Securing the Sandbox: A Rootless Containerized Framework for Process-Oriented Monitoring in Computer Graphics Education

Source: arXiv:2606.05929 · Published 2026-06-04 · By Germán Arroyo, Luis López, Juan Carlos Torres

TL;DR

This paper addresses the challenge of preserving authentic student programming effort in the age of Generative AI, which makes it difficult to distinguish human-derived code from AI-generated submissions when grading final artifacts alone. To maintain pedagogical integrity, the authors propose shifting focus from artifact-based to process-oriented evaluation by monitoring iterative development behaviors. However, centralized platforms like JupyterHub—while enabling real-time process monitoring—pose severe infrastructure security risks since they allow arbitrary shell commands with potential host system compromise. To reconcile this, the authors introduce VISMATIC, a rootless containerized sandbox framework that isolates student processes using unprivileged namespaces and intercepts explicit user API interactions rather than passive telemetry to capture genuine student coding activity safely. Deployed on low-cost Raspberry Pi hardware with resource limits and storage quotas, VISMATIC provides interactive computational notebooks integrating LaTeX-rendered theory with graphical feedback tailored to Computer Graphics education. A pilot cohort of 19 students generated detailed API interaction logs that the authors analyzed using behavioral metrics such as session intensity, cumulative engagement, and temporal activity rhythms. Crucially, these metrics revealed anomalies—like continuous high-intensity sessions without breaks—consistent with automated or off-platform AI workflows, enabling detection of likely academic integrity violations while preserving student anonymity through pseudonymization. The system offers a scalable, practical framework to enforce authentic coding discipline and contain operational risk in AI-assisted educational settings.

Key findings

  • VISMATIC’s rootless containerization using Podman with user namespaces effectively isolates student workloads from host privileges, mitigating kernel-level privilege escalation exploits including CVE-2026-31431 (Copy Fail), Dirty Pipe, and Dirty Frag.
  • The pilot deployment on a Raspberry Pi 5 supported 10-20 concurrent students with stable performance, accumulating 1,880 explicit API events over 57 active student-hours across 19 students.
  • Tracking explicit API events (file modifications, code executions, terminal usage) rather than passive keep-alive telemetry prevents artificial inflation of engagement times and captures authentic iterative coding behaviors.
  • Session intensity vs duration analysis flagged statistical outliers with continuous coding/events over 24+ hours without cognitive breaks, indicative of automated scripts or macros not physically feasible by humans.
  • Cumulative engagement heatmaps revealed segmented, staircase-like activity growth punctuated by plateaus correlating with offline thinking periods, whereas automated or off-platform activity exhibited linear unbroken trajectories.
  • A daily work volume metric showed cohort workload distributions with peaks near assignment deadlines, supporting interpretation of temporal stress cycles and cramming behaviors.
  • The abstraction layer combining loop-device mounted quotas for storage and rootless containers prevents denial-of-service attacks by disk exhaustion and limits blast radius of compromised sessions.
  • The platform’s privacy-by-design anonymization strategy replaces personally identifiable student information with randomized animal-themed pseudonyms, enabling privacy-compliant behavioral monitoring.

Threat model

The adversary is a student participant attempting to evade authentic process-oriented monitoring by using automated scripts, browser macros, or generative AI to produce code outside the sanctioned development workflow. The attacker can interact remotely with the central execution environment but is confined to unprivileged user namespaces with no root or kernel-level access. The adversary cannot break rootless container boundaries or escalate privileges to compromise the host or other users due to kernel namespace isolation and lack of root privileges. Lateral movement and host compromise are assumed infeasible under the designed defense-in-depth container architecture.

Methodology — deep read

  1. Threat Model & Assumptions: The adversary is a student who may attempt to use generative AI tools or automation to produce code off-platform or via macros/scripts to circumvent authentic interactive development. The adversary can interact remotely with the Jupyter-based environment but cannot gain root privileges on the host system. The system assumes kernel exploits like CVE-2026-31431 exist but the rootless containerization design limits privilege escalation and cross-container lateral movement.

  2. Data: Data consisted of HTTP API request logs intercepted explicitly inside the VISMATIC JupyterHub environment. These logs recorded direct student interactions such as file saves/edits, code execution commands, and terminal commands. The dataset was collected from a pilot cohort of 19 students over approximately 57 active hours, resulting in 1,880 explicit interaction events. No sub-second keystroke data was captured to reduce I/O overhead.

  3. Architecture / Algorithm: VISMATIC employs a layered defense architecture with (a) an Apache2 reverse proxy providing SSL termination and WebSocket tunneling, (b) rootless containers orchestrated by Podman using Linux user namespaces to map student processes to unprivileged host UIDs, and (c) storage abstraction via loop-mounted ext4 device images enforcing strict storage quotas per user. The computational stack includes JupyterHub as a gateway, a custom Ubuntu 24.04 container image with Python scientific libraries (NumPy, ipywidgets), a read-only course materials repository, and a server-side-only private CG library that prevents offline notebook export and execution.

  4. Training Regime: Not applicable, since this is a security/monitoring infrastructure paper rather than a machine learning training study. However, the collected interaction data was analyzed offline by the authors.

  5. Evaluation Protocol: Evaluation was conducted using a real classroom pilot with 19 student accounts. Metrics were computed over explicit API event data including temporal heatmaps (hour/day), cumulative platform engagement curves, session intensity (events per minute), and daily work volumes. The baseline comparison was between human-authentic interaction patterns (variable session intensities, plateaued cumulative interaction) and anomalous patterns such as sustained unbroken high-intensity sessions and linear cumulative trajectories indicating automated/scripted activity. Result visualizations included heatmaps and scatter plots, as in Fig. 3 and Fig. 4. No cross-validation was performed, but results were validated by expert instructor knowledge.

  6. Reproducibility: No public release of code or dataset is mentioned. The closed-source private CG library and institutional deployment likely restrict broader replication. The paper describes the architecture and pilot dataset but does not provide formal open source artifacts or trained models. The described rootless container approach and telemetry interception techniques could be implemented independently.

Concrete Example: A student using VISMATIC logs file edits and code cell executions explicitly via JupyterHub API events. Their session exhibits natural pauses, moderate intensity ratios, and cumulative interaction with plateau phases indicating offline reasoning. Conversely, an automated bot running a browser macro posts continuous rapid file saves and code runs for over 24 hours without rest. This continuous high-intensity interaction is flagged as anomalous, triggering instructor review. Meanwhile, rootless containers mapped to unprivileged UIDs prevent the bot from breaking out to host or other students’ namespaces. The low-cost Raspberry Pi hardware hosts these containers with enforced CPU/memory quotas and persistent storage quotas via loop devices, maintaining service stability and containment.
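
The session-intensity check described above, sketched as an added example (not code from the paper or from VISMATIC): it splits each pseudonymous user's explicit events into sessions, flags any unbroken session of 24 hours or more, and shows how counting passive heartbeats would wrongly flag a student who only left a tab open. The log format, the event labels, the 30-minute break gap and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

BREAK_GAP = timedelta(minutes=30)        # assumed: a longer silence ends a session
MAX_SESSION = timedelta(hours=24)        # page: 24+ h with no break is flagged
EXPLICIT = {"file_save", "execute", "terminal"}  # hypothetical event labels

def parse(line):
    """Parse one constructed log line: '<ISO time> <pseudonym> <event>'."""
    ts, user, kind = line.split()
    return datetime.fromisoformat(ts), user, kind

def sessions(lines, explicit_only=True):
    """Split each user's events into sessions at gaps longer than BREAK_GAP."""
    per_user = {}
    for ts, user, kind in sorted(map(parse, lines)):
        if explicit_only and kind not in EXPLICIT:
            continue                     # drop passive keep-alive heartbeats
        runs = per_user.setdefault(user, [])
        if runs and ts - runs[-1][-1] <= BREAK_GAP:
            runs[-1].append(ts)
        else:
            runs.append([ts])
    return per_user

def flag(lines, explicit_only=True):
    """Map user -> [(duration, events per minute)] for unbroken 24 h+ sessions."""
    out = {}
    for user, runs in sessions(lines, explicit_only).items():
        for run in runs:
            dur = run[-1] - run[0]
            if dur >= MAX_SESSION:
                rate = round(len(run) / (dur.total_seconds() / 60), 3)
                out.setdefault(user, []).append((dur, rate))
    return out

def sample_log():
    """Constructed data: 'otter' works in two bursts, 'heron' never pauses."""
    t0, rows = datetime(2026, 3, 2, 9, 0), []
    # otter: tab open ~26 h (heartbeat every 300 s), two 36-minute work bursts
    rows += [(t0 + timedelta(seconds=300 * i), "otter", "heartbeat") for i in range(312)]
    rows += [(t0 + timedelta(minutes=4 * i), "otter", "execute") for i in range(10)]
    rows += [(t0 + timedelta(hours=20, minutes=4 * i), "otter", "file_save") for i in range(10)]
    # heron: one explicit event every 10 minutes for 25 h
    rows += [(t0 + timedelta(minutes=10 * i), "heron", "execute") for i in range(151)]
    return [f"{ts.isoformat()} {user} {kind}" for ts, user, kind in rows]

if __name__ == "__main__":
    print("explicit events only:", flag(sample_log()))
    print("with heartbeats:     ", flag(sample_log(), explicit_only=False))
```

A flagged session is a prompt for instructor review, as in the paper's workflow, and the break gap should be tuned against the cohort's own activity rather than taken from this sketch.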

Technical innovations

  • Integration of rootless container orchestration (via Podman) with Linux user namespaces to enforce strict privilege isolation against recent real-world kernel exploits in an educational multi-tenant Jupyter environment.
  • Use of explicit user-driven JupyterHub API interaction interception (file edits, kernel executions, terminal commands) instead of passive telemetry for robust process-oriented monitoring and anomaly detection.
  • Persistent storage quota enforcement using loop-device mounted ext4 filesystem images per user to prevent denial-of-service attacks and ensure data isolation.
  • Privacy-by-design anonymization with randomized credential provisioning and pseudonymous account mapping to reconcile behavioral transparency with student data protection regulations.
  • Deployment of compute and monitoring infrastructure on low-cost, physically isolated Raspberry Pi nodes forming an edge computing risk-containment model for academic settings.

Datasets

  • VISMATIC pilot interaction dataset — 1,880 explicit API events over 57 active hours from 19 students — collected internally on Raspberry Pi 5 hardware, non-public

Baselines vs proposed

  • JupyterHub default telemetry (passive heartbeat): inflated engagement due to automated browser keep-alives every ~300 seconds vs VISMATIC explicit API event tracking with non-inflated genuine engagement measures
  • Docker with root daemon: vulnerable to CVE-2026-31431 privilege escalation vs VISMATIC Podman rootless containers with strong user namespace isolation
  • Unrestricted storage: vulnerable to disk exhaustion denial-of-service vs VISMATIC loop-device storage quota enforcing hard limits per user

Figures from the paper

Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2606.05929.

Fig 1: A typical student view of the VISMATIC Jupyter notebook interface. The environment seamlessly integrates

Fig 2: Architectural overview of the VISMATIC secured sandbox. The system employs a layered defense strategy:

Fig 3: Daily activity heatmap illustrating temporal en-

Fig 4: Comprehensive behavioral analysis of platform interactions, highlighting human vs. automated development

Fig 5: Longitudinal daily work volume. Aggregated explicit interaction events reveal the evolution of cohort

Limitations

  • Pilot evaluation limited to a small student cohort (n=19) and short-term deployment, restricting generalizability across disciplines or larger scale.
  • No adversarial evaluation involving active attacks against the isolated container framework (e.g., deliberate exploitation attempts) was reported.
  • Behavioral metrics rely only on macro-level API event timing without fine-grained keystroke or semantic code analysis, potentially missing subtle cheating modes.
  • Closed-source private libraries and course materials prevent external reproducibility and community audit of the full environment.
  • The approach enforces process monitoring at platform level but cannot detect cheating that occurs via collusion or external communication channels.
  • No formal usability or student experience study was described regarding the impact of rootless sandbox constraints on pedagogical workflows.

Open questions / follow-ons

  • How effective is the VISMATIC framework at detecting more sophisticated adversarial workflows involving partial human involvement or mixed automated/manual coding?
  • What are the trade-offs in student user experience and workflow flexibility caused by rootless container constraints and resource quotas?
  • Can fine-grained semantic code analysis or integration with AI code provenance tools complement macro-level API telemetry to improve anomaly detection?
  • How well does this approach generalize to other STEM disciplines or larger scale deployments beyond a single Raspberry Pi cluster?

Why it matters for bot defense

Bot-defense and CAPTCHA practitioners can draw important parallels from VISMATIC’s layered rootless containment and fine-grained API interaction monitoring to mitigate insider threat and unauthorized automation in multi-tenant platforms. Capturing explicit user interaction signals, rather than relying on passive heartbeats or session metrics, significantly improves fidelity in distinguishing legitimate human activity from automated workflows, a key challenge also faced in anti-bot systems. Furthermore, the use of unprivileged container namespaces to enforce least privilege isolation reduces the risk of lateral movement or host compromise when executing potentially adversarial workloads remotely—a foundational security principle valuable for any sandboxed execution infrastructure found in bot-defense contexts.

The privacy-by-design pseudonymization approach also offers a blueprint for balancing detailed behavioral monitoring with user privacy compliance, a critical consideration in deploying comprehensive learning analytics or bot detection telemetry. While VISMATIC focuses on educational integrity, the principles of macro-level interaction pattern analysis, resource-constrained containment, and explicit API telemetry logging align closely with requirements for robust CAPTCHA bypass detection and platform abuse prevention in web security and bot-defense applications.

Cite

```bibtex
@article{arxiv2606_05929,
  title={Securing the Sandbox: A Rootless Containerized Framework for Process-Oriented Monitoring in Computer Graphics Education},
  author={Germán Arroyo and Luis López and Juan Carlos Torres},
  journal={arXiv preprint arXiv:2606.05929},
  year={2026},
  url={https://arxiv.org/abs/2606.05929}
}
```

Articles are CC BY 4.0 — feel free to quote with attribution