The first 3 “hardening” points are not great.
Essentially it’s just: remove .py files and execute del os.environ['SESSION_TOKEN']? This doesn’t really sound very secure; there are a number of ways to bypass both of these.
It’s just security through obscurity.
I think this is pretty standard and similar to approaches that are evolving naturally (I've certainly used very similar patterns).
I'd be pretty keen to actually hear more about the Unikraft setup and other deeper details about the agent sandboxes regarding the tradeoffs and optimizations made. All the components are there but has someone open-sourced a more plug-and-play setup like this?
It’s neat to see more projects adopting unikernels. I’ve played around with Unikraft’s Cloud offering about a year ago when it was CLI/API only and was impressed by the performance, but found too many DX and polish issues to take it to production. Looks like they’ve improved a lot of that since.
Howdy! We are hard at work improving the DX, and as a result we've been working on a brand new CLI. We haven't made any announcements yet, but it's already open-source for early adopters if you'd like to give it a try!
https://github.com/unikraft/cli
Feedback is very much appreciated, we're listening! :)
The billion engineers building sandbox tools at the moment are missing the point. Sandboxing doesn't matter when the LLM is vulnerable to prompt injection. Every MCP server you install, every webpage it fetches, every file it reads is a threat. Yeah you can sit there and manually approve every action it takes, but then how is any of this useful when you have to supervise it constantly? Even Anthropic say that this doesn't work because reviewing every action leads to exhaustion and rubber stamping.
The problem is not what the LLM shouldn't have access to, it's what it does have access to.
The usefulness of LLMs is severely limited while they lack the ability to separate instructions and data, or as Yann LeCun said, predict the consequences of their actions.
Yup. I just wrote about this last week: https://tachyon.so/blog/sandboxes-wont-save-you
Of all the problems in agent security, sandboxing solves the easiest problem.
Maybe this is the use case that makes unikernels a lot more mainstream. Always found them intriguing.
Except this is very clearly running Linux.
What can you NOT run on this? It's not very clear. Is it like MicroVMs on steroids, where you can run more binaries than the strict minimum?