How to Run Untrusted AI Code

How to Run Untrusted AI Code
Published on 19.12.2025
A couple of years ago, I was working on small project, where i had to run intentionally vulnerable code in a sandboxed environment. The project died, but now I wanted to build something on top of that foundation. Enter AI era - agents are generating untrusted code left and right, and we need safe sandboxed environments to run them. Simple as that. Prolly naive econmically, but utility exists.

Virtualization Primer

To run untrusted code, you need to make sure anything that happens inside this sandbox doesn't affect the outside world. Emulation can help with that. One can write a program that emulates a CPU, like x86 ISA or RISC-V. And plug in memory into the mix, and voila! You have a sandbox. Of course, this is a naive approach, but it's a start.

One of the immediate issues you see is the speed. Emulation is slow by nature, you are emulating what the CPU can do already but on another abstraction layer, which is by definition slower since it involves more computational overhead. Enter hypervisors.

Hypervisors are programs that run on top of a specific hardware and provide a virtualized environment. This is possible because the hardware is designed to support virtualization. It let's you switch between different execution contexts at a hardware level.

Bottom line, 
Emulation = Slow, any architecture, Hypervisors = Fast, hardware specific.

KVM (Kernel-based Virtual Machine)

KVM is one such hypervisor that natively exists in linux kernel. The kernel exposes KVM via `/dev/kvm` device which you can interact with using `ioctl` system calls.

#include <sys/ioctl.h>

// Create KVM context
int kvm_fd = open("/dev/kvm", O_RDWR);

// Create VM
int vm_fd = ioctl(kvm_fd, KVM_CREATE_VM, 0);

// Run VM
ioctl(vm_fd, KVM_RUN, 0);

Under the hood

KVM allocates hardware speicifc structures(`VMCS/VMCB`) and this is managed by the CPU. KVM writes initial config states into it and CPU reads and writes to it during virtualization context switching.

When KVM calls `KVM_RUN` ioctl, it launches `VMLAUNCH/VMRUN` instruction to start the VM. CPU enters guest mode and loads the state from `VMCS/VMCB`. CPU does the actual register/state swapping using these structures.

The context switching is done by the CPU at a hardware level and the transition is called `VMEXIT/VMENTRY`. `VMEXIT` is when the CPU leaves the guest mode and `VMENTRY` is when the CPU enters the guest mode. 

KVM is powerful, but it just provides the virtualization primitives. You would need to implement the rest of the functionality like device emulation, VM lifecycle, etc.

Firecracker

Now Firecracker is that layer that sits on top of KVM and provides the VM lifecycle management, device emulation, and other things. It was built by AWS and is used in AWS Lambda. Mainly because it's fast and lightweight. 

oh did i mention - it's written in rust btw XD

It's pretty simple to use, it exposes a simple REST API to create, start, stop, and destroy VMs. Each VM is a separate process, and you can attach devices to it. All you need is a kernel and a rootfs.

An Open Source Platform

Orchestrating it for thousands of VMs can get tricky soon. Boiling it down to just a function call and not having to worry about the underlying infrastructure is ideal. And there are a few many startups doing this.

I started building a platform on top of Firecracker, so one can run untrusted code, expose APIs to outside world, upload files, and so on. 

I started building this into an actual product after an MVP i hacked together in a few hours at ODF demo day. It's a functioning project now, but still in early stages. It doesn't have clustering capabilities yet, but it's a start.

Today i'm open sourcing this platform after building it for a couple of months, so anyone can run untrusted code. It has a very simple API, moderately easy to self-host, and has a dashboard to manage VMs and API keys.

You can use this to run AI-generated code safely, spin up remote coding workspaces, or analyze malicious files in isolation. The possibilities are pretty much endless.

Here's how simple it is to use:

from concave import sandbox

with sandbox() as s:
    result = s.run("print('Hello from Concave!')")
    print(result.stdout)

You can scale it upto a few thousands of VMs concurrently on larger bare metal machines. It's not a cluster yet, but PRs are welcome.

>>> It's called Concave and you can find the code here. If you wanna contribute, PRs are welcome.

Hit me up on X - @matmul.