{"id":"https://openalex.org/W7133528082","doi":"https://doi.org/10.48550/arxiv.2603.02277","title":"Quantifying Frontier LLM Capabilities for Container Sandbox Escape","display_name":"Quantifying Frontier LLM Capabilities for Container Sandbox Escape","publication_year":2026,"publication_date":"2026-03-01","ids":{"openalex":"https://openalex.org/W7133528082","doi":"https://doi.org/10.48550/arxiv.2603.02277"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.02277","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.02277","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.02277","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5128108973","display_name":"Rahul Marchand","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Marchand, Rahul","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050464262","display_name":"Art \u00d3 Cath\u00e1in","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Cathain, Art O","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5114331401","display_name":"Jerome Wynne","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wynne, Jerome","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128052542","display_name":"Philippos Maximos Giavridis","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Giavridis, Philippos Maximos","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123710039","display_name":"Sam Deverett","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Deverett, Sam","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128111158","display_name":"Dr John Wilkinson","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wilkinson, John","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128081558","display_name":"Jason Gwartz","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gwartz, Jason","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5087769785","display_name":"Harry Coppock","orcid":"https://orcid.org/0000-0003-2404-8319"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Coppock, Harry","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5128108973"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.29760000109672546,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.29760000109672546,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.290800005197525,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.06639999896287918,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/sandbox","display_name":"Sandbox (software development)","score":0.9223999977111816},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7379999756813049},{"id":"https://openalex.org/keywords/rootkit","display_name":"Rootkit","score":0.6464999914169312},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.5442000031471252},{"id":"https://openalex.org/keywords/container","display_name":"Container (type theory)","score":0.4731999933719635},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.38580000400543213},{"id":"https://openalex.org/keywords/architecture","display_name":"Architecture","score":0.37689998745918274},{"id":"https://openalex.org/keywords/attack-surface","display_name":"Attack surface","score":0.3562999963760376},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.3447999954223633}],"concepts":[{"id":"https://openalex.org/C167981075","wikidata":"https://www.wikidata.org/wiki/Q2667186","display_name":"Sandbox (software development)","level":2,"score":0.9223999977111816},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7620999813079834},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7379999756813049},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.6464999914169312},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.5442000031471252},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5367000102996826},{"id":"https://openalex.org/C2781018962","wikidata":"https://www.wikidata.org/wiki/Q5164884","display_name":"Container (type theory)","level":2,"score":0.4731999933719635},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.38580000400543213},{"id":"https://openalex.org/C123657996","wikidata":"https://www.wikidata.org/wiki/Q12271","display_name":"Architecture","level":2,"score":0.37689998745918274},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.3562999963760376},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.3447999954223633},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.33169999718666077},{"id":"https://openalex.org/C2779227376","wikidata":"https://www.wikidata.org/wiki/Q6505497","display_name":"Layer (electronics)","level":2,"score":0.33009999990463257},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.32910001277923584},{"id":"https://openalex.org/C513985346","wikidata":"https://www.wikidata.org/wiki/Q270471","display_name":"Virtualization","level":3,"score":0.3257000148296356},{"id":"https://openalex.org/C2780138299","wikidata":"https://www.wikidata.org/wiki/Q3404265","display_name":"Privilege (computing)","level":2,"score":0.3255000114440918},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.3239000141620636},{"id":"https://openalex.org/C170723468","wikidata":"https://www.wikidata.org/wiki/Q182933","display_name":"x86","level":3,"score":0.3190999925136566},{"id":"https://openalex.org/C86844869","wikidata":"https://www.wikidata.org/wiki/Q2798820","display_name":"Hacker","level":2,"score":0.2946000099182129},{"id":"https://openalex.org/C1304207","wikidata":"https://www.wikidata.org/wiki/Q7189582","display_name":"Physical access","level":3,"score":0.2919999957084656},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.29100000858306885},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.28349998593330383},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2680000066757202},{"id":"https://openalex.org/C74193536","wikidata":"https://www.wikidata.org/wiki/Q574844","display_name":"Kernel (algebra)","level":2,"score":0.2678999900817871},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.2624000012874603},{"id":"https://openalex.org/C165064840","wikidata":"https://www.wikidata.org/wiki/Q1321061","display_name":"Matching (statistics)","level":2,"score":0.2547000050544739},{"id":"https://openalex.org/C71901391","wikidata":"https://www.wikidata.org/wiki/Q7126699","display_name":"Upload","level":2,"score":0.25440001487731934}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.02277","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.02277","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.02277","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.02277","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.6935811042785645,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"models":[2],"(LLMs)":[3],"increasingly":[4],"act":[5],"as":[6,66],"autonomous":[7],"agents,":[8],"using":[9,41],"tools":[10],"to":[11,56,133,147,151],"execute":[12],"code,":[13],"read":[14],"and":[15,18,33,87,120,135],"write":[16],"files,":[17],"access":[19,102],"networks,":[20],"creating":[21],"novel":[22],"security":[23],"risks.":[24],"To":[25],"mitigate":[26],"these":[27,60],"risks,":[28],"agents":[29],"are":[30,128,131],"commonly":[31],"deployed":[32],"evaluated":[34],"in":[35],"isolated":[36],"\"sandbox\"":[37],"environments,":[38],"often":[39],"implemented":[40,65],"Docker/OCI":[42],"containers.":[43],"We":[44,123],"introduce":[45],"SANDBOXESCAPEBENCH,":[46],"an":[47,53,67],"open":[48],"benchmark":[49,63],"that":[50,139],"safely":[51],"measures":[52],"LLM's":[54],"capacity":[55],"break":[57],"out":[58],"of":[59,95,110,141],"sandboxes.":[61],"The":[62],"is":[64,145],"Inspect":[68],"AI":[69],"Capture":[70],"the":[71,81,85,153],"Flag":[72],"(CTF)":[73],"evaluation":[74,142],"utilising":[75],"a":[76,92,96,104,108],"nested":[77],"sandbox":[78],"architecture":[79],"with":[80,100],"outer":[82],"layer":[83],"containing":[84],"flag":[86],"no":[88],"known":[89],"vulnerabilities.":[90],"Following":[91],"threat":[93],"model":[94],"motivated":[97],"adversarial":[98],"agent":[99],"shell":[101],"inside":[103],"container,":[105],"SANDBOXESCAPEBENCH":[106,144],"covers":[107],"spectrum":[109],"sandboxescape":[111],"mechanisms":[112],"spanning":[113],"misconfiguration,":[114],"privilege":[115],"allocation":[116],"mistakes,":[117],"kernel":[118],"flaws,":[119],"runtime/orchestration":[121],"weaknesses.":[122],"find":[124],"that,":[125],"when":[126],"vulnerabilities":[127],"added,":[129],"LLMs":[130],"able":[132],"identify":[134],"exploit":[136],"them,":[137],"showing":[138],"use":[140],"like":[143],"needed":[146,155],"ensure":[148],"sandboxing":[149],"continues":[150],"provide":[152],"encapsulation":[154],"for":[156],"highly-capable":[157],"models.":[158]},"counts_by_year":[],"updated_date":"2026-03-05T07:36:02.291473","created_date":"2026-03-05T00:00:00"}