A security mechanism for separating running programs, usually in an effort to keep system failures or software vulnerabilities from spreading. It is often used to execute untrusted programs or code without risking harm to the host machine or operating system. A sandbox provides a tightly controlled set of resources for guest programs to run in.