A high-throughput, multi-tenant remote code execution platform engineered in Go. The system securely isolates and evaluates untrusted user scripts (Python 3 and Bash) inside resource-bounded sandbox environments, decoupling synchronous ingestion from heavy containerization workloads using a distributed message broker and an asynchronous worker pool pattern.
The architecture was subjected to rigorous external load generation testing using aggressive traffic burst models via high-performance HTTP loaders (Hey), yielding the following empirical validation metrics:
- High-Throughput Ingestion Gateway: Achieved an absolute edge ingestion processing throughput of 4,303+ requests/second under a sustained parallel saturation load.
- Microscopic Ingress Latency: Preserved a non-blocking gateway responsiveness averaging < 8.6ms per request loop, demonstrating complete mitigation of head-of-line blocking.
- Resilient Denial-of-Service Interception: Successfully caught and terminated 100% of computational infinite-loop attack vectors via rigid 5-second context cancellation ceilings, maintaining full host stability.
- Stable Isolated Execution Lifecycle: Verified a normalized steady-state sandbox compilation, execution, and stream-demultiplexing lifecycle averaging 3.60 seconds under heavy adversarial concurrency.
The platform utilizes a structured producer-consumer topology split across three distinct logical planes to completely insulate the host infrastructure from untrusted code payloads:
```
[hey client / CLI] ──(4,300 req/sec)──► [Go Ingress Gateway] ──(Instant Push)──► [Redis FIFO Queue]
                                               │                                        │
                                      (Responded in 8.6ms)                      (Tasks buffer safely)
                                                                                        │
                                                                                (3 workers pull)
                                                                                        ▼
                                                                                [Docker Sandbox]
                                                                           (Isolated at 3.6s latency)
```
- Ingress Plane: The Go API Gateway exposes a non-blocking ingestion route. It performs basic payload validation, attaches a unique UUID tracking token, pushes the execution task context onto the message broker, and drops the connection with an immediate `202 Accepted` status response.
- Orchestration Plane: An in-memory Redis FIFO queue buffers incoming payloads. A specialized thread-pool of concurrent Go goroutine workers throttles consumption by pulling jobs sequentially using blocking pop primitives, keeping host CPU limits mathematically bounded.
- Execution Plane (The Sandbox): Workers programmatically spin up ephemeral, unprivileged Linux runtimes via the Docker Engine SDK, stream input arrays, capture output, store results back to Redis with a short TTL, and completely purge the container ecosystem.
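The 5-second context cancellation ceiling that the execution plane applies to every pulled task, as an added example written for this README and not the project's own `sandbox/runner.go`: `Runner` is a hypothetical backend signature standing in for the Docker SDK calls, and a task that never terminates is reported as `timeout` rather than occupying the worker.

```go
package main

import (
	"context"
	"time"
)

// ExecTimeout is the per-task context cancellation ceiling described above.
const ExecTimeout = 5 * time.Second

// Runner is a hypothetical sandbox backend. The real one would create and start
// the container and honour ctx so that cancellation tears the container down.
type Runner func(ctx context.Context, script string) (output string, err error)

// Result is what a worker would store back in Redis under the task_id.
type Result struct {
	TaskID string
	Status string // "ok", "timeout" or "error"
	Output string
}

// RunWithCeiling executes one queued task under timeout. A script that never
// terminates is reported as "timeout" instead of occupying the worker forever,
// even if the backend ignores ctx (the buffered channel keeps it from leaking).
func RunWithCeiling(parent context.Context, run Runner, timeout time.Duration, id, script string) Result {
	ctx, cancel := context.WithTimeout(parent, timeout)
	defer cancel()
	ch := make(chan Result, 1)
	go func() {
		out, err := run(ctx, script)
		if err != nil {
			ch <- Result{id, "error", err.Error()}
			return
		}
		ch <- Result{id, "ok", out}
	}()
	select {
	case <-ctx.Done(): // ceiling hit first: stop waiting, discard any late output
		return Result{id, "timeout", ""}
	case r := <-ch:
		if ctx.Err() != nil { // backend returned only because the deadline hit
			return Result{id, "timeout", ""}
		}
		return r
	}
}
```

The worker that stores the `Result` in Redis would also issue the container kill and remove on the `timeout` path so the sandbox does not outlive its task.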
To achieve enterprise-grade isolation and neutralize runtime environment escapes, the system enforces a zero-trust multi-layered defensive boundary at the Linux kernel primitive layer:
| Security Vector | Implementation Detail | Target Defense Point |
|---|---|---|
| Network Air-Gap | Containers initialized with `--network none` topology | Eradicates network attachment, lateral movement, and reverse-shell vectors. |
| Memory Boundaries | Hard-capped at 64MB per execution via Linux cgroups v2 | Halts host memory exhaustion and cascading Out-Of-Memory (OOM) faults. |
| CPU Allocation | Rigid threshold ceiling of 0.5 CPU shares | Eliminates processor thread starvation caused by infinite loops or fork bombs. |
| Kernel Restriction | Active system capability stripping via `CapDrop: ["ALL"]` | Prevents container privilege escalation and host namespace breakouts. |
| Data Ephemerality | Forced deferred cleanup via destructive `ContainerRemove` | Guarantees zero cross-tenant memory leakage or data residue survival. |
The Go management plane is instrumented with native Prometheus client libraries to expose deep runtime telemetry on a dedicated HTTP /metrics endpoint.
```
[Go Worker Daemon Engine] ──(Exposes /metrics)──► [Prometheus Scraper] ──► [Grafana Board]
```
By tracking custom metric aggregates, engineers can query historical performance curves using vector PromQL arithmetic expressions:
- Average Execution Latency Formula: `engine_execution_latency_seconds_sum / engine_execution_latency_seconds_count`
- Failure Resiliency Velocity: Monitors the `engine_sandbox_timeouts_total` and `engine_sandbox_oom_kills_total` counters to instantly flag active adversarial script runs.
- Capacity Management Gauges: Tracks `engine_active_workers_count` to map worker pool utilization factors against active Redis queue depths in real-time.
```
secure-sandbox-engine/
├── main.go              # API Gateway, CLI Entrypoint, and Worker Pool Initializer
├── docker-compose.yml   # Multi-Container Stack (Redis, Prometheus, Grafana)
├── prometheus.yml       # Metric Scraper Ingress Scoping Layout
├── sandbox/
│   └── runner.go        # Core Docker Container Lifecycle Orchestration & Resource Caps
├── queue/
│   └── redis_queue.go   # Redis FIFO Stream Mechanics & Result Context Mapping
└── metrics/
    └── telemetry.go     # Prometheus Histogram, Counter, and Gauge Core Structs
```
- Go 1.21 or higher installed
- Docker Engine and Docker Compose running locally
Clone the repository and spin up the backend caching and telemetry engines:
```bash
git clone https://github.com/kushaagr/secure-sandbox-engine.git
cd secure-sandbox-engine
docker compose up -d
```
Synchronize Go packages and boot the multi-threaded worker daemon:
```bash
go mod tidy
go run main.go
```
Open a secondary terminal workspace and leverage the built-in CLI compiler proxy to run local script files through the engine:
```bash
# Create a dummy payload using a Python script
echo "print('Evaluating inside a secure sandbox environment!')" > test.py
# Submit the script to the background engine
go run main.go test.py
```

Or submit a payload directly over HTTP:

```bash
curl -X POST -d "print('Hello from an HTTP stream entry point!')" http://localhost:2112/api/v1/execute
```

Because the API gateway is completely non-blocking, it will push the script payload to the Redis queue buffer and drop your network thread instantly, returning an asynchronous tracking token within milliseconds:

```json
{"task_id":"stress-1718010542100","status":"queued"}
```
Distributed under the MIT License. See LICENSE for more information.