Software Mechanisms

Put the untrusted part (or the security-critical part) into a box using software alone, with no hardware isolation mechanism. Examples:

  • Process-based or thread-based isolation
  • SFI and its variants
  • Language-based separation
  • Fidelius Charm: Isolating Unsafe Rust Code
  • Reference: Fidelius Charm: Isolating Unsafe Rust Code. CODASPY, 2018. Rust loses its memory-safety guarantee as soon as any unsafe block executes. Fidelius Charm (FC) limits how much of the program's memory is reachable while an unsafe library runs: sensitive program data is moved to protected pages before entering unsafe code; a userspace library call (e.g. fc_immutable) invokes the mprotect system call to change the page permission bits and switch into isolated mode; the unsafe code then runs unmodified; when it completes, another call into the userspace library restores visibility of the protected state.
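The lock / call / unlock protocol above, as an added example that is not the Fidelius Charm paper's code. FC targets Rust; the mechanism is shown here in C because it is a plain mprotect sequence around a call into untrusted code. The secret gets its own page-aligned mapping, is made inaccessible (PROT_NONE here, a stricter assumption than FC's read-only fc_immutable mode) for the duration of the call, and is restored afterwards. The `untrusted_peek` function, the SIGSEGV/SIGBUS trampoline and the sample secret are all constructed for the demo:

```c
/* Added example (not the Fidelius Charm paper's code): protect sensitive data
 * with mprotect, call untrusted code unmodified, restore. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Sensitive state gets its own page-aligned mapping so mprotect covers exactly it. */
typedef struct {
    unsigned char *page;
    size_t         len;
} secret_t;

static secret_t secret_alloc(size_t len) {
    secret_t s;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    s.len  = (len + pg - 1) / pg * pg;
    s.page = mmap(NULL, s.len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s.page == MAP_FAILED) { perror("mmap"); exit(1); }
    return s;
}

/* Enter isolated mode: the secret becomes inaccessible. (Assumption: PROT_NONE;
 * FC's fc_immutable keeps the pages readable.) */
static int secret_lock(secret_t *s)   { return mprotect(s->page, s->len, PROT_NONE); }
/* Leave isolated mode: restore the program's normal view of its memory. */
static int secret_unlock(secret_t *s) { return mprotect(s->page, s->len, PROT_READ | PROT_WRITE); }

/* A blocked access raises SIGSEGV (SIGBUS on some platforms). Catch it so the
 * violation can be reported instead of killing the process. */
static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Stand-in for an unsafe library (constructed): tries to read the first byte
 * of `p`. Returns the byte, or -1 if page protection blocked the access. */
static int untrusted_peek(const unsigned char *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);

    volatile int result = -1;
    if (sigsetjmp(fault_env, 1) == 0)
        result = *(volatile const unsigned char *)p;   /* faults while locked */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    return result;
}

/* The FC-style wrapper: protect, run the unsafe code unmodified, restore. */
static int call_isolated(secret_t *s, int (*unsafe_fn)(const unsigned char *),
                         const unsigned char *arg) {
    if (secret_lock(s) != 0) return -2;
    int r = unsafe_fn(arg);
    if (secret_unlock(s) != 0) return -3;
    return r;
}

/* Returns 0 when the protocol behaves: blocked inside the call, readable after. */
static int demo(void) {
    secret_t s = secret_alloc(32);
    memcpy(s.page, "constructed-secret", 18);          /* constructed sample data */
    int inside = call_isolated(&s, untrusted_peek, s.page);
    int after  = untrusted_peek(s.page);
    munmap(s.page, s.len);
    return (inside == -1 && after == 'c') ? 0 : 1;
}

int main(void) {
    int rc = demo();
    printf("isolation %s\n", rc == 0 ? "enforced" : "FAILED");
    return rc;
}
```

The part that makes this cheap is that only the protected pages change state; the unsafe code itself is untouched, which is why FC can wrap existing libraries. The cost is the pair of mprotect calls (TLB shootdowns) per isolated call, and anything the unsafe code legitimately needs must be passed in rather than left on the protected pages.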

  • Byte-granularity SFI (BGI)
  • Reference: Fast Byte-Granularity Software Fault Isolation. SOSP, 2009. Byte-Granularity Isolation (BGI) is implemented as a compiler plug-in that generates instrumented code for kernel extensions, plus an interposition library that mediates communication between the extensions and the kernel. BGI runs extensions in separate protection domains that share the kernel's address space. It associates an access control list (ACL) with each byte of virtual memory, listing which domains may access that byte and how they may access it.
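The per-byte ACL and the two places it is consulted, as an added example that is not BGI's own code. The compiler plug-in's job is modelled by `ext_write`/`ext_read`, which check every byte of a range before touching it; the interposition library's job by `bgi_set_rights`, which the kernel side calls to lend a buffer to an extension and take it back. The table layout (one entry per byte, domain id plus rights bits) is a simplification of BGI's packed table, and the ownership and type rights BGI also tracks are omitted; the scenario's addresses and payload are constructed:

```c
/* Added example (not BGI's own code): a byte-granularity ACL table, the check
 * emitted before extension memory accesses, and the kernel-side grant/revoke. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   256u   /* toy address space covered by the table */
#define DOM_KERNEL 0u     /* domain id of the kernel itself */

/* Access rights. BGI also tracks ownership and type rights (icall, ...); omitted. */
enum { R_READ = 1u, R_WRITE = 2u };

/* One entry per byte (simplification: BGI packs one entry per 8-byte slot
 * in the common case). */
typedef struct { uint8_t domain; uint8_t rights; } acl_entry;

static acl_entry acl[MEM_SIZE];
static uint8_t   memory[MEM_SIZE];

static void bgi_reset(void) {
    memset(acl, 0, sizeof acl);        /* everything kernel-owned, no extension rights */
    memset(memory, 0, sizeof memory);
}

static bool in_range(uint32_t addr, uint32_t len) {
    return len != 0 && addr <= MEM_SIZE && len <= MEM_SIZE - addr;
}

/* Interposition library: hand rights on [addr, addr+len) to `domain`.
 * Naming DOM_KERNEL as the owner takes the bytes back from any extension. */
static bool bgi_set_rights(uint8_t domain, uint32_t addr, uint32_t len, uint8_t rights) {
    if (!in_range(addr, len)) return false;
    for (uint32_t a = addr; a < addr + len; a++) {
        acl[a].domain = domain;
        acl[a].rights = rights;
    }
    return true;
}

/* The check instrumented before every extension memory access: every byte of
 * the range must belong to the accessing domain with the requested rights. */
static bool bgi_check(uint8_t domain, uint32_t addr, uint32_t len, uint8_t want) {
    if (!in_range(addr, len)) return false;
    for (uint32_t a = addr; a < addr + len; a++)
        if (acl[a].domain != domain || (acl[a].rights & want) != want) return false;
    return true;
}

/* Instrumented store/load as emitted for extension code running in domain `dom`. */
static bool ext_write(uint8_t dom, uint32_t addr, const uint8_t *src, uint32_t len) {
    if (!bgi_check(dom, addr, len, R_WRITE)) return false;   /* BGI would halt the extension */
    memcpy(&memory[addr], src, len);
    return true;
}
static bool ext_read(uint8_t dom, uint32_t addr, uint8_t *dst, uint32_t len) {
    if (!bgi_check(dom, addr, len, R_READ)) return false;
    memcpy(dst, &memory[addr], len);
    return true;
}

/* Scenario: the kernel lends extension 1 a 4-byte buffer for one call.
 * Returns a bitmask of the checks that behaved as expected (15 = all four). */
static int scenario(void) {
    const uint8_t ext = 1;
    const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed input */
    uint8_t out[4];
    int ok = 0;
    bgi_reset();

    /* 1. Nothing granted yet: the store is refused. */
    if (!ext_write(ext, 16, payload, 4)) ok |= 1;

    /* 2. Kernel grants [16,20) to the extension for the duration of the call. */
    bgi_set_rights(ext, 16, 4, R_READ | R_WRITE);
    if (ext_write(ext, 16, payload, 4) && memory[19] == 0xef) ok |= 2;

    /* 3. Byte granularity: a store running one byte past the grant is refused
     *    as a whole, so the kernel's byte at 20 stays untouched. */
    if (!ext_write(ext, 17, payload, 4) && memory[20] == 0) ok |= 4;

    /* 4. The call returns: the kernel revokes the grant and later loads fail. */
    bgi_set_rights(DOM_KERNEL, 16, 4, R_READ | R_WRITE);
    if (!ext_read(ext, 16, out, 4)) ok |= 8;

    return ok;
}

int main(void) {
    int ok = scenario();
    printf("BGI scenario: check bitmask 0x%x (0xf = all passed)\n", ok);
    return ok == 15 ? 0 : 1;
}
```

Step 3 is the point of byte granularity: a page- or object-granular scheme would either refuse the whole buffer or expose the neighbouring kernel byte; BGI can express "exactly these four bytes, for exactly this domain, until the call returns".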

  • uSFI
  • Reference: uSFI: Ultra-Lightweight Software Fault Isolation for IoT-Class Devices. DATE, 2018.

  • Google Native Client Sandboxing
  • Reference: NaCl, PNaCl. Original NaCl inner sandbox (the NaCl module): the code section is read-only and statically linked, and is conceptually divided into fixed-size bundles of 32 bytes. All valid instructions are reachable by a disassembly starting at a bundle beginning. Every indirect control-flow instruction is replaced by a multi-instruction sequence (a pseudo-instruction) that masks the target address so that it is aligned to a bundle boundary. No instruction or pseudo-instruction in the binary crosses a bundle boundary.
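The bundle rules above as a validator, an added example that is not NaCl's own validator. x86 decoding is out of scope, so the `insn` records stand in for decoder output (offset, length, kind, register, direct target); the instruction streams and the byte lengths used for them (`and $-32,%reg` = 3 bytes, `jmp *%reg` = 2 bytes) are constructed. The four rules checked are contiguity from offset 0 (so every bundle start is an instruction start), no instruction crossing a 32-byte boundary, every indirect jump immediately preceded by the mask of its register with the pair inside one bundle, and direct jumps landing only on instruction starts that are not the jmp half of a pseudo-instruction. Range restriction of the target (segmentation on x86-32, base register on x86-64) is omitted:

```c
/* Added example (not NaCl's validator): the inner-sandbox bundle rules checked
 * over an already-decoded instruction stream. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUNDLE 32u

typedef enum { INSN_OTHER, INSN_MASK, INSN_INDIRECT_JMP, INSN_DIRECT_JMP } insn_kind;

typedef struct {
    uint32_t  off;     /* offset of first byte in the code section */
    uint32_t  len;     /* encoded length in bytes */
    insn_kind kind;
    uint8_t   reg;     /* register masked / jumped through */
    uint32_t  target;  /* direct-jump destination */
} insn;

typedef enum {
    V_OK = 0,
    V_GAP,               /* stream is not contiguous from offset 0 to code_len */
    V_CROSSES_BUNDLE,    /* an instruction straddles a 32-byte boundary */
    V_UNMASKED_INDIRECT, /* indirect jump not preceded by the mask of its register */
    V_PSEUDO_SPLIT,      /* and+jmp pseudo-instruction straddles a bundle boundary */
    V_BAD_DIRECT_TARGET  /* direct jump into the middle of an instruction or pseudo-insn */
} verdict;

/* What the pseudo-instruction does at run time: clear the low bits so the
 * target is a bundle start (range restriction omitted). */
static uint32_t mask_target(uint32_t addr) { return addr & ~(BUNDLE - 1u); }

static bool crosses_bundle(uint32_t off, uint32_t len) {
    return (off % BUNDLE) + len > BUNDLE;
}

/* Index of the instruction starting exactly at `addr`, or -1. */
static long insn_at(const insn *code, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n; i++)
        if (code[i].off == addr) return (long)i;
    return -1;
}

static verdict validate(const insn *code, size_t n, uint32_t code_len) {
    uint32_t next = 0;
    for (size_t i = 0; i < n; i++) {
        const insn *in = &code[i];
        /* Linear disassembly must cover the section with no gaps, so every
         * bundle start is an instruction start. */
        if (in->off != next || in->len == 0) return V_GAP;
        next = in->off + in->len;
        if (crosses_bundle(in->off, in->len)) return V_CROSSES_BUNDLE;

        if (in->kind == INSN_INDIRECT_JMP) {
            if (i == 0 || code[i - 1].kind != INSN_MASK || code[i - 1].reg != in->reg)
                return V_UNMASKED_INDIRECT;
            /* The and+jmp pair is one pseudo-instruction: same bundle rule. */
            if (crosses_bundle(code[i - 1].off, code[i - 1].len + in->len))
                return V_PSEUDO_SPLIT;
        } else if (in->kind == INSN_DIRECT_JMP) {
            long t = insn_at(code, n, in->target);
            /* Must begin an instruction and must not skip the mask of a pseudo-insn. */
            if (t < 0 || code[t].kind == INSN_INDIRECT_JMP) return V_BAD_DIRECT_TARGET;
        }
    }
    return next == code_len ? V_OK : V_GAP;
}

/* Constructed streams: {off, len, kind, reg, target}. */
static verdict check_valid(void) {
    static const insn code[] = {
        {  0,  5, INSN_OTHER,        0, 0 },
        {  5,  3, INSN_MASK,         0, 0 },   /* and $0xffffffe0, %eax */
        {  8,  2, INSN_INDIRECT_JMP, 0, 0 },   /* jmp *%eax */
        { 10, 22, INSN_OTHER,        0, 0 },   /* padding to the bundle end */
        { 32,  5, INSN_DIRECT_JMP,   0, 5 },   /* direct jump to the and at 5 */
        { 37, 27, INSN_OTHER,        0, 0 },
    };
    return validate(code, sizeof code / sizeof code[0], 64);
}
static verdict check_crossing(void) {
    static const insn code[] = { { 0, 30, INSN_OTHER, 0, 0 }, { 30, 4, INSN_OTHER, 0, 0 },
                                 { 34, 30, INSN_OTHER, 0, 0 } };
    return validate(code, 3, 64);
}
static verdict check_unmasked(void) {
    static const insn code[] = { { 0, 2, INSN_INDIRECT_JMP, 0, 0 }, { 2, 30, INSN_OTHER, 0, 0 } };
    return validate(code, 2, 32);
}
static verdict check_split(void) {
    static const insn code[] = { { 0, 29, INSN_OTHER, 0, 0 }, { 29, 3, INSN_MASK, 0, 0 },
                                 { 32, 2, INSN_INDIRECT_JMP, 0, 0 }, { 34, 30, INSN_OTHER, 0, 0 } };
    return validate(code, 4, 64);
}
static verdict check_bad_direct(void) {
    static const insn code[] = { { 0, 5, INSN_DIRECT_JMP, 0, 8 }, { 5, 3, INSN_MASK, 0, 0 },
                                 { 8, 2, INSN_INDIRECT_JMP, 0, 0 }, { 10, 22, INSN_OTHER, 0, 0 } };
    return validate(code, 4, 32);   /* target 8 is the jmp half of a pseudo-insn */
}

int main(void) {
    printf("valid=%d crossing=%d unmasked=%d split=%d bad_direct=%d mask(0x1234)=0x%x\n",
           check_valid(), check_crossing(), check_unmasked(), check_split(),
           check_bad_direct(), mask_target(0x1234));
    return check_valid() == V_OK ? 0 : 1;
}
```

The `check_split` case is why the pseudo-instruction is treated as a single unit: if the `and` ended one bundle and the `jmp` began the next, a masked indirect jump could land on the `jmp` with the register unmasked, and the alignment guarantee would be gone.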

Created Oct 12, 2019 // Last Updated Dec 19, 2020
