Huawei proposes to launch a new “sandbox mode” for the Linux kernel to improve memory security
Chinese tech giant Huawei has proposed a new “SandBox Mode” (SBM) for the Linux kernel to improve memory safety. The ultimate goal of SandBox Mode is to execute native kernel code in an environment that permits memory access only to predefined addresses. This way, a vulnerability in the sandboxed code either cannot be exploited or has no impact on the rest of the kernel. This patch series adds the API and the arch-independent infrastructure of SandBox Mode to the kernel. It runs the target function on a vmalloc()’ed copy of all input and output data. On its own, this already catches some out-of-bounds accesses, because the copy is surrounded by guard pages. The SandBox Mode API allows each component to be run inside an isolated execution environment.
In particular, the memory areas used as input and/or output are isolated from the rest of the kernel and surrounded by guard pages. Without arch hooks, this common base provides only weak isolation. On architectures that implement the necessary arch hooks, SandBox Mode leverages the hardware paging facilities and CPU privilege levels to enforce that only these predefined memory areas can be used. With arch support, SBM can also recover from protection violations: it forcibly terminates the sandbox and returns an error code (e.g. -EFAULT) to the caller, so execution can continue. Such an implementation provides strong isolation.