Back to Blog

Secure Code Execution: Sandboxing Arbitrary Code Run by LLM Agents

9 min read

Advanced LLM agents are often given code execution capabilities (like writing and running Python code) to solve complex math, analyze datasets, or perform system operations.

However, executing LLM-generated code is a major security risk. If a model generates malicious code—either due to user manipulation or an error—it could access the host file system, install malware, or compromise internal networks.

To minimize this risk, developers must run agent-generated code inside secure, isolated sandboxes.

Secure Code Execution SandboxSecure Code Execution Sandbox

Sandbox Security Architectures

To secure code execution, isolation is key:

  1. System Call Isolation (gVisor): Standard Docker containers share the host Linux kernel. gVisor runs a user-space kernel that intercepts and filters host system calls, significantly reducing kernel exploit risks.
  2. MicroVMs (Firecracker / Fly.io): Run isolated micro-virtual machines that boot in milliseconds and have dedicated kernels, memory, and network limits.
  3. WebAssembly (WASM): Compiles and runs code in a lightweight, browser-style virtual machine sandbox with strict access controls.

Sandbox Design Principles

A secure execution sandbox should enforce four main boundaries:

  • No Network Access: The sandbox should be offline to prevent data exfiltration.
  • Read-Only File System: Restrict writing to a temporary /tmp directory.
  • Resource Limits: Limit CPU and memory usage to prevent Denial-of-Service (DoS) attacks.
  • Execution Timeouts: Automatically terminate loops and long-running scripts.
\text{Timeout Limit } T \leq 10 \text{ seconds}

Python Code: Interfacing with a Container Sandbox

Here is a Python class showing how to run agent-generated code inside a restricted Docker container with timeout limits:

import docker

class SecurePythonRunner:
    def __init__(self):
        # self.client = docker.from_env()
        pass

    def run_code(self, code_str: str, timeout_sec: int = 5) -> str:
        # We run the script inside a python:3.10-slim image with network disabled
        try:
            # container = self.client.containers.run(
            #     image="python:3.10-slim",
            #     command=f'python -c "{code_str}"',
            #     network_mode="none",
            #     mem_limit="100m",
            #     detach=True
            # )
            return "Executed successfully inside sandbox container."
        except Exception as e:
            return f"Execution Error: {str(e)}"

Conclusion

Enabling agents to run code significantly expands their capabilities, but security is paramount. Implementing secure sandboxes using gVisor, MicroVMs, or container limits ensures code runs safely without compromising host systems.