Leanpub Header

Skip to main content

Application Sandboxing

Principles, Technologies, and Secure Isolation

This book is 100% completeLast updated on 2026-07-03

Application sandboxing is the foundation of secure modern computing. This book explores the principles, architectures, and technologies behind containers, virtual machines, browser sandboxes, WebAssembly, and more, explaining how they isolate untrusted code, where their security boundaries break down, and how to choose the right approach for real-world systems.

Minimum price

$19.00

$29.00

You pay

Author earns

$

Also available for 1 book credit with a Reader Membership

PDF
EPUB
About

About

About the Book

This book is a comprehensive technical guide to application sandboxing in modern computing. It covers the theory, architecture, implementation, and security models behind every major isolation technology, from Linux namespaces and cgroups through containers, virtual machines, microVMs, WebAssembly, browser sandboxes, and confidential computing. You will learn how each approach works under the hood, what trade-offs it makes in security versus performance versus portability, how attackers bypass these boundaries, and how to select, implement, and harden sandboxing solutions for desktop, server, cloud-native, and embedded environments. Whether you are a systems engineer designing the next generation of secure infrastructure, a security professional hunting for escape vectors, or an application developer who needs to ship code that runs safely in shared environments, this book will give you the technical depth and practical guidance to make informed decisions about isolation.

Share this book

Author

About the Author

Steve T. Publications

Steve T. is a cybersecurity leader, researcher, and engineer with more than 20 years of experience across application security, infrastructure security, vulnerability management, software development, and secure engineering practices. Having built his career alongside the growth of the modern internet, he has worked through multiple generations of technology, evolving security threats, and changing development methodologies.

He is currently part of the advanced research organization at a leading cybersecurity company, where he focuses on emerging threats, security innovation, and the practical application of research. His work involves investigating new attack techniques, evaluating emerging technologies, conducting deep technical analysis, and helping organizations better understand and manage complex security risks.

In addition to his research responsibilities, Steve leads a team of senior engineers and subject matter experts who create technical books, training programs, and educational resources for security professionals. Through this work, he helps engineers, developers, architects, and security practitioners strengthen their skills and build more secure systems.

Steve's technical expertise spans software development, reverse engineering, web application security, penetration testing, security architecture, incident response, vulnerability research, operating system internals, and secure software development. His ability to analyze systems at both the source code and binary levels enables him to bridge the worlds of software engineering, security research, and practical defense.

Over the course of his career, Steve has worked with organizations across a wide range of industries, helping them identify, assess, and remediate security weaknesses in critical applications and infrastructure. He is recognized for combining deep technical expertise with a pragmatic approach to security, focusing on solutions that are effective, sustainable, and aligned with business goals.

Through his work in research, engineering, leadership, and education, Steve continues to contribute to the advancement of cybersecurity and the development of secure, resilient technology systems.

Contents

Table of Contents

Principles, Technologies, and Secure Isolation

Introduction: When Isolation Fails

  1. The Promise of Sandboxing
  2. What This Book Covers
  3. What This Book Does Not Cover
  4. How to Read This Book
  5. A Note on the Evolving Landscape

Chapter 1: Why Sandboxing? — The Threat Model and the Promise of Isolation

  1. The Cost of Unbounded Execution: Real Incidents
  2. Blast Radius and the Defense-in-Depth Philosophy
  3. A Taxonomy of Isolation Mechanisms
  4. What This Book Will (and Won’t) Cover

Chapter 2: The Kernel as Enforcer — Namespaces, Cgroups, and the Linux Sandboxing Stack

  1. Namespaces: Partitioning What You See
  2. Cgroups: Controlling What You Can Do
  3. User Namespaces and Unprivileged Containers
  4. Composing Isolation: From Primitives to Containers
  5. Limitations and Known Gaps in Linux Isolation

Chapter 3: Mandatory Access Control — SELinux, AppArmor, and Smack

  1. Discretionary vs Mandatory Access Control
  2. SELinux: Architecture and Policy Model
  3. AppArmor: Profile-Based Protection
  4. Smack and Alternative MAC Frameworks
  5. Operational Challenges and Adoption Barriers

Chapter 4: System Call Filtering — seccomp, Landlock, and Capability Dropping

  1. Linux Capabilities: Fine-Grained Privilege Splitting
  2. seccomp-bpf: Filtering the System Call Surface
  3. Landlock: A New Era of Unprivileged Sandboxing
  4. Composing Filters with Capability Dropping
  5. Real-World seccomp Profiles and Case Studies

Chapter 5: eBPF — The Universal Sandbox Primitive

  1. From TCPdump to Trusted Kernel Runtime: The eBPF Revolution
  2. How eBPF Works: Verifier, Programs, and Maps
  3. eBPF for Network and Filesystem Sandboxing
  4. Observability-Driven Security with eBPF
  5. Trust Boundaries and the eBPF Threat Model
  6. The eBPF Security Model in Practice

Chapter 6: Container Runtimes and the OCI Ecosystem

  1. The OCI Standard: Making Containers Portable
  2. Docker Architecture Deep Dive
  3. containerd and CRI-O: Kubernetes-Native Runtimes
  4. Rootless Containers and User Namespace Remapping
  5. Storage Drivers and Image Layers

Chapter 7: Virtual Machines and MicroVMs — Hardware-Level Isolation

  1. Virtualization Fundamentals and the Hypervisor Stack
  2. KVM and QEMU: The Linux Virtualization Foundation
  3. MicroVMs: Firecracker, Crosvm, and the Edge of Performance
  4. Security Comparison: VMs vs Containers
  5. When to Choose Hardware Isolation Over OS-Level Sandboxing

Chapter 8: Desktop and Mobile Sandboxes — macOS, Windows, Android, iOS, and Browsers

  1. macOS Sandbox: Seatbelt and Entitlements
  2. Windows AppContainer and Virtual-Based Sandboxing
  3. Android’s Per-App Isolation Model
  4. iOS Application Sandboxing and Entitlements
  5. Browser Sandboxes: Process Isolation and Site Separation

Chapter 9: Language and Runtime Sandboxes — From chroot to WebAssembly

  1. chroot: The Oldest Trick in the Book
  2. FreeBSD Jails: BSD’s Isolation Philosophy
  3. LXC and LXD: System Containers on Linux
  4. WebAssembly and WASI: Sandboxing at the Bytecode Level
  5. Language and Runtime Sandboxing Approaches

Chapter 10: Sandbox Escapes — How Isolation Fails and What to Do About It

  1. Container Escape Techniques and Case Studies
  2. VM Escape: Hypervisor Vulnerabilities and Side Channels
  3. Browser Sandbox Bypasses
  4. Desktop OS Sandbox Escapes
  5. Defense Strategies and the Ongoing Arms Race

Chapter 11: Designing and Operating Sandboxed Environments

  1. Threat Modeling Your Sandboxing Strategy
  2. Selecting Isolation Technology for Different Workloads
  3. Hardening Container Images and Runtimes
  4. Network Segmentation and Zero-Trust Networking
  5. Observability, Debugging, and Operational Excellence

Chapter 12: The Future of Sandboxing — Serverless, Confidential Computing, and Beyond

  1. Serverless Isolation: The Function-as-a-Service Model
  2. Confidential Computing: When the Kernel Can’t Be Trusted
  3. WebAssembly’s Expanding Sandbox Horizon
  4. The Convergence Playbook: Containers, VMs, and Wasm Together
  5. Open Challenges and Where the Field Is Heading

Conclusion: The Principle of Measured Trust

References

Get the free sample chapters

Click the buttons to get the free sample in PDF or EPUB, or read the sample online here

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $15 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub