"SandBox Mode" Proposed For The Linux Kernel To Improve Memory Safety
Petr Tesarik of Huawei has sent out a "request for comments" patch series for the new SandBox Mode. Petr describes SandBox Mode as follows:
"The ultimate goal of SandBox Mode is to execute native kernel code in an environment which permits memory access only to predefined addresses, so potential vulnerabilities cannot be exploited or will have no impact on the rest of the kernel.
This patch series adds the API and arch-independent infrastructure of SandBox Mode to the kernel. It runs the target function on a vmalloc()'ed copy of all input and output data. This alone prevents some out-of-bounds accesses thanks to guard pages."
The SandBox Mode documentation further adds:
"The primary goal of SandBox Mode (SBM) is to reduce the impact of potential memory safety bugs in kernel code by decomposing the kernel. The SBM API allows running each component inside an isolated execution environment. In particular, memory areas used as input and/or output are isolated from the rest of the kernel and surrounded by guard pages. Without arch hooks, this common base provides *weak isolation*.
On architectures which implement the necessary arch hooks, SandBox Mode leverages hardware paging facilities and CPU privilege levels to enforce the use of only these predefined memory areas. With arch support, SBM can also recover from protection violations. This means that SBM forcibly terminates the sandbox and returns an error code (e.g. `-EFAULT`) to the caller, so execution can continue. Such an implementation provides *strong isolation*."
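To make the copy-in/copy-out with guard pages and the `-EFAULT` recovery concrete, here is an added userspace model of the mechanism the two quotes describe. It is not code from the RFC series or the kernel: `sbm_call`, `sbm_on_fault` and the two callees are assumed names, `mmap()` with `PROT_NONE` pages stands in for a `vmalloc()`'ed copy with guard pages, and a `SIGSEGV` handler stands in for the arch hook that terminates the sandbox.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf sbm_recover;
static void sbm_on_fault(int sig) { (void)sig; siglongjmp(sbm_recover, 1); }

/* Run fn(buf, len) on a private copy of data that sits on its own pages with a
 * PROT_NONE guard page on each side. Output is copied back only on success.
 * Returns 0, or -EFAULT when fn touched memory outside its sandboxed buffer. */
int sbm_call(void (*fn)(unsigned char *, size_t), unsigned char *data, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = ((len + page - 1) / page) * page;      /* page-granular, like vmalloc */
    unsigned char *map = mmap(NULL, body + 2 * page, PROT_NONE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED) return -ENOMEM;
    unsigned char *buf = map + page;                      /* page below buf stays PROT_NONE */
    mprotect(buf, body, PROT_READ | PROT_WRITE);          /* page above body stays PROT_NONE */
    memcpy(buf, data, len);                               /* copy-in */
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sbm_on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int rc = 0;
    if (sigsetjmp(sbm_recover, 1) == 0) {
        fn(buf, len);                                     /* callee sees only the copy */
        memcpy(data, buf, len);                           /* copy-out */
    } else {
        rc = -EFAULT;                                     /* violation: sandbox terminated */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(map, body + 2 * page);
    return rc;
}

/* Constructed callees: one stays in bounds, one walks past its buffer. */
static void upper_in_place(unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++) if (b[i] >= 'a' && b[i] <= 'z') b[i] -= 'a' - 'A';
}

static void overrun(unsigned char *b, size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    for (size_t i = 0; i < n + 2 * page; i++) b[i] = 0;  /* reaches the upper guard page */
}
```

Because the guard pages are page-granular, an overrun that stays inside the last page of the copy is not caught, which is why the RFC says this base prevents only "some" out-of-bounds accesses; the caller's original buffer is left untouched on a fault because copy-out is skipped.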
It will be interesting to see how this SandBox Mode proposal is received by upstream kernel developers. Those interested can see the RFC patch series for more information on this just-proposed addition to the Linux kernel.