SandBox Mode is a new way to mitigate kernel memory corruption vulnerabilities by executing possibly buggy code in its own address space. Any attempt to write outside the designated memory areas results in aborting the sandboxed function, leaving the kernel memory intact. While other similar solutions exist, this is the first one which ticks multiple boxes at the same time: it is 100% precise like KASAN but suitable for production; it is as effective as HEKI, but works without a hypervisor or even virtualization support in hardware. And, most importantly, it incurs zero overhead for code that is not sandboxed. Its current limitation is that it requires some effort to adapt functions to be sandboxed and let them communicate with the rest of the kernel. It also requires developers to clearly define which data should be accessible from the sandbox. An example use case is parsing user-controlled data (such as security keys, or a boot logo). The talk aims at getting feedback from kernel developers on the concept, and on the way the sandbox is enforced.
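The rule the abstract describes (a function gets exactly one writable area, and any write elsewhere aborts the function instead of corrupting the caller) can be modelled in user space with fork() and mprotect(). The following C program is an added illustration written for this page; it is not code from the SandBox Mode patch set and does not use its kernel API. The record format, the `sbm_*` names, the `parse_buggy`/`parse_fixed` parsers and the use of a read-only page to stand in for "the rest of the kernel" are all constructed for the demonstration.

```c
/* User-space model of SandBox Mode's core rule: run a possibly buggy parser
 * in its own address space (here: a forked child), give it exactly one
 * writable output region, and abort it on any write elsewhere. Constructed
 * illustration, not the kernel patch set's code. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SBM_OK = 0, SBM_EINVAL = 1, SBM_FAULT = 2, SBM_SYSERR = 3 };

/* Signature the sandbox runs: parse `in`, write results only into `out`. */
typedef int (*sbm_fn)(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen);

/* Two adjacent pages in one MAP_SHARED mapping: page 0 is the designated
 * output area, page 1 stands in for "the rest of the kernel". Shared, so the
 * parent can inspect both after the child exits. */
struct sbm_arena { uint8_t *out; uint8_t *kernel; size_t page; };

int sbm_last_intact = -1;   /* set by sbm_demo(): did the "kernel" page survive? */

static int sbm_arena_init(struct sbm_arena *a) {
    a->page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, 2 * a->page, PROT_READ | PROT_WRITE,
                      MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    a->out = p;
    a->kernel = p + a->page;
    memset(a->kernel, 0xAA, a->page);   /* sentinel pattern to detect corruption */
    return 0;
}

static int sbm_kernel_intact(const struct sbm_arena *a) {
    for (size_t i = 0; i < a->page; i++)
        if (a->kernel[i] != 0xAA) return 0;
    return 1;
}

/* Run fn in a child. With enforce=1 the "kernel" page is read-only there, so a
 * stray write raises SIGSEGV, the child dies and the parent reports SBM_FAULT
 * with its own memory untouched. enforce=0 models running the parser
 * unsandboxed: the same stray write silently lands in the shared page. */
static int sbm_call(struct sbm_arena *a, sbm_fn fn, int enforce,
                    const uint8_t *in, size_t inlen) {
    pid_t pid = fork();
    if (pid < 0) return SBM_SYSERR;
    if (pid == 0) {
        if (enforce && mprotect(a->kernel, a->page, PROT_READ) != 0)
            _exit(SBM_SYSERR);
        _exit(fn(in, inlen, a->out, a->page) == 0 ? SBM_OK : SBM_EINVAL);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return SBM_SYSERR;
    if (WIFSIGNALED(status)) return SBM_FAULT;
    return WEXITSTATUS(status);
}

/* Constructed toy record format: u32 offset, u32 value; the parser stores
 * value at out[offset]. */
struct rec { uint32_t off; uint32_t val; };

/* Buggy version: trusts the user-controlled offset. */
static int parse_buggy(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen) {
    struct rec r;
    (void)outlen;                       /* bounds check missing */
    if (inlen < sizeof r) return -1;
    memcpy(&r, in, sizeof r);
    memcpy(out + r.off, &r.val, sizeof r.val);
    return 0;
}

/* Fixed version: rejects offsets outside the designated output area. */
static int parse_fixed(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen) {
    struct rec r;
    if (inlen < sizeof r) return -1;
    memcpy(&r, in, sizeof r);
    if (r.off > outlen - sizeof r.val) return -1;
    memcpy(out + r.off, &r.val, sizeof r.val);
    return 0;
}

/* Drive one scenario; returns the sandbox verdict and sets sbm_last_intact. */
int sbm_demo(int buggy, int hostile, int enforce) {
    struct sbm_arena a;
    if (sbm_arena_init(&a) != 0) return SBM_SYSERR;
    /* hostile input points just past the output page, into "kernel" memory */
    struct rec r = { hostile ? (uint32_t)a.page + 8 : 16, 0x41424344u };
    uint8_t in[sizeof r];
    memcpy(in, &r, sizeof r);
    int rc = sbm_call(&a, buggy ? parse_buggy : parse_fixed, enforce, in, sizeof in);
    sbm_last_intact = sbm_kernel_intact(&a);
    munmap(a.out, 2 * a.page);
    return rc;
}

int main(void) {
    static const char *name[] = { "ok", "einval", "fault", "syserr" };
    int rc;
    rc = sbm_demo(1, 1, 1); printf("buggy+hostile, sandboxed:   %s, kernel intact=%d\n", name[rc], sbm_last_intact);
    rc = sbm_demo(1, 1, 0); printf("buggy+hostile, unsandboxed: %s, kernel intact=%d\n", name[rc], sbm_last_intact);
    rc = sbm_demo(0, 1, 1); printf("fixed+hostile, sandboxed:   %s, kernel intact=%d\n", name[rc], sbm_last_intact);
    rc = sbm_demo(1, 0, 1); printf("buggy+benign,  sandboxed:   %s, kernel intact=%d\n", name[rc], sbm_last_intact);
    return 0;
}
```

The four scenarios in main() map onto the abstract's claims: the buggy parser on hostile input is aborted with the sentinel page untouched when enforced, while the same code run unsandboxed silently corrupts that page; the fixed parser rejects the input without needing the sandbox at all; and benign input passes through unchanged. The part the real design has to solve and this model glosses over is the "designated memory areas" contract: here the output page is the only thing the parser is allowed to touch, which is exactly the per-function data definition the abstract says developers must supply.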
Petr Tesarik started using Linux as a high school student in 1996. He joined SUSE Level 3 Support in 2006. In 2018 he moved to SUSE Labs and became team lead of Hardware Enablement. He has been a freelancer since 2023, currently paid to work on the Linux kernel for the open-source...