Originally published in Minoan Security’s Blog

SideKernel now has a working CLI that boots a microVM on top of a stripped-down Kata Containers Linux kernel. So I'm now continuing development inside it; which also helps me hit obstacles and fix them as I go.

More excitingly, Porter (minoansecurity/porter) is now integrated into SideKernel. It detects newly opened ports inside the sandbox and automatically forwards them to the host, so they just show up on localhost!

Porter is a dependency-free Rust crate that detects open ports on macOS and Linux machines. SideKernel needed a crate for port detection inside the microVM sandbox, so that ports get automatically exposed to the host and the experience stays as transparent as possible for the end user. It had to be embeddable in Rust applications and dependency-free for a reduced attack surface.

The VMM orchestration is all written in Swift, but all other system components are being written in Rust.

For example, a Rust PID-1 agent in the initramfs is the VM’s first process: it mounts the root filesystem, then runs a vsock server that the host drives to exec commands, allocate PTYs, and stream stdio. It’s also what detects and forwards new ports.

Finally, a virtioFS mount maps the host’s working directory into the sandbox, so changes flow bidirectionally between host and VM, which makes file-sharing easy.

I’m aspiring to keep the whole software zero or low dependency, to keep the attack surface low and the supply chain minimal.

Way more exciting feature updates coming in the next weeks, and I think they are features that no other sandbox on the market has implemented, and users need.

Agentic AI security is systems security. Beyond the headlines and the buzzwords, the security fundamentals of AI security are exactly the same ones we’ve built for decades for systems.

What’s new about agents is that they are both the front and back-end, simultaneously. And as such, the trust-boundary that we had between the two collapses. The same system that ingests untrusted input (and more importantly, unstructured input) now also holds the privileges on the system.

Agents can’t be trusted, like a “traditional” backend would. And because they can’t be trusted, they should be treated accordingly.

Prompt injection is a confused deputy attack

A prompt injection, for instance, is the textbook example of a confused deputy: where an agent on the front-end gets manipulated to do actions on the back-end on behalf of a false authority… Several real-world incidents show this (e.g. AWS Bedrock AgentCore’s “Agent God Mode”, Microsoft’s EchoLeak).

Deploying agents securely

So to deploy agents securely, you need to control:

1. The infrastructure they run on

2. Their access

And at last but not least, strip all the assumptions of trust that a big part of the industry today has blindly accepted as normal.

Agents are a matter of systems security (access control is systems security too). And securing the agents is a matter of security architecture.

By the way: at Minoan Security we’re building a secure-deployment package for start-ups and SMBs, with FADP/GDPR in mind.

More soon but in the meantime, if you need to deploy AI agents and aren’t sure how to do it with reasonable guardrails, book an introductory meeting with us. Don’t let them loose in your data and infrastructure!

Originally published in Minoan Security’s Blog

Here’s a question: when you run Claude Code/Codex or other CLI agents, do you run them on your host machine? Or do you isolate it in some sandbox?

I’d bet that for most of you the answer is the former. Not because you do not care about security, but because sandboxes are hard to use.

The past year, the developer tools market has seen an explosion of AI agent sandboxes, many of which have gained popularity but quite paradoxically, limited adoption among everyday developers.

If there are so many solutions (and some of them are great!), then why is almost no one using them?

Or more specifically: “What usability barriers do macOS developers face when using coding agent sandboxes, that hinder their adoption?”

That exactly is the research question I am trying to answer through my MSc practicum at Georgia Tech. And the answer to that is SideKernel, a reasonably secure but usable sandbox.

The goal is to provide strong security guarantees (e.g. kernel isolation, small TCB) while making the sandbox as transparent as possible to the end user. And that’s a hard problem, especially on the closed Apple ecosystem.

Well, I’ll attempt to solve it and build a great product along the way. And I hope to share an interesting thing or two with you in the process.