Huawei may introduce new ‘sandbox mode’ for Linux kernel to refine memory safety
Huawei focuses on hardware as well as software products, and in its latest effort the company plans to introduce a new sandbox mode specifically for the Linux kernel. The initiative is meant to improve the kernel’s memory safety.
According to the available information, the new sandbox mode runs native kernel code in an isolated environment in which only memory at predefined addresses can be accessed. This is expected to lessen or eliminate the impact of potential vulnerabilities on the kernel.
Sandbox mode should therefore reduce the effect of bugs and security threats on kernel memory. The patch series integrates the sandbox-mode APIs and the architecture-independent infrastructure into the kernel.
Notably, these APIs can prevent ‘out-of-bounds’ access by means of protected pages. In other words, the sandbox mode API lets each component run in an isolated environment, separating the memory used as input or output from the rest of the kernel.
Based on these notes, Huawei developers believe that a new sandbox mode for the Linux kernel could improve the kernel’s memory security. Petr Tesarik, an engineer at Huawei Cloud, recently put forward a ‘request for comments’ (RFC) patch series for the new sandbox mode.
Petr also shared a description document covering the sandbox mode, the patch series, and other supplementary parts. The patch series runs the target function on a vmalloc()’ed copy of all input and output data.
With architecture support, this common base allows the sandbox mode to recover from protection violations, return an error code (such as -EFAULT) to the caller so that execution can continue, and thus offer strong isolation. You can check the complete proposed document HERE.
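To make the idea concrete, here is an added user-space model of the mechanism the article describes: the target function runs on a private copy of its input/output buffer placed inside its own mapping with guard pages, a protection violation is caught and turned into -EFAULT for the caller, and execution continues. This is illustrative code written for this article, not the kernel patch series or its API; the names `sbm_call`, `sum_and_mark` and `off_by_one` are hypothetical, and the kernel version uses vmalloc() and page-table protection rather than mmap(), mprotect() and a SIGSEGV handler.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical user-space model of a sandboxed call (constructed for this
 * article, not the kernel patch's API). The sandboxed function only ever
 * sees a private copy of the caller's buffer, placed so that the byte just
 * past its end lies on a PROT_NONE guard page. */
typedef int (*sbm_fn)(unsigned char *buf, size_t len);

static sigjmp_buf fault_env;             /* where a fault inside the sandbox unwinds to */
static volatile sig_atomic_t in_sandbox; /* set only while fn() is running */

static void fault_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)si; (void)ctx;
    if (in_sandbox)
        siglongjmp(fault_env, 1);        /* recover: unwind back into sbm_call() */
    /* A fault outside any sandboxed call is a real bug: crash as usual. */
    signal(sig, SIG_DFL);
    raise(sig);
}

static int install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Run fn on an isolated copy of data[0..len). On success the copy is written
 * back (it is the sandbox's output) and fn's return value is returned. If fn
 * touches memory outside its copy, -EFAULT is returned and data is untouched. */
int sbm_call(sbm_fn fn, unsigned char *data, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = ((len + page - 1) / page) * page;
    if (body == 0)
        body = page;
    size_t total = body + 2 * page;         /* one guard page on each side */
    unsigned char *map = mmap(NULL, total, PROT_NONE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return -ENOMEM;
    if (mprotect(map + page, body, PROT_READ | PROT_WRITE) != 0 ||
        install_fault_handler() != 0) {
        munmap(map, total);
        return -EINVAL;
    }
    /* Right-align the copy so copy[len] is the first byte of the top guard page. */
    unsigned char *copy = map + page + (body - len);
    memcpy(copy, data, len);

    volatile int rc;
    in_sandbox = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        rc = fn(copy, len);
        in_sandbox = 0;
        memcpy(data, copy, len);            /* output leaves the sandbox only on success */
    } else {
        in_sandbox = 0;                     /* fault recovered: caller's data untouched */
        rc = -EFAULT;
    }
    munmap(map, total);
    return rc;
}

/* Two constructed sample components: a well-behaved one and a buggy one. */
int sum_and_mark(unsigned char *buf, size_t len)
{
    int sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    buf[0] = 0xAA;                          /* legitimate write to the output area */
    return sum;
}

int off_by_one(unsigned char *buf, size_t len)
{
    buf[len] = 1;                           /* one byte past the end: lands on the guard page */
    return 0;
}

int main(void)
{
    unsigned char data[4] = {1, 2, 3, 4};
    printf("sum_and_mark -> %d, data[0]=0x%02x\n",
           sbm_call(sum_and_mark, data, sizeof data), data[0]);
    unsigned char data2[4] = {1, 2, 3, 4};
    int rc = sbm_call(off_by_one, data2, sizeof data2);
    printf("off_by_one -> %d (%s), data2[0]=%d\n",
           rc, rc == -EFAULT ? "-EFAULT" : "?", data2[0]);
    /* Execution continues normally after the recovered fault. */
    printf("sum_and_mark again -> %d\n", sbm_call(sum_and_mark, data, sizeof data));
    return 0;
}
```

The design point the model shares with the proposal is that the caller's memory is never handed to the component directly: only the copy is reachable, the copy is written back only when the call completes, and an out-of-bounds access becomes an ordinary error return instead of silent corruption of unrelated memory. The guard page only catches overruns past the copy's end (and underruns only when the copy fills its pages exactly), which is why the copy is right-aligned in the mapping.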