Cyber-physical systems bridge the gap between cyber components, typically written in software, and the physical world. Software written with traditional development practices, however, likely contains bugs or unintended interactions among components, which can result in uncontrolled and possibly disastrous physical-world interactions. Complete verification of cyber-physical systems, however, is often impractical due to outsourced development of software, cost, software created without formal models, or excessively large or complex models where the verification process becomes intractable. Rather than mandating complete modeling and verification, we advocate sandboxing of unverified cyber-physical system controllers by augmenting the system with a verified safety wrapper that can take control of the plant in order to avoid violations of formal safety properties. The focus of this work is an automatic method, based on reach ability and time-bounded reach ability of hybrid systems, to generate verified sandboxes. The method is shown to be both more general than previous work, and allows the trade-off of increased computation time for improved reach ability accuracy. We also present an end-to-end toolkit which performs the low-level computation to generate the sandbox source code from Simulink/State flow models of a cyber-physical system.