"SandBox Mode" Proposed For The Linux Kernel To Improve Memory Safety

Written by Michael Larabel in Linux Security on 14 February 2024 at 06:55 AM EST. 18 Comments
LINUX SECURITY
While there is already the work underway on allowing the Rust programming language within the Linux kernel in part to leverage its memory safety potential, a proposal was sent out this morning for a new "SandBox Mode" for the Linux kernel to also increase the memory safety of C code within the kernel.

Petr Tesarik with Huawei sent out the "request for comments" patch series on the new SandBox Mode. Petr describes the SandBox Mode as:
"The ultimate goal of SandBox Mode is to execute native kernel code in an environment which permits memory access only to predefined addresses, so potential vulnerabilities cannot be exploited or will have no impact on the rest of the kernel.

This patch series adds the API and arch-independent infrastructure of SandBox Mode to the kernel. It runs the target function on a vmalloc()'ed copy of all input and output data. This alone prevents some out-of-bounds accesses thanks to guard pages."

The SandBox Mode documentation further adds:
"The primary goal of SandBox Mode (SBM) is to reduce the impact of potential memory safety bugs in kernel code by decomposing the kernel. The SBM API allows to run each component inside an isolated execution environment. In particular, memory areas used as input and/or output are isolated from the rest of the kernel and surrounded by guard pages. Without arch hooks, this common base provides *weak isolation*.

On architectures which implement the necessary arch hooks, SandBox Mode leverages hardware paging facilities and CPU privilege levels to enforce the use of only these predefined memory areas. With arch support, SBM can also recover from protection violations. This means that SBM forcibly terminates the sandbox and returns an error code (e.g. ``-EFAULT``) to the caller, so execution can continue. Such implementation provides *strong isolation*."

It will be interesting to see how this SandBox Mode proposal is received by upstream kernel developers. Those interested can see the RFC patch series for more information on this just-proposed addition to the Linux kernel.
18 Comments
Related News
New Linux Patch Lets You Force CPU Bugs/Mitigations Even When Not Vulnerable
Linux To Allow Disabling TPM PCR Integrity Protection Due To Performance Bottleneck
OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch
Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS
Landlock Sandboxing Now Supports More Controls Around Unix Sockets
Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
Rustls Multi-Threaded Performance Is Battering OpenSSL
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Fedora 42 Aims To Enhance The Windows Subsystem For Linux Experience