Security

Security is a fundamental aspect of AI Computer's design. Our platform provides multiple layers of protection to ensure safe code execution, especially when running untrusted code.

Isolation Mechanisms

Process Isolation

Each sandbox runs in its own isolated container with:

  • Separate process namespace
  • Isolated memory space
  • Controlled system access
  • Resource limitations

Filesystem Isolation

Each sandbox has its own isolated filesystem:

  • Read-only system files
  • Temporary workspace
  • No access to host system
  • Automatic cleanup

Network Security

Network access is restricted by default, so sandboxed code cannot reach systems it was never meant to talk to:

  • No direct access to internal networks
  • Configurable outbound access controls
  • Rate limiting on network requests
  • Blocked access to sensitive ports

# Example: Configuring network access
client = SandboxClient(
    allow_network=True,                  # Enable network access
    allowed_hosts=["api.example.com"],   # Only allow specific hosts
    network_timeout=30                   # Set network timeout (seconds)
)
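The `allowed_hosts` list is only as safe as the entries you put in it. Callers often pass through hostnames from configuration or user input, and a single entry such as `169.254.169.254`, `localhost` or a wildcard quietly turns the allowlist into an open door. The following is an added example, not part of the AI Computer SDK: it validates each entry before it reaches `SandboxClient` and returns keyword arguments in the shape of the options shown above (`allow_network`, `allowed_hosts`, `network_timeout`; the ceiling of 300 seconds and the rejected name suffixes are this example's own choices). It also generalises beyond the page's single host: IP literals are accepted only when globally routable, and names under `localhost`, `.local` and `.internal` are refused. Note that a hostname allowlist says nothing about what a name resolves to at request time, so the platform's own blocking of internal networks remains the real control; this check is defence in depth on the caller side.

```python
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no hyphen at either end (RFC 1123).
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Top-level labels that name the local machine or a cloud-internal namespace
# ('localhost' per RFC 6761, '.local' per RFC 6762, '.internal' as used by
# cloud metadata services). Choice of this example; extend for your environment.
_DENIED_TLDS = {"localhost", "local", "internal"}


def _is_internal_ip(ip) -> bool:
    """True for any literal a sandbox must not reach directly: loopback,
    private space, link-local (which covers the 169.254.169.254 metadata
    endpoint), multicast, reserved and unspecified addresses."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_allowed_host(host: str) -> str:
    """Normalise one allowlist entry (lowercase, no trailing dot) or raise ValueError."""
    h = host.strip().lower().rstrip(".")
    if not h or len(h) > 253:
        raise ValueError(f"empty or oversized host: {host!r}")

    # IP literals (v4 or v6) are accepted only when globally routable.
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        ip = None
    if ip is not None:
        if _is_internal_ip(ip):
            raise ValueError(f"internal address not allowed: {host!r}")
        return str(ip)

    if "*" in h:
        raise ValueError(f"wildcards are not allowed: {host!r}")
    if any(c in h for c in "/:@?#"):
        raise ValueError(f"expected a bare hostname, not a URL or host:port: {host!r}")

    labels = h.split(".")
    if len(labels) < 2:
        # A resolver may complete 'intranet' to 'intranet.corp.example' via its search list.
        raise ValueError(f"single-label name rejected (search-domain risk): {host!r}")
    if labels[-1] in _DENIED_TLDS:
        raise ValueError(f"name points at a local or internal namespace: {host!r}")
    if not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid hostname: {host!r}")
    return h


def is_rejected(host: str) -> bool:
    """Yes/no form of validate_allowed_host for callers that prefer a flag to an exception."""
    try:
        validate_allowed_host(host)
    except ValueError:
        return True
    return False


def build_network_kwargs(allowed_hosts, timeout: int = 30) -> dict:
    """Keyword arguments in the shape of the SandboxClient network options above.
    An empty allowlist keeps the network switched off rather than wide open."""
    hosts = sorted({validate_allowed_host(h) for h in allowed_hosts})
    if not hosts:
        return {"allow_network": False}
    if not 1 <= timeout <= 300:  # ceiling chosen for this example
        raise ValueError("network_timeout must be between 1 and 300 seconds")
    return {"allow_network": True, "allowed_hosts": hosts, "network_timeout": timeout}


if __name__ == "__main__":
    print(build_network_kwargs(["API.Example.com.", "api.example.com"]))
    for bad in ("169.254.169.254", "*.example.com", "localhost", "https://api.example.com/v1"):
        print(bad, "->", "rejected" if is_rejected(bad) else "accepted")
```

Pass the returned dictionary straight into `SandboxClient(**build_network_kwargs(hosts))`; because the function fails closed on an empty list, forgetting to configure hosts yields `allow_network=False` rather than unrestricted egress.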

Resource Controls

Resource usage is strictly controlled to prevent abuse:

Memory Limits

  • Per-sandbox memory caps
  • Bounded impact of memory leaks and runaway allocation
  • Automatic cleanup when a sandbox exceeds its cap

CPU Limits

  • CPU usage quotas
  • Execution time limits
  • Process count restrictions

# Example: Setting resource limits
client = SandboxClient(
    memory_limit="512M",    # 512MB memory limit
    cpu_limit=1,            # Single CPU core
    execution_timeout=60,   # 60 second timeout
    max_processes=5         # Limit to 5 processes
)
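When the values for these limits come from a caller (a job request, a tenant's configuration), they should be treated as requests, not settings: merge them with conservative defaults, clamp them to operator ceilings, and refuse unknown keys so a misspelled `memory_limt` cannot leave a limit unset. The following is an added example, not part of the AI Computer SDK. It uses the parameter names from the snippet above (`memory_limit`, `cpu_limit`, `execution_timeout`, `max_processes`); the default and ceiling values are this example's own, and it reads `M`/`G` suffixes as MiB/GiB in the cgroup convention.

```python
import re

# Defaults applied when a caller says nothing, and hard ceilings a caller can
# never exceed. Both are this example's choices; tune them per deployment.
DEFAULTS = {"memory_limit": "256M", "cpu_limit": 1, "execution_timeout": 30, "max_processes": 5}
CEILINGS = {"memory_bytes": 2 * 1024**3, "cpu_limit": 2, "execution_timeout": 300, "max_processes": 32}

_UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}


def parse_memory(spec) -> int:
    """Parse '512M', '1g', '65536K' or a bare byte count into bytes.
    Anything else (including '0' and 'unlimited') is rejected."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)B?", str(spec).strip().upper())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"bad memory spec: {spec!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def format_memory(n_bytes: int) -> str:
    """Render bytes in the 'NNNM' form used by memory_limit, rounded down to MiB."""
    return f"{max(1, n_bytes // 1024**2)}M"


def build_resource_kwargs(requested=None) -> dict:
    """Merge a caller's requested limits with DEFAULTS and clamp to CEILINGS.
    Returns keyword arguments for SandboxClient; raises ValueError on bad input."""
    req = dict(requested or {})
    unknown = set(req) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown resource keys: {sorted(unknown)}")
    merged = {**DEFAULTS, **req}

    mem = min(parse_memory(merged["memory_limit"]), CEILINGS["memory_bytes"])
    out = {"memory_limit": format_memory(mem)}
    for key in ("cpu_limit", "execution_timeout", "max_processes"):
        val = merged[key]
        # bool is a subclass of int; True would otherwise pass as 1.
        if isinstance(val, bool) or not isinstance(val, int) or val < 1:
            raise ValueError(f"{key} must be a positive integer, got {val!r}")
        out[key] = min(val, CEILINGS[key])
    return out


def rejection_reason(requested) -> str:
    """'' if the request is acceptable, otherwise why it was refused."""
    try:
        build_resource_kwargs(requested)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(build_resource_kwargs())
    print(build_resource_kwargs({"memory_limit": "8G", "execution_timeout": 9999}))
    print(rejection_reason({"memory_limt": "1G"}))
```

The clamped result is what actually reaches `SandboxClient(**build_resource_kwargs(request))`; a request for 8 GiB and a 9999-second timeout is silently reduced to the 2 GiB / 300-second ceilings, while a typo or a zero is refused outright.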

Best Practices

Code Execution

  • Treat all submitted code as hostile: validate what you can up front (size, encoding, language), but rely on the sandbox's isolation, not on validation, to contain it
  • Always set appropriate resource limits
  • Use timeouts for all operations
  • Implement proper error handling

Data Handling

  • Don't store sensitive data in sandboxes
  • Clean up temporary files after use
  • Validate and sanitize all inputs
  • Use secure methods for data transfer

Example: Secure Code Execution

import asyncio
from ai_computer import SandboxClient

MAX_CODE_LENGTH = 10000  # Reject oversized submissions before a sandbox is created


async def execute_untrusted_code(code: str):
    # Validate cheaply before allocating any sandbox resources
    if len(code) > MAX_CODE_LENGTH:
        raise ValueError("Code too long")

    client = SandboxClient(
        memory_limit="256M",
        cpu_limit=1,
        allow_network=False,   # Disable network access
        execution_timeout=30   # Execution time limit (see Resource Controls)
    )

    await client.setup()

    try:
        # Execute in sandbox
        response = await client.execute_code(code)

        if not response.success:
            print(f"Execution failed: {response.error}")
            return None

        return response.data['output']

    except Exception as e:
        print(f"Error: {str(e)}")
        return None

    finally:
        # Always clean up, whether execution succeeded, failed or raised
        await client.cleanup()


if __name__ == "__main__":
    print(asyncio.run(execute_untrusted_code("print('hello from the sandbox')")))

Security Checklist

  • ✓ Configure Resource Limits: Always set appropriate memory, CPU, and execution time limits.
  • ✓ Validate Input: Check and sanitize all code and data before execution.
  • ✓ Handle Errors: Implement comprehensive error handling for all operations.
  • ✓ Clean Up Resources: Always use try/finally blocks to ensure proper cleanup.
  • ✓ Control Network Access: Restrict network access unless specifically required.
  • ✓ Monitor Usage: Implement logging and monitoring for security events.
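The "Secure Code Execution" example above and the last two checklist items leave two things to the reader: a wall-clock timeout enforced on the caller's side (the sandbox's own `execution_timeout` is the primary control, but the client should not wait forever on a hung connection either) and an audit record of every execution. The following is an added example, not part of the AI Computer SDK. `execute_with_audit` wraps any client exposing the three calls the page's example uses (`setup`, `execute_code`, `cleanup`) in `asyncio.wait_for`, guarantees cleanup on success, failure and timeout, and appends one structured event that records a SHA-256 of the code rather than the code itself. `StubSandboxClient` is a constructed stand-in so the file runs offline; it is not the real `SandboxClient`, and the `behaviour` switch only exists to exercise the three outcomes.

```python
import asyncio
import hashlib
import time

MAX_CODE_BYTES = 10000     # same ceiling as the example above
MAX_LOGGED_OUTPUT = 200    # never copy whole program output into the audit log


class _StubResponse:
    def __init__(self, success, data=None, error=None):
        self.success, self.data, self.error = success, data, error


class StubSandboxClient:
    """Constructed stand-in for SandboxClient (NOT the real client). Mimics only
    setup()/execute_code()/cleanup(); 'behaviour' selects a simulated outcome."""

    def __init__(self, behaviour="ok"):
        self.behaviour = behaviour
        self.cleaned_up = False

    async def setup(self):
        pass

    async def execute_code(self, code):
        if self.behaviour == "hang":
            await asyncio.sleep(3600)  # runaway code that never returns
        if self.behaviour == "fail":
            return _StubResponse(False, error="NameError: name 'x' is not defined")
        return _StubResponse(True, data={"output": f"ran {len(code)} bytes\n"})

    async def cleanup(self):
        self.cleaned_up = True


async def execute_with_audit(client, code: str, timeout: float, audit_log: list) -> dict:
    """Run code under a hard client-side timeout and append one audit event."""
    event = {
        "code_sha256": hashlib.sha256(code.encode()).hexdigest(),  # identifies the submission without storing it
        "code_bytes": len(code.encode()),
        "timeout": timeout,
        "outcome": None,
        "elapsed": None,
    }
    if event["code_bytes"] > MAX_CODE_BYTES:
        event["outcome"] = "rejected_too_large"
        audit_log.append(event)
        return {"ok": False, "reason": "code too large"}

    start = time.monotonic()
    await client.setup()
    try:
        resp = await asyncio.wait_for(client.execute_code(code), timeout=timeout)
        if resp.success:
            event["outcome"] = "success"
            event["output_preview"] = resp.data["output"][:MAX_LOGGED_OUTPUT]
            result = {"ok": True, "output": resp.data["output"]}
        else:
            event["outcome"] = "execution_error"
            event["error"] = resp.error
            result = {"ok": False, "reason": resp.error}
    except asyncio.TimeoutError:
        # wait_for has cancelled the stalled call; record it and fall through to cleanup
        event["outcome"] = "timeout"
        result = {"ok": False, "reason": f"no result within {timeout}s"}
    finally:
        event["elapsed"] = round(time.monotonic() - start, 3)
        audit_log.append(event)
        await client.cleanup()   # runs on success, failure and timeout alike
    return result


def run(behaviour: str, code: str = "print('hi')", timeout: float = 0.2):
    """Drive one execution against the stub and return (result, audit_log, cleaned_up)."""
    log = []
    client = StubSandboxClient(behaviour)
    result = asyncio.run(execute_with_audit(client, code, timeout, log))
    return result, log, client.cleaned_up


if __name__ == "__main__":
    for behaviour in ("ok", "fail", "hang"):
        result, log, cleaned = run(behaviour)
        print(behaviour, result, log[-1]["outcome"], "cleaned_up=%s" % cleaned)
```

With the real client, `run` would construct `SandboxClient(...)` instead of the stub and the `audit_log` list would be replaced by whatever sink your monitoring uses; the point is that the event is written in `finally`, so a timeout or an exception still leaves a record, and that the record carries a hash and a bounded output preview rather than the submitted code.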