Architecture
- Parent VM: Security barrier with operation validation
- Inner VM: Isolated execution environment for user code
- Tool call flow: Inner VM → Parent VM validation → Host handler
Basic Configuration
Parent Validation Options
Operation Name Filtering
Control which tool names are allowed:

Built-in Suspicious Pattern Detection
The Double VM detects these attack patterns automatically:

| Pattern | Description |
|---|---|
| EXFIL_LIST_SEND | List/query operation followed by a send/export operation |
| RAPID_ENUMERATION | Same operation called more than 10 times within 5 seconds |
| CREDENTIAL_EXFIL | Credential access combined with an external operation |
| BULK_OPERATION | Operation names containing bulk/batch/mass |
| DELETE_AFTER_ACCESS | Delete operation after a data access |
Custom Suspicious Patterns
Define your own detection logic:

Detection Pattern Interface
Rate Limiting
Prevent rapid-fire tool calls:

Security Benefits
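Worked example, added here and not code from the Double VM project (this page does not show its actual API): a small Node.js validator standing in for the parent VM layer, tying together the operation-name allow list, the five built-in patterns from the table above, the custom detection pattern interface, rate limiting and the audit history. Every identifier in it (ParentValidator, validate, auditTrail, the pattern objects, and the regular expressions deciding what counts as a "list", "credential" or "external" operation) is an assumption of this example, and the tool names and call sequence are constructed.

```javascript
// Added example, not the Double VM project's code. All names are hypothetical.
// A detection pattern is { name, detect(history, call) -> boolean }: `history` holds
// the calls the parent already let through to the host, `call` is the one under review.
// The regexes are this example's guess at what "access", "external" and "credential"
// mean; a real deployment would tune them to its own tool names.
const isAccess   = (n) => /list|query|read|get/i.test(n);
const isExternal = (n) => /send|export|upload|http/i.test(n);
const isCred     = (n) => /credential|secret|token|password/i.test(n);

const BUILTIN_PATTERNS = [
  { name: 'EXFIL_LIST_SEND',     // list/query followed by send/export
    detect: (h, c) => /send|export/i.test(c.name) && h.some((p) => /list|query/i.test(p.name)) },
  { name: 'RAPID_ENUMERATION',   // same operation more than 10 times within 5 s
    detect: (h, c) => h.filter((p) => p.name === c.name && c.time - p.time <= 5000).length + 1 > 10 },
  { name: 'CREDENTIAL_EXFIL',    // credential access, then an external operation
    detect: (h, c) => isExternal(c.name) && h.some((p) => isCred(p.name)) },
  { name: 'BULK_OPERATION',      // bulk/batch/mass in the operation name
    detect: (_h, c) => /bulk|batch|mass/i.test(c.name) },
  { name: 'DELETE_AFTER_ACCESS', // delete after a data access
    detect: (h, c) => /delete|remove/i.test(c.name) && h.some((p) => isAccess(p.name)) },
];

// A custom pattern written against the same interface: flag oversized arguments.
const LARGE_PAYLOAD = {
  name: 'LARGE_PAYLOAD',
  detect: (_h, c) => JSON.stringify(c.args ?? {}).length > 4096,
};

class ParentValidator {
  constructor({ allowedOperations = null, patterns = [], rateLimit = { max: 20, windowMs: 1000 } } = {}) {
    this.allowed = allowedOperations ? new Set(allowedOperations) : null; // null = any name
    this.patterns = [...BUILTIN_PATTERNS, ...patterns];
    this.rateLimit = rateLimit;
    this.history = []; // audit trail: every call seen, with its verdict
  }

  // Called by the parent VM for every tool call leaving the inner VM. Returns
  // { allowed, reasons }; the host handler runs only when `allowed` is true.
  validate(name, args, now = Date.now()) {
    const call = { name, args, time: now };
    const reasons = [];
    if (this.allowed && !this.allowed.has(name)) reasons.push(`NOT_ALLOWED:${name}`);
    // The rate limit counts every call in the window, denied ones included,
    // so a denied call is not a free retry.
    const inWindow = this.history.filter((p) => now - p.time <= this.rateLimit.windowMs).length;
    if (inWindow >= this.rateLimit.max) reasons.push('RATE_LIMIT');
    // Patterns only see calls that actually reached the host.
    const passed = this.history.filter((p) => p.allowed);
    for (const pat of this.patterns) if (pat.detect(passed, call)) reasons.push(pat.name);
    const allowed = reasons.length === 0;
    this.history.push({ ...call, allowed, reasons });
    return { allowed, reasons };
  }

  auditTrail() { return this.history.map((h) => ({ ...h })); }
}

// Constructed call sequence in which each check fires once.
function runScenario() {
  const v = new ParentValidator({
    allowedOperations: ['listFiles', 'readFile', 'getSecret', 'sendEmail', 'deleteFile'],
    patterns: [LARGE_PAYLOAD],
  });
  const out = {};
  out.list = v.validate('listFiles', { dir: '/data' }, 0);                // clean
  out.send = v.validate('sendEmail', { to: 'a@example.com' }, 100);       // EXFIL_LIST_SEND
  out.unknown = v.validate('uploadBlob', {}, 200);                        // not on the allow list
  for (let i = 0; i < 10; i++) v.validate('readFile', { path: `/data/${i}` }, 300 + i);
  out.enum = v.validate('readFile', { path: '/data/10' }, 310);           // 11th read within 5 s
  out.del = v.validate('deleteFile', { path: '/data/0' }, 400);           // DELETE_AFTER_ACCESS
  v.validate('getSecret', { key: 'api' }, 500);
  out.cred = v.validate('sendEmail', { to: 'a@example.com' }, 600);       // CREDENTIAL_EXFIL too
  out.big = v.validate('listFiles', { dir: 'x'.repeat(5000) }, 700);      // custom LARGE_PAYLOAD
  out.trail = v.auditTrail();
  return out;
}

// Rate limiting on its own: the 4th call inside a 1 s window with max 3 is refused.
function rateLimitScenario() {
  const v = new ParentValidator({ rateLimit: { max: 3, windowMs: 1000 } });
  return [0, 10, 20, 30].map((t) => v.validate('readFile', {}, t).reasons);
}
```

Two design choices worth noting: the rate limiter counts denied calls as well as allowed ones, so flooding with rejected names still burns the budget, while pattern detection only looks at calls that actually reached the host, so a denied `listFiles` cannot become the precursor of an EXFIL_LIST_SEND hit. The history doubles as the audit trail, with each entry recording the verdict and the reasons for it.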
- Operation Isolation - Tool calls pass through validation layer
- Pattern Detection - Detect multi-step attack sequences
- Rate Limiting - Prevent denial-of-service via tool flooding
- Audit Trail - Operation history for forensics
- Defense in Depth - Additional layer beyond AST validation
Performance Considerations
The Double VM adds minimal overhead:

- Latency: ~1-2ms per tool call for validation
- Memory: ~10MB additional for parent VM context
- CPU: Negligible for pattern matching
Related
- Security Levels - Security presets
- AI Scoring Gate - Semantic security analysis
- Worker Pool - OS-level isolation