Skip to content

Use-case page: untrusted code execution as a security primitive #46

Description

@stubbi

Context

"Run any untrusted code with hardware isolation" is the original sandbox job and a strong positioning beat. The market ranks isolation depth Firecracker microVM > gVisor > container; Daytona's default is a container. The CrewAI sandbox-escape CVE story (DIY sandboxes get CVEs) is the cautionary tale.

Deliverable

  • A page: "do not roll your own sandbox, it gets CVEs; self-host hardened Firecracker microVMs."
  • The microVM-by-default wedge stated plainly, with the isolation-depth comparison.
  • Default-deny egress, no silent secret inheritance, per-session kernel.

Links

Done when

  • Page is live with the security framing and the isolation-depth comparison.

Metadata

Metadata

Assignees

No one assigned

    Labels

    copyCopywriting & editingpositioningMessaging, positioning, narrative

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions