Secure Sandbox Execution — Mikoshi AI Turbo

The Need

Why Sandboxing Is Critical

Turbo's verification system requires executing AI-generated code. This is inherently dangerous — the AI might generate code that:

Reads sensitive files from the server
Makes network requests to exfiltrate data
Spawns processes or runs system commands
Enters infinite loops, consuming all CPU
Allocates unbounded memory, crashing the server

The sandbox ensures that none of this is possible. Verification code runs in a completely isolated environment with strict resource limits.

🔐 Defence in Depth

The sandbox implements multiple layers of protection: code analysis before execution, a restricted VM context, resource limits, and timeout enforcement. Even if one layer is bypassed, the others still contain the threat.

Architecture

Sandbox Architecture

📝

AI Code

Verification JavaScript from the LLM

→

🔍

Static Analysis

Check for forbidden patterns

→

⚡

Isolated VM

Strict context, timeout, memory cap

→

📤

Result

Boolean + execution metadata

The red dashed lines represent the security boundary. Code enters the sandbox through a narrow, controlled interface and only a simple result exits. No references to the host environment leak through.

Permissions

Allowed vs Blocked

✅ Allowed Inside Sandbox

🔢 Math operations (arithmetic, trig, etc.)
🔤 String manipulation (split, join, regex)
📋 Array & Object operations
🔁 Loops and conditionals
📐 JSON parse/stringify
⏱️ Date operations
🧮 Pure function definitions

🚫 Blocked Inside Sandbox

📁 File system access (fs, path)
🌐 Network requests (fetch, http, net)
⚙️ Process spawning (child_process)
📦 Module imports (require, import)
🔧 eval() and Function() constructor
🖥️ Global objects (process, global)
⏰ setTimeout / setInterval

Limits

Resource Constraints

Every sandbox execution is constrained by hard limits to prevent resource abuse:

Resource	Description	Limit
⏱️ Execution Time	Maximum time before the script is killed	5,000ms
💾 Memory	Maximum heap allocation	32MB
📏 Code Size	Maximum source code length	10KB
🔄 Stack Depth	Maximum recursion depth	100 frames
📊 Output Size	Maximum return value size	1KB

// The CodeSandbox implementation
class CodeSandbox {
  execute(code, timeoutMs = 5000) {
    // 1. Static analysis — reject dangerous patterns
    if (this.hasForbiddenPatterns(code)) {
      return { passed: false, error: 'Forbidden code pattern' };
    }

    // 2. Create isolated context (no globals)
    const context = {
      Math, JSON, parseInt, parseFloat,
      String, Number, Array, Object, Boolean,
      Date, RegExp, Map, Set, isNaN, isFinite,
      // That's it — nothing else!
    };

    // 3. Execute with timeout
    try {
      const script = new vm.Script(code, { timeout: timeoutMs });
      const result = script.runInNewContext(context);
      return { passed: result === true, output: result };
    } catch (e) {
      return { passed: false, error: e.message };
    }
  }
}
      

Edge Cases

Timeout & Error Handling

The sandbox handles several failure modes gracefully:

Timeout: Scripts exceeding 5 seconds are killed immediately. The candidate is marked as failed with TIMEOUT status
Runtime Error: Exceptions (TypeError, ReferenceError, etc.) cause a fail — the error message is captured for debugging
Non-boolean Return: If the code returns something other than true, it's treated as a failure — there's no ambiguity
Static Analysis Rejection: Code containing forbidden patterns (require, import, fetch, eval) is rejected before execution

// Forbidden pattern detection
const FORBIDDEN = [
  /\brequire\s*\(/,        // Node.js imports
  /\bimport\s+/,           // ES module imports
  /\bfetch\s*\(/,          // Network requests
  /\beval\s*\(/,           // Dynamic code execution
  /\bFunction\s*\(/,       // Function constructor
  /\bprocess\b/,           // Node.js process object
  /\bglobal\b/,            // Global scope access
  /\b__dirname\b/,         // File path access
  /\bchild_process\b/,     // Process spawning
  /\bsetTimeout\b/,        // Async timing
  /\bsetInterval\b/,       // Repeated execution
];
      

⚡ Performance Note

Most verification code executes in under 10ms. The 5-second timeout is generous — if code takes that long, it's almost certainly stuck in an infinite loop or inefficient recursion. Fast execution is itself a signal of good verification code.