Vasily Sartakov
Intravisor: Type-3 Hypervisor for Isolation and Sharing in Clouds
Sharing versus isolation is the fundamental tension in cloud systems. Cloud services must be isolated to prevent attacks on each other and on the cloud provider, yet they also need to communicate. Today, isolation between services is enforced either via Virtual Machines or via containers. In the former case, the virtualisation system provides strong isolation but high-overhead communication primitives; the latter may offer fast IPC but provides weak isolation with a huge Trusted Computing Base (TCB). A low TCB, fast IPC, and strong isolation are hard to achieve together because of a fundamental limitation of the isolation/sharing mechanism itself: the Memory Management Unit (MMU). The MMU is a privileged system element, so any communication across the boundaries it enforces requires a privileged intermediary. As a result, any implementation of cross-address-space communication requires switches into the privileged state, which are always costly in performance. Moreover, the MMU works at page granularity, so fine-grained data sharing between isolated services is either impossible or resource-inefficient. In the Intravisor project, we look for a different isolation mechanism to use as the base for fundamental system mechanisms. We use the hardware memory capabilities introduced in the CHERI architecture and build the isolation and sharing primitives on top of them. As a result, our cloud runtime offers low-overhead isolation, fast IPC that does not involve a privileged intermediary, and a low-TCB intermediary. In this talk, I will present the Intravisor project. I will discuss the rationale for its design, its components such as the de-privileged kernel and the new IPC primitives, the mechanisms for increasing memory density, and the system support for the effective deployment of short-lived services.