GitHub Repository

WASM sandbox for untrusted plugins with syscall budgets

3 stars · Rust

Run untrusted WASM plugins with CPU/mem/network/file budgets

by akgitrepos · Feb 25, 2026 · 1 point · 1 comment

AI Analysis

●● Solid · Wizardry · Niche Gem

Deterministic budget enforcement on WASM syscalls—clean threat model, but early-stage tooling.

Strengths
  • Policy-driven syscall budgeting with structured allow/deny logs makes resource exhaustion attacks detectable
  • Comprehensive scope: CPU fuel, wall-clock timeout, memory ceiling, file/network quotas in one runtime
  • Benchmarks included (10ms median overhead) and architecture docs (threat-model.md) show rigor
Weaknesses
  • Appears early-stage: no published releases, minimal examples, and scripts that refer to 'Phase 5', suggesting the project is incomplete
  • App-layer sandbox, not kernel isolation—fundamental limitation for true untrusted code scenarios
Target Audience

Platform teams running plugin systems or multi-tenant workloads with untrusted code

Similar To

WasmEdge · Wasmtime (upstream) · gVisor (for containers)

Similar Projects

Security · ●●● Banger

Pent – A sandbox for AI agents

Domain-allowlist network sandbox for any process—no VM, native Landlock and overlayfs.

Wizardry · Niche Gem
rad_val
203mo ago