Build a Kernel-Module Sandbox for an Untrusted Code Service

Free · Verified credential · 4 weeks · Expert

Overview

What this challenge is about.

Receive the current Docker-based sandbox configuration, post-incident reports for both escapes, and the runtime requirements for Python and C++ (compilers, package availability, network access denied). Design a defense-in-depth sandbox: gVisor for the runtime, custom seccomp-bpf filter denying ~120 syscalls (including those used in past escapes), user-namespace isolation, cgroups for CPU + memory + PIDs, and a read-only root filesystem with a writable tmpfs scratch. Implement the seccomp filter and the runtime wrapper. Run a red-team exercise: attempt 8 escape techniques (kernel-keyring, ptrace, /proc walks, namespace-jumping, etc.) and document which are blocked at which layer. Deliver the sandbox implementation, the seccomp profile, the red-team report, a performance-overhead comparison, and a 6-page architecture memo for the CTO.

Credential: Blockchain-anchored
Shareable: LinkedIn-ready
Language: English
Pace: Self-paced

The Brief

What you'll do, and what you'll demonstrate.

Replace a Docker-only sandbox with a defense-in-depth layered sandbox that blocks all 8 attempted escape techniques while keeping runtime overhead under 15 percent.

Earning criteria — what you'll demonstrate

  • Design defense-in-depth using seccomp, namespaces, and gVisor together
  • Write production-grade seccomp-bpf filters with audit + deny semantics
  • Run an honest red-team exercise against your own design
  • Quantify performance overhead against a real baseline

Program Fit

Where this fits in your program.

Sharpens the same skills your degree expects you to demonstrate.

Skills

Skills you'll demonstrate.

Each one shows up on your verified credential.

Careers

Roles this prepares you for.

Real titles. Real skill bridges. Pick the one closest to your trajectory.
