I am developing an application which needs to sandbox untrusted code. The form the untrusted code is provided in doesn't matter too much, as long as it's fairly expressive. No outside communication is required or should be allowed beyond taking a string as input and returning another string. It's OK if the resulting execution is fairly slow. My main priority is to find a secure way to do this.
NaCl looks promising, but hasn't yet received much hostile attention. The various java and javascript sandboxes have been pounded on pretty hard, but all of them have had recent privilege escalation vulnerabilities.
Are there any other sandboxing frameworks I should consider? I'm hoping there's a fairly simple secure-by-design framework (like NaCl, but more mature) which you can convince yourself is secure by auditing its code. I'm looking into the pypy sandbox, which claims to do this. However, I understand that so far it has not received much attention. Combining with an extra layer of OS virtualization like plash would reduce the risk somewhat, but those are complicated and can have vulnerabilities too.
You aren't being clear about how this sandbox is being used. If you are just running untrusted code, that is potentially malware then you should use a virtual machine like VMWare, if it has to be browser based then you should look into JPC.
Also, everything has vulnerabilities, especially StackOverflow :)