Commit 3e8ebe6

committed
comparison table
1 parent 724e7db commit 3e8ebe6

1 file changed

+19
-1
lines changed

README.md

Lines changed: 19 additions & 1 deletion
@@ -5,7 +5,7 @@ Lightweight, OS-native sandboxing solution on macOS (`sandbox-exec`) and Linux (
55
## Features
66

77
- agentic code execution (AI agents): with minimal risk of data leaks or system compromise
8-
- secure-by-default dual isolation: Untrusted code runs with strong restrictions - filesystem isolation prevents secret exfiltration (e.g. SSH keys), while network isolation blocks unrestricted outbound access
8+
- secure-by-default dual isolation: Untrusted code runs with strong restrictions - filesystem isolation prevents secret exfiltration (e.g., SSH keys), while network isolation blocks unrestricted outbound access
99
- minimal performance overhead: No containers / VMs required
1010
- blazingly fast startup times: milliseconds
1111
- cross-platform: macOS and Linux support
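Review bot: the only change in this hunk is the comma added after "e.g." in the dual-isolation bullet, which the commit message ("comparison table") does not mention; either split it into its own typo commit or note it in the message so the history stays searchable. While touching that line, the bare hyphen used as a clause break in "strong restrictions - filesystem isolation prevents" would read better as a colon, since the same line already uses "-" as the list marker.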
@@ -100,3 +100,21 @@ await SandboxManager.reset();
100100
| Filesystem - Read | Allowed everywhere | Deny-list only | `denyRead: ["~/.ssh"]` |
101101
| Filesystem - Write | Completely blocked | Allow-list + deny-list | `allowWrite: ["."]` + `denyWrite: []` |
102102
| Unix sockets (Linux) | Creation blocked (seccomp) | Explicit allow | `allowUnixSockets: [...]` |
103+
104+
## Comparison
105+
106+
| Aspect | SandBox (`sandbox-exec`, `bwrap`) | Node.js VM | Bun (Runtime/VM) | microVM (Firecracker, Cloud Hypervisor) | Docker Container |
107+
| --------------------------- | --------------------------------------------------------------------------- | ---------------------------------------------------- | ----------------------------------------------------- | ---------------------------------------------------------------------- | -------------------------------------------------------------- |
108+
| Definition | Sandbox that runs unprivileged processes in restrictive OS kernel sandboxes | Node.js module for isolated V8 JS contexts | JS/TS runtime with JSCore and Node.js-style vm module | Lightweight VMs for secure short-lived workloads with minimal guest OS | Container platform using OS virtualization sharing host kernel |
109+
| Platforms | macOS, Linux | Cross-platform | Cross-platform | Linux host (KVM); flexible guest OS | Linux native; Windows/macOS via layers/VMs |
110+
| Performance Overhead | Minimal; near-native speeds with kernel namespaces/seccomp | Negligible; in-process V8 isolation, minor GC pauses | Low; JSCore optimizations, up to 4x throughput | Moderate; <5% CPU penalty with KVM | Low; 5-10% I/O slowdown vs native |
111+
| Memory Overhead | Extremely low; <1MB per process | Minimal; shared process memory, small heap additions | Low; optimized JSCore memory management | Low; <5MB per microVM with minimal kernel | Moderate; 10-50MB per container |
112+
| Resource Efficiency | High; reuses host resources directly | Efficient for JS; shares CPU/memory, no quotas | Superior to Node.js; better CPU utilization | Strong density; 1000s per server | Excellent sharing; high density with cgroups |
113+
| Startup Time | Near-instant; milliseconds | Instant; sub-millisecond contexts | Fast; microseconds for VM creation | Fast; 100-150ms boot | Quick; 100ms-1s |
114+
| Security for Untrusted Code | Robust kernel isolation; vulnerable to kernel bugs | Inadequate; context escapes possible | Similar to Node.js; V8 vulnerabilities | Excellent hardware isolation | Strong with namespaces; kernel-sharing risks |
115+
| Supported Languages | Any executable on host OS | JS only | JS/TS | Any supported by guest OS | Any via container images |
116+
| Privilege Requirements | Unprivileged; no root needed | Inherits host privileges | Runtime permissions; granular control | Requires root/KVM for hypervisor | Docker needs root; Podman rootless |
117+
| Network Access Control | Fine-grained flags; allow/deny | Limited; no native controls | Permission-based; default deny | Complete isolation with virtual NICs | Advanced namespaces/bridges |
118+
| Filesystem Access Control | Precise bind-mounts/read-only | Weak; shares host FS | Permission-based grants | Full guest FS isolation | Volumes/binds with permissions |
119+
| Limitations | OS-specific; complex profiles | Not secure; JS-only, easy escapes | Immature; shares JS flaws | Hardware-dependent; higher overhead | Kernel-sharing risks; daemon vulns |
120+
| Use Cases | Sandboxing AI scripts/binaries locally | Evaluating AI JS snippets | Running AI JS/TS | Secure untrusted AI code execution in serverless | Containerizing AI agents |
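Review bot: most cells in the Performance Overhead, Memory Overhead and Startup Time rows state specific figures ("<1MB per process", "up to 4x throughput", "<5% CPU penalty", "100-150ms boot", "5-10% I/O slowdown vs native", "microseconds for VM creation") with no source or measurement method; cite where each number comes from or replace it with qualitative wording, because unsupported numbers in a security comparison are the first thing readers will dispute. The Performance Overhead cell for this project ("near-native speeds with kernel namespaces/seccomp") describes only the Linux `bwrap` backend; the macOS `sandbox-exec` backend named in the column header does not use namespaces or seccomp, so qualify that cell per platform the way the Platforms row already does. The Bun column's "Runtime permissions; granular control" and "Permission-based; default deny" cells likewise need a reference to the Bun feature they describe. Minor: in the Docker Definition cell, "OS virtualization" should be "OS-level virtualization".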
