
Comment by 0xbadcafebee

1 day ago

A VM is table stakes for isolation. Nothing OS-level is going to prevent breaking out; the attack surface is too big and none of the common OSes are hardened enough. But also missing here is the firewall, which you need to prevent both data exfil and remote code execution from prompt injection. And the final part that's missing is segregating all credentials from the agent's execution environment, which I don't think there's any existing solution for yet. Likely this will be either MCPs, or transparent proxies with policy engines that execute requests from tool calls.

The final part is a long-solved problem: pass in mock tokens, pass all requests through a proxy, and only swap in the real tokens if the request matches whatever filtering requirements you have.
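The mock-token proxy described above, as an added example (not the commenter's code): the agent only ever holds a placeholder string, and a policy-checking proxy rewrites it to the real secret for requests that match an allow-list. The hostname, methods, path pattern and token values are constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder: this is the only "credential" the agent ever sees.
MOCK_TOKEN = "MOCK_GITHUB_TOKEN"


@dataclass(frozen=True)
class Rule:
    host: str                 # exact hostname the credential may be sent to
    methods: frozenset        # HTTP methods allowed with the credential
    path_re: re.Pattern       # full-match pattern for the URL path


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


class CredentialProxy:
    """Swap the mock token for the real one only when the request matches policy."""

    def __init__(self, real_secrets: dict, rules: list):
        self._secrets = real_secrets   # lives only in the proxy, never in the agent's VM
        self._rules = rules

    def _allowed(self, req: Request) -> bool:
        parts = urlsplit(req.url)
        if parts.scheme != "https":    # never send a real token over plaintext
            return False
        return any(parts.hostname == r.host and req.method in r.methods
                   and r.path_re.fullmatch(parts.path or "/") for r in self._rules)

    def forward(self, req: Request):
        auth = req.headers.get("Authorization", "")
        if MOCK_TOKEN not in auth:
            return ("forward", req)    # no credential involved; pass through unchanged
        if not self._allowed(req):
            return ("reject", "policy: request may not carry a credential")
        headers = dict(req.headers)
        headers["Authorization"] = auth.replace(MOCK_TOKEN, self._secrets[MOCK_TOKEN])
        return ("forward", Request(req.method, req.url, headers))


def default_proxy() -> CredentialProxy:
    # Constructed policy: read-only access to repository endpoints on one API host.
    rule = Rule("api.github.com", frozenset({"GET"}), re.compile(r"/repos/[^/]+/[^/]+(/.*)?"))
    return CredentialProxy({MOCK_TOKEN: "ghp_CONSTRUCTED_REAL_TOKEN"}, [rule])
```

A request that does not match the allow-list is rejected before the real token is ever attached, so a prompt-injected tool call aimed at an unknown host gets only the placeholder.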

  • This is going to be an interesting space to watch, I think, and a big part of offering sandbox as a service, basically, for enterprise and SaaS needs.