalls reachable  ~50 (VMM under seccomp)  ~300+ (direct from code)
  Device drivers           VMM only                 All host drivers
  Memory isolation         Hardware (EPT/NPT)       Software (kernel)
  Escape complexity        Very high                Medium
  Kernel CVE impact        That guest only          All containers on the host
  Startup time             ~150 ms                  ~50 ms
  Memory overhead          ~5 MiB per VMM           ~0 (shared)

Verdict: Firecracker provides stronger isolation at the cost of slightly
higher resource usage and latency. For untrusted code execution, this
tradeoff is worthwhile.
Firecracker Seccomp (Default)

FIRECRACKER SECCOMP

Allowed syscalls (~50):
  File I/O:        read, write, close, fstat, lseek, pread64, pwrite64,
                   readv, writev, fsync, fdatasync
  Memory:          mmap, mprotect, munmap, brk, mremap
  Process:         exit, exit_group, rt_sigaction, rt_sigprocmask,
                   rt_sigreturn, getpid, gettid
  Synchronization: futex, nanosleep, clock_gettime, clock_nanosleep
  Event/Timer:     epoll_create1, epoll_ctl, epoll_wait, epoll_pwait,
                   eventfd2, timerfd_create, timerfd_settime
  Socket (API):    socket, bind, listen, accept4, recvfrom, sendto
  KVM:             ioctl (argument-filtered to the KVM_* requests Firecracker uses)
  Misc:            fcntl, dup, pipe2, getrandom

Blocked (high risk):
  Process creation: fork, clone, execve, vfork
  Privilege:        setuid, setgid, capset, personality
  Mount:            mount, umount2, pivot_root, chroot
  Modules:          init_module, delete_module, finit_module
  Debug:            ptrace, process_vm_readv, process_vm_writev
  Network config:   socket(AF_NETLINK), sethostname
  Namespaces:       unshare, setns
  Keyring:          keyctl, add_key, request_key

Action on violation: SCMP_ACT_TRAP (SIGSYS, which terminates the VMM process
because no handler is installed)
Custom Seccomp for Guest-Runner
// Additional seccomp filter for the guest-runner (inside the VM).
// Applied in the child after fork(), immediately before execve() of the
// interpreter. The allowlist below is illustrative: a real interpreter needs
// more syscalls (openat, getdents64, futex, rt_sigaction, ...) and the list
// must be derived by tracing the interpreter on the target rootfs.
#include <seccomp.h>
#include <stddef.h>

static int allow(scmp_filter_ctx ctx, int nr) {
    return seccomp_rule_add(ctx, SCMP_ACT_ALLOW, nr, 0);   // 0 on success
}

int apply_seccomp(void) {
    int rc = -1;
    // Default action: kill the whole process (not just the thread) on any
    // syscall not listed. libseccomp sets PR_SET_NO_NEW_PRIVS before loading,
    // so the filter survives execve() and no setuid binary could regain
    // privileges afterwards.
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
    if (ctx == NULL)
        return -1;

    // Basic I/O
    if (allow(ctx, SCMP_SYS(read))  || allow(ctx, SCMP_SYS(write)) ||
        allow(ctx, SCMP_SYS(close)) || allow(ctx, SCMP_SYS(fstat)) ||
        allow(ctx, SCMP_SYS(lseek)))
        goto out;
    // Memory management
    if (allow(ctx, SCMP_SYS(mmap))   || allow(ctx, SCMP_SYS(mprotect)) ||
        allow(ctx, SCMP_SYS(munmap)) || allow(ctx, SCMP_SYS(brk)))
        goto out;
    // Process exit
    if (allow(ctx, SCMP_SYS(exit)) || allow(ctx, SCMP_SYS(exit_group)))
        goto out;
    // The execve() that starts the interpreter. seccomp cannot allow "exactly
    // one" execve, so it stays allowed; with fork/clone denied the process can
    // only replace itself, and the rootfs contains no setuid binaries.
    if (allow(ctx, SCMP_SYS(execve)))
        goto out;

    // Denied by the default action, listed here for clarity:
    //   fork, vfork, clone              - no new processes
    //   socket, connect                 - no network
    //   ptrace, process_vm_readv/writev - no debugging of other processes
    //   mount, chroot, pivot_root       - no filesystem tricks
    //   setuid, setgid, capset          - no privilege changes

    rc = seccomp_load(ctx);
out:
    seccomp_release(ctx);
    return rc;
}
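What libseccomp emits for a filter like the one above is a classic BPF program that the kernel evaluates against struct seccomp_data on every syscall entry. The following is an added example (not the project's code and not a replacement for the libseccomp filter) that builds that program in pure Go for the same allowlist and evaluates it with a small interpreter that mirrors the kernel's rules, so the jump layout can be checked without installing anything. Opcodes, offsets, AUDIT_ARCH values and SECCOMP_RET values are the kernel's; the syscall numbers are the x86_64 ones. Installing the program (prctl PR_SET_NO_NEW_PRIVS followed by seccomp(SECCOMP_SET_MODE_FILTER)) is Linux-only and is described in a comment rather than performed.

```go
package main

import "fmt"

// Kernel constants: linux/filter.h, linux/seccomp.h, linux/audit.h.
const (
	opLoadW = 0x20 // BPF_LD | BPF_W | BPF_ABS
	opJeqK  = 0x15 // BPF_JMP | BPF_JEQ | BPF_K
	opRetK  = 0x06 // BPF_RET | BPF_K

	offNr   = 0 // offsetof(struct seccomp_data, nr)
	offArch = 4 // offsetof(struct seccomp_data, arch)

	ArchX86_64  = 0xC000003E // AUDIT_ARCH_X86_64
	ArchAarch64 = 0xC00000B7 // AUDIT_ARCH_AARCH64

	RetKillProcess = 0x80000000 // SECCOMP_RET_KILL_PROCESS
	RetAllow       = 0x7fff0000 // SECCOMP_RET_ALLOW
)

// Insn has the layout of struct sock_filter.
type Insn struct {
	Code   uint16
	Jt, Jf uint8
	K      uint32
}

// AllowlistProgram returns a filter that kills the process unless the
// syscall's architecture equals arch and its number is in allowed. Checking
// the architecture first matters: on a multi-arch kernel the same number
// means a different syscall under a different ABI.
// Layout: [0] load arch  [1] jeq arch ? skip : fall through  [2] ret KILL
//         [3] load nr    [4..4+n) jeq nr_i ? ALLOW : next    [4+n] ret KILL
//         [5+n] ret ALLOW
func AllowlistProgram(arch uint32, allowed []uint32) ([]Insn, error) {
	n := len(allowed)
	if n == 0 || n > 255 { // Jt is a byte
		return nil, fmt.Errorf("allowlist must hold 1..255 entries, got %d", n)
	}
	prog := []Insn{
		{Code: opLoadW, K: offArch},
		{Code: opJeqK, Jt: 1, Jf: 0, K: arch},
		{Code: opRetK, K: RetKillProcess},
		{Code: opLoadW, K: offNr},
	}
	for i, nr := range allowed {
		// Jump offsets are relative to the next instruction; ALLOW is the
		// last instruction, n-i slots ahead of this compare.
		prog = append(prog, Insn{Code: opJeqK, Jt: uint8(n - i), Jf: 0, K: nr})
	}
	prog = append(prog,
		Insn{Code: opRetK, K: RetKillProcess},
		Insn{Code: opRetK, K: RetAllow},
	)
	return prog, nil
}

// Evaluate runs the filter the way the kernel does for one syscall entry
// with seccomp_data{nr, arch}. Only the three opcodes used above are needed.
func Evaluate(prog []Insn, arch, nr uint32) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); {
		in := prog[pc]
		switch in.Code {
		case opLoadW:
			switch in.K {
			case offNr:
				acc = nr
			case offArch:
				acc = arch
			default:
				return 0, fmt.Errorf("pc %d: unsupported seccomp_data offset %d", pc, in.K)
			}
			pc++
		case opJeqK:
			if acc == in.K {
				pc += 1 + int(in.Jt)
			} else {
				pc += 1 + int(in.Jf)
			}
		case opRetK:
			return in.K, nil
		default:
			return 0, fmt.Errorf("pc %d: unsupported opcode %#x", pc, in.Code)
		}
	}
	return 0, fmt.Errorf("filter fell off the end")
}

// x86_64 numbers for the allowlist used in the C filter above.
var GuestRunnerAllowlist = []uint32{
	0, 1, 3, 5, 8, // read, write, close, fstat, lseek
	9, 10, 11, 12, // mmap, mprotect, munmap, brk
	60, 231, // exit, exit_group
	59, // execve (the one exec of the interpreter)
}

func main() {
	prog, _ := AllowlistProgram(ArchX86_64, GuestRunnerAllowlist)
	for _, nr := range []uint32{0, 57, 41} { // read, fork, socket
		ret, _ := Evaluate(prog, ArchX86_64, nr)
		fmt.Printf("nr %3d -> %#x\n", nr, ret)
	}
	// To install on Linux: prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), then
	// seccomp(SECCOMP_SET_MODE_FILTER, 0, &sock_fprog{len(prog), &prog[0]}).
}
```

One caveat a Go-based runner runs into: the Go runtime itself needs far more than this list (clone for threads, futex, sigaltstack, ...), so a program this narrow can only be installed in the child between fork and exec, which Go's os/exec does not expose; in practice the filter is applied by a small C shim or by the interpreter itself right after it starts.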
#!/bin/bash
# jailer-setup.sh
set -euo pipefail

# Variables. UID and GID are read-only shell variables in bash (assigning
# them fails), so the jail identity uses its own names.
JAIL_DIR="/srv/jailer"
EXEC_FILE="/usr/local/bin/firecracker"
INSTANCE_ID="vm-$(uuidgen)"      # jailer ids: [A-Za-z0-9-], at most 64 chars
JAIL_UID=65534                    # nobody
JAIL_GID=65534                    # nogroup

# The jailer builds its chroot at <chroot-base-dir>/<exec-file name>/<id>/root.
JAIL_ROOT="${JAIL_DIR}/$(basename "${EXEC_FILE}")/${INSTANCE_ID}/root"
mkdir -p "${JAIL_ROOT}"

# The network namespace must exist before the jailer starts. An empty one
# (lo only) is the no-network default.
ip netns add "fc-net-${INSTANCE_ID}"

# Run with jailer. The cgroup keys below are cgroup v2 names, so select v2
# explicitly. Note that memory.max applies to the whole VMM process; set it
# above mem_size_mib by the VMM's own overhead (a few MiB), otherwise a guest
# that touches all of its RAM gets the VMM OOM-killed.
/usr/local/bin/jailer \
  --id "${INSTANCE_ID}" \
  --exec-file "${EXEC_FILE}" \
  --uid "${JAIL_UID}" \
  --gid "${JAIL_GID}" \
  --chroot-base-dir "${JAIL_DIR}" \
  --netns "/var/run/netns/fc-net-${INSTANCE_ID}" \
  --daemonize \
  --new-pid-ns \
  --cgroup-version 2 \
  --cgroup cpuset.cpus=0 \
  --cgroup cpuset.mems=0 \
  --cgroup "cpu.max=100000 100000" \
  --cgroup memory.max=536870912 \
  --cgroup pids.max=100 \
  -- \
  --config-file /config.json

# Jail directory structure after the jailer runs. The jailer creates the
# device nodes and the firecracker binary; kernel, rootfs and config must be
# placed inside the chroot by the host-agent beforehand (paths in config.json
# are relative to the jail root).
#
# /srv/jailer/firecracker/vm-xxx/root/
# ├── dev/
# │   ├── kvm               (device node created by the jailer)
# │   ├── net/tun           (device node created by the jailer)
# │   └── urandom           (device node created by the jailer)
# ├── firecracker           (hard link or copy of /usr/local/bin/firecracker)
# ├── kernel.bin            (placed by the host-agent, hard link)
# ├── rootfs.ext4           (placed by the host-agent, hard link or copy-on-write copy)
# ├── config.json           (placed by the host-agent)
# └── run/
#     └── firecracker.socket   (API socket)
JAILER SECURITY

1. CHROOT ISOLATION
   - Firecracker sees only its jail directory
   - Cannot access /etc, /home, or other host paths
   - Minimal /dev with only the required device nodes (kvm, net/tun, urandom)
   - No /proc or /sys inside the jail

2. USER/GROUP MAPPING
   --uid 65534 (nobody)
   --gid 65534 (nogroup)

   Even if Firecracker is compromised, the attacker holds an unprivileged
   uid with no capabilities, confined to the jail directory. What remains
   reachable is /dev/kvm and the jail's own files, which is why the host
   kernel and KVM must be kept patched as well.

3. CGROUP LIMITS
   cpu.max = "100000 100000"
     -> quota of 100000 us per 100000 us period: at most 100% of one CPU

   memory.max = 536870912 (512 MiB)
     -> hard limit on the whole VMM process (guest RAM plus VMM overhead);
        OOM kill if exceeded. Leave headroom above mem_size_mib for the
        VMM's own few MiB, or a guest using all its RAM kills the VMM.

   pids.max = 100
     -> caps the VMM's host-side threads and processes. Guest processes are
        scheduled by the guest kernel on the vCPU thread and are not counted
        here; fork bombs inside the guest are contained by the guest-runner
        seccomp filter and by the guest's 512 MiB of memory.

   cpuset.cpus = "0"
     -> pin to a specific CPU (cache isolation from other tenants). The value
        must be assigned per instance; pinning every VM to CPU 0 would put
        all tenants on the same core and serialize them.

4. NETWORK NAMESPACE
   --netns /var/run/netns/fc-net-xxx

   Isolates the network stack. For no-network mode, create an empty
   namespace with no interfaces other than lo before launching:
     ip netns add fc-net-xxx

5. PID NAMESPACE
   --new-pid-ns

   Firecracker runs as PID 1 of a fresh PID namespace and cannot see or
   signal other host processes.
No-Network Configuration (Default)

NETWORK ISOLATION

Default: NO NETWORK
  - No virtio-net device attached
  - Guest has no network interfaces (except lo)
  - No IP address, no routing
  - DNS resolution fails
  - Cannot connect to external servers

Guest /etc/hosts (minimal):
  127.0.0.1 localhost

Why no network?
  - Prevents C2 (command and control) communication
  - Prevents data exfiltration
  - Prevents cryptocurrency mining submission
  - Prevents attack amplification (DDoS)
  - Prevents lateral movement
  - Reduces attack surface (no virtio-net)

Communication channel:
  Only vsock (host-controlled, no external access)

    Host <---- vsock ----> Guest
     ^
     |
     +-- Control plane (API, rate limiting, auth)
Optional: Limited Network (if needed)
# Only if network access is required (e.g., package downloads).
# Restrict with a host-side firewall: egress to an allowlist, no ingress.
# Firecracker's virtio-net backend is a tap device, so the tap must be created
# inside the namespace and bridged to veth-guest (not shown). Use a distinct
# /30 and veth name per instance; the values below are for one instance.
ID=${ID:?instance id}

# Network namespace with a veth pair into the host
ip netns add "fc-net-${ID}"
ip link add "veth-h-${ID}" type veth peer name veth-guest
ip link set veth-guest netns "fc-net-${ID}"

# Addresses, links up, default route, forwarding
ip addr add 172.16.0.1/30 dev "veth-h-${ID}"
ip link set "veth-h-${ID}" up
ip netns exec "fc-net-${ID}" ip addr add 172.16.0.2/30 dev veth-guest
ip netns exec "fc-net-${ID}" ip link set veth-guest up
ip netns exec "fc-net-${ID}" ip route add default via 172.16.0.1
sysctl -w net.ipv4.ip_forward=1

# NAT for outbound
iptables -t nat -A POSTROUTING -s 172.16.0.0/30 -j MASQUERADE

# Block all NEW inbound connections to the guest (replies still flow)
iptables -A FORWARD -d 172.16.0.0/30 -m conntrack --ctstate NEW -j DROP

# Allow only specific outbound destinations (e.g., PyPI). A hostname here is
# resolved once, when the rule is inserted, so the rule breaks or over-matches
# when the destination's addresses change; prefer an ipset or an egress proxy.
# DNS (udp/53) is also blocked by the final rule unless explicitly allowed.
iptables -A FORWARD -s 172.16.0.0/30 -d pypi.org -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/30 -j DROP   # everything else
RESOURCE LIMITS

VM configuration (machine-config):
  vcpu_count: 1         # single vCPU
  mem_size_mib: 512     # 512 MiB RAM
  smt: false            # no SMT/hyperthreading (this field was named ht_enabled before Firecracker 1.0)

Execution limits:
  Timeout: 10 seconds (configurable, 60 s ceiling)
  Max stdout: 1 MiB
  Max stderr: 1 MiB
  Max code size: 64 KiB

Cgroup limits (via jailer, cgroup v2 names):
  cpu.max: "100000 100000"    # 100% of one CPU
  memory.max: 536870912       # 512 MiB for the VMM process; see Jailer Security on headroom for VMM overhead
  memory.swap.max: 0          # no swap
  pids.max: 100               # host-side threads/processes of the VMM
  io.max: "8:0 riops=1000"    # I/O rate limit, keyed by major:minor of the backing device

Rate limiters (Firecracker):
  Block device:
    bandwidth: 100 MiB/s
    ops: 1000 IOPS
  Network (if enabled):
    bandwidth: 10 Mbit/s
    ops: 1000 packets/s
// Timeout enforcement in guest-runner (Cmd.Cancel and Cmd.WaitDelay need Go 1.20+)
import (
	"bytes"
	"context"
	"errors"
	"os/exec"
	"syscall"
	"time"
)

func (e *Executor) Execute(job Job) Result {
	timeout := time.Duration(job.Timeout) * time.Second
	if timeout <= 0 || timeout > 60*time.Second {
		timeout = 10 * time.Second // default; also the fallback when a job asks for more than the 60 s ceiling
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()

	cmd := exec.CommandContext(ctx, interpreter, scriptPath)
	// Run the interpreter in its own process group so the whole tree can be
	// killed at once; CommandContext alone only signals the direct child.
	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
	cmd.Cancel = func() error {
		return syscall.Kill(-cmd.Process.Pid, syscall.SIGKILL)
	}
	// Do not let orphaned grandchildren that still hold the stdout/stderr
	// pipes keep Wait() blocked past the deadline.
	cmd.WaitDelay = 500 * time.Millisecond

	var stdout, stderr bytes.Buffer // production caps these at 1 MiB each
	cmd.Stdout, cmd.Stderr = &stdout, &stderr

	err := cmd.Run()
	if cmd.Process != nil {
		// Kill the group on every exit path; ESRCH just means nothing is left.
		_ = syscall.Kill(-cmd.Process.Pid, syscall.SIGKILL)
	}
	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
		return Result{ExitCode: 124, Stderr: "Execution timed out"}
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return Result{ExitCode: exitErr.ExitCode(), Stderr: stderr.String()}
	}
	// ...
}
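The Execute fragment above buffers stdout and stderr without bound; the execution limits table caps each at 1 MiB and the submitted code at 64 KiB. The following is an added example, not the project's code, of the writer a runner would hand to cmd.Stdout and cmd.Stderr to enforce those caps, plus the code-size check. The design choice worth noting is that the writer reports the full length on every write: returning an error would stop exec's pipe reader, leave the child blocked on a full pipe until the timeout, and let a careful program probe where the limit is. The 3 MiB input in main is constructed.

```go
package main

import (
	"fmt"
	"io"
	"strings"
)

// Limits from the execution limits table.
const (
	MaxStdout   = 1 << 20  // 1 MiB
	MaxStderr   = 1 << 20  // 1 MiB
	MaxCodeSize = 64 << 10 // 64 KiB
)

// CappedBuffer is an io.Writer that keeps the first Limit bytes and counts
// the rest, so a guest printing gigabytes neither exhausts runner memory nor
// gets an unbounded channel back to the caller.
type CappedBuffer struct {
	Limit   int
	buf     []byte
	Dropped int64
}

func (c *CappedBuffer) Write(p []byte) (int, error) {
	room := c.Limit - len(c.buf)
	if room > len(p) {
		room = len(p)
	}
	if room > 0 {
		c.buf = append(c.buf, p[:room]...)
	}
	c.Dropped += int64(len(p) - room)
	// Report the full length: draining is cheaper than stalling the child,
	// and the timeout stays the single point that ends the job.
	return len(p), nil
}

func (c *CappedBuffer) Bytes() []byte   { return c.buf }
func (c *CappedBuffer) Truncated() bool { return c.Dropped > 0 }

// Render returns the captured text with an explicit truncation marker, so the
// caller can tell "program printed nothing more" from "runner cut it off".
func (c *CappedBuffer) Render() string {
	if !c.Truncated() {
		return string(c.buf)
	}
	return fmt.Sprintf("%s\n[output truncated: %d bytes dropped after %d]", c.buf, c.Dropped, len(c.buf))
}

// ValidateCodeSize enforces the 64 KiB submission limit before anything is
// written into the guest.
func ValidateCodeSize(code []byte) error {
	if len(code) > MaxCodeSize {
		return fmt.Errorf("code is %d bytes, limit is %d", len(code), MaxCodeSize)
	}
	return nil
}

func main() {
	// Constructed input: a guest that prints 3 MiB of 'A'.
	out := &CappedBuffer{Limit: MaxStdout}
	io.Copy(out, strings.NewReader(strings.Repeat("A", 3<<20)))
	fmt.Printf("kept %d bytes, dropped %d, truncated=%v\n", len(out.Bytes()), out.Dropped, out.Truncated())
}
```

In Execute this replaces the two bytes.Buffer values (`cmd.Stdout = &CappedBuffer{Limit: MaxStdout}`), and Render() is what goes into Result.Stderr so the truncation is visible to the caller.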
Ephemeral Secrets Pattern

SECRETS MANAGEMENT

Principle: NO SECRETS IN GUEST

Default state:
  - Guest has no access to host secrets
  - No environment variables with secrets
  - No mounted secret volumes
  - Code executes without credentials

If secrets are needed (future):
  1. Host-agent requests ephemeral credentials from Vault / AWS STS / GCP IAM
  2. Credentials have:
     - Short TTL (shorter than the execution timeout)
     - Minimal permissions
     - Single use where possible
  3. Credentials are injected over vsock (not via environment or file)
  4. Credentials are revoked after execution

Secret flow:

  +----------+     +------------+     +---------------------+
  | Vault    | --> | Host-Agent | --> | Guest (vsock)       |
  |          |     |            |     |                     |
  | TTL=30s  |     | Encrypt    |     | Use immediately     |
  | scope=X  |     | in memory  |     | Clear from memory   |
  +----------+     +------------+     +---------------------+
                         |
                         +--> Revoke after execution
Production Deployment Checklist

HARDENING CHECKLIST

HOST SYSTEM
  [ ] Kernel up to date with security patches
  [ ] Spectre/Meltdown mitigations enabled
  [ ] SELinux/AppArmor configured
  [ ] Firewall configured (no unnecessary ports)
  [ ] SSH hardened (keys only, no root)
  [ ] Audit logging enabled
  [ ] /dev/kvm permissions restricted
  [ ] Host-agent runs as non-root (if possible)

FIRECRACKER
  [ ] Latest Firecracker version
  [ ] Jailer enabled in production
  [ ] Seccomp filtering enabled
  [ ] API socket permissions restricted
  [ ] No virtio-net unless required
  [ ] Rate limiters configured

GUEST
  [ ] Minimal kernel config
  [ ] Minimal rootfs (no extra tools)
  [ ] No setuid binaries
  [ ] Read-only rootfs (if possible)
  [ ] No persistent storage
  [ ] Guest-runner drops privileges

OPERATIONAL
  [ ] VM destroyed after each execution
  [ ] Execution timeout enforced
  [ ] Output size limits enforced
  [ ] Rate limiting at control plane
  [ ] Monitoring and alerting configured
  [ ] Incident response plan documented
  [ ] Regular security audits scheduled

LOGGING & MONITORING
  [ ] All executions logged with trace_id
  [ ] Failed executions alerted
  [ ] Resource usage monitored
  [ ] Anomaly detection enabled
  [ ] Logs shipped to secure storage
  [ ] Log retention policy defined