SandCell: Sandboxing Rust Beyond Unsafe Code

Jialun Zhang, Merve Gulmez, Thomas Nyman, Gang Tan

TL;DR

SandCell tackles the challenge of memory safety in Rust by introducing a flexible, compiler-based sandboxing approach that can isolate both safe and unsafe code along syntactic boundaries (functions, modules, crates) and per-invocation run-time instances. It combines a data-flow-informed instrumentation pass with in-process sandboxing (SDRaD-v2) and a shared data-domain allocator to minimize cross-boundary data copying, achieving memory isolation without sacrificing too much performance. The design supports multiple specification strategies (library-, user-, and input-oriented) and provides strong containment guarantees against known exploits and soundness vulnerabilities, while keeping integration effort modest. Empirically, SandCell demonstrates safety benefits across real Rust crates and libraries with varying data-transfer patterns, achieving competitive overheads that are often lower than those of process-based or copy-based sandboxing approaches, and showing tangible applicability to real-world Rust software stacks.

Abstract

Rust is a modern systems programming language that ensures memory safety by enforcing ownership and borrowing rules at compile time. While the unsafe keyword allows programmers to bypass these restrictions, it introduces significant risks. Various approaches for isolating unsafe code to protect safe Rust from vulnerabilities have been proposed, yet these methods provide only fixed isolation boundaries and do not accommodate expressive policies that require sandboxing both safe and unsafe code. This paper presents SandCell for flexible and lightweight isolation in Rust by leveraging existing syntactic boundaries. SandCell allows programmers to specify which components to sandbox with minimal annotation effort, enabling fine-grained control over isolation. The system also introduces novel techniques to minimize overhead when transferring data between sandboxes. Our evaluation demonstrates SandCell's effectiveness in preventing vulnerabilities across various Rust applications while maintaining reasonable performance overheads.

Paper Structure

This paper contains 78 sections, 6 figures, 11 tables.

Figures (6)

  • Figure 1: A simplified web server. In Rust, modules (the keyword mod) are used to organize definitions such as functions and types.
  • Figure 2: A SandCell specification example.
  • Figure 3: SandCell run-time architecture.
  • Figure 4: Node and edge types in the dataflow graph.
  • Figure 5: Execution Time of compress() and uncompress() for SandCell, SandCrust, SDRaD-FFI with SDRaD-v1, SDRaD-FFI with SDRaD-v2, Baseline, and Baseline with mimalloc allocator
  • ...and 1 more figure