TL;DR
This paper introduces virtines, a hardware-efficient abstraction for isolating individual functions at the hardware level, enabling fine-grained security for applications like serverless computing with minimal code changes.
Contribution
The paper presents virtines, a novel function-level isolation abstraction built from hardware virtualization, a prototype extension to the C language, and an embeddable hypervisor, Wasp.
Findings
Virtines enable function isolation with acceptable performance overhead.
The prototype demonstrates easy integration with existing C codebases.
Hardware virtualization can be pushed to its limits for fine-grained isolation.
Abstract
An important class of applications, including programs that leverage third-party libraries, programs that use user-defined functions in databases, and serverless applications, benefit from isolating the execution of untrusted code at the granularity of individual functions or function invocations. However, existing isolation mechanisms were not designed for this use case; rather, they have been adapted to it. We introduce virtines, a new abstraction designed specifically for function granularity isolation, and describe how we build virtines from the ground up by pushing hardware virtualization to its limits. Virtines give developers fine-grained control in deciding which functions should run in isolated environments, and which should not. The virtine abstraction is a general one, and we demonstrate a prototype that adds extensions to the C language. We present a detailed…
