SPRADK2 November 2024 F29H850TU, F29H859TU-Q1
Use Sandboxes in SysConfig to define groups of Application Modules that must be security-isolated from the rest of the application. Each Sandbox is associated with one SSU STACK and contains at least one Application Module plus an AP range for its stack memory. Every LINK associated with an Application Module in the Sandbox has read-write access to the Sandbox stack memory; all other LINKs have no access. Each Sandbox is also associated with exactly one debug ZONE.
SysConfig defines a SECURE_GROUP in the linker command file for each Sandbox. This setting makes the linker require protected calls for every function call from another STACK into the Sandbox STACK; by default, any unprotected call into a SECURE_GROUP is a linker error. SysConfig offers an option to auto-generate the trampolines and landing calls needed to satisfy the protected-call requirement. When that option is enabled, review the linker map file to confirm that no unintended cross-STACK trampolines into untrusted code were generated.
__attribute__((c29_protected_call)) to the function definition.
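The following is an added example, not code from SPRADK2 or from TI's SDK, showing how a Sandbox module might expose a single protected-call entry point and treat it as a trust boundary: the attribute from the page is applied to the definition through a hypothetical SANDBOX_ENTRY macro (the __C29__ guard macro is an assumption so the file also builds on other compilers), and the key bytes and keyed checksum are constructed placeholders, not a real MAC.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical portability shim: emit the C29 attribute only when building
 * with the TI C29 toolchain (the __C29__ macro name is an assumption, not
 * taken from the page); other compilers see an ordinary function. */
#ifdef __C29__
#define SANDBOX_ENTRY __attribute__((c29_protected_call))
#else
#define SANDBOX_ENTRY
#endif

/* Constructed stand-in for the Sandbox's private data: a key slot that only
 * code running in this STACK's LINKs may touch. Nothing outside the
 * Sandbox gets a pointer to it; only derived values cross the boundary. */
static const uint8_t sandbox_key[16] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
#define SANDBOX_KEY_LEN (sizeof sandbox_key)
#define SANDBOX_TAG_LEN 4u

/* Status codes returned across the STACK boundary. */
enum sandbox_status { SANDBOX_OK = 0, SANDBOX_EBADARG = -1 };

/* Protected-call target: the only way other STACKs reach this Sandbox.
 * Callers are untrusted from the Sandbox's point of view, so every argument
 * is validated before use instead of trusting the caller's pointers or
 * lengths. Returns SANDBOX_OK and fills `tag`, or SANDBOX_EBADARG. */
SANDBOX_ENTRY int sandbox_mac_tag(const uint8_t *msg, size_t len,
                                  uint8_t *tag, size_t tag_len)
{
    if (msg == NULL || tag == NULL || len == 0 || tag_len != SANDBOX_TAG_LEN)
        return SANDBOX_EBADARG;

    /* Constructed toy keyed checksum (FNV-style mixing with the private key);
     * stands in for a real MAC, which a production Sandbox would use. */
    uint32_t acc = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        acc ^= (uint32_t)(msg[i] ^ sandbox_key[i % SANDBOX_KEY_LEN]);
        acc *= 16777619u;
    }
    for (size_t i = 0; i < SANDBOX_TAG_LEN; i++)
        tag[i] = (uint8_t)(acc >> (8 * i));
    return SANDBOX_OK;
}
```

Other STACKs call sandbox_mac_tag through the linker-generated trampoline and landing call; the key never leaves the Sandbox stack memory.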