Programming and deployment models for cloud native applications have shifted from virtual machines (VMs), to container-based microservices, and now serverless function-as-service (FaaS) applications, yet security concerns for cloud native applications remain. Tenants must trust bespoke and opaque software security mechanisms in large cloud stacks; cloud providers must protect themselves from untrusted tenant code with heavy-weight mechanisms. A key open research challenge is therefore how to design appropriate isolation mechanisms that can be used to compartmentalise cloud native applications and also shield them from the rest of a complex, untrusted cloud software stack.
We believe that hardware-based capabilities, as offered by Arm CHERI hardware, can act as a building block for lightweight yet principled isolation abstractions, and can be used to compartmentalise the full cloud stack including cloud native applications. By leveraging hardware capabilities for isolation, it becomes possible to give unprivileged userspace code strong guarantees about isolation and the impact by the rest of the untrusted cloud stack. The CloudCAP project will conduct research at the intersection of systems and programming languages. Its overall goal is to investigate and devise new abstractions and mechanisms for capability-based hardware to support flexible, lightweight and scalable compartmentalisation as part of future cloud stacks and cloud native applications. The project will result in capability-based cloud compartments, a new abstraction that can express policies about the confidentiality and integrity of data and computation, both within, and across, the components of a cloud stack and cloud native applications. A fundamental contribution of CloudCAP will be that, through CHERI's capability hardware support, it will become possible to make cloud compartments practical: they will be implementable efficiently and be compatible with existing cloud stacks and programming language runtimes.
CHERI object-capability compartments are a new isolation technology using Arm CHERI hardware. Compartments reside in a program address-space and enable isolated execution of mutually-distrusted parts of the program: data and code of a compartment can be accessed only by the data and code. Taking into account the growing number of Arm-based servers, we imagine cloud systems in which CHERI object-capability compartments become a new building block for lightweight isolation abstractions.
In this project, we try to reconsider the whole cloud stack and incorporate compartments into it. We seek answers to the following questions: