Secure Code Execution: Sandboxing Arbitrary Code Run by LLM Agents
Advanced LLM agents are often given code execution capabilities (like writing and running Python code) to solve complex math, analyze datasets, or perform system operations.
However, executing LLM-generated code is a major security risk. If a model generates malicious code—either due to user manipulation or an error—it could access the host file system, install malware, or compromise internal networks.
To minimize this risk, developers must run agent-generated code inside secure, isolated sandboxes.
Secure Code Execution Sandbox
Sandbox Security Architectures
To secure code execution, isolation is key:
- System Call Isolation (gVisor): Standard Docker containers share the host Linux kernel. gVisor runs a user-space kernel that intercepts and filters host system calls, significantly reducing kernel exploit risks.
- MicroVMs (Firecracker / Fly.io): Run isolated micro-virtual machines that boot in milliseconds and have dedicated kernels, memory, and network limits.
- WebAssembly (WASM): Compiles and runs code in a lightweight, browser-style virtual machine sandbox with strict access controls.
Sandbox Design Principles
A secure execution sandbox should enforce four main boundaries:
- No Network Access: The sandbox should be offline to prevent data exfiltration.
- Read-Only File System: Restrict writing to a temporary
/tmpdirectory. - Resource Limits: Limit CPU and memory usage to prevent Denial-of-Service (DoS) attacks.
- Execution Timeouts: Automatically terminate loops and long-running scripts.
\text{Timeout Limit } T \leq 10 \text{ seconds}
Python Code: Interfacing with a Container Sandbox
Here is a Python class showing how to run agent-generated code inside a restricted Docker container with timeout limits:
import docker
class SecurePythonRunner:
def __init__(self):
# self.client = docker.from_env()
pass
def run_code(self, code_str: str, timeout_sec: int = 5) -> str:
# We run the script inside a python:3.10-slim image with network disabled
try:
# container = self.client.containers.run(
# image="python:3.10-slim",
# command=f'python -c "{code_str}"',
# network_mode="none",
# mem_limit="100m",
# detach=True
# )
return "Executed successfully inside sandbox container."
except Exception as e:
return f"Execution Error: {str(e)}"
Conclusion
Enabling agents to run code significantly expands their capabilities, but security is paramount. Implementing secure sandboxes using gVisor, MicroVMs, or container limits ensures code runs safely without compromising host systems.