CAP-VMs: Capability-Based Isolation and Sharing for Microservices
Vasily A. Sartakov, Lluís Vilanova, David Eyers, Takahiro Shinagawa, Peter Pietzuch

TL;DR
This paper introduces cVMs, a capability-based VM abstraction that enhances isolation and data sharing efficiency in microservices on cloud platforms, leveraging hardware support for memory capabilities.
Contribution
cVMs utilize hardware memory capabilities to provide fine-grained isolation and sharing for microservices without requiring application code awareness, reducing complexity and overhead.
Findings
Low-overhead isolation of services like Redis and Python
Efficient data sharing through capability-based primitives
Prototype shows improved performance and security
Abstract
Cloud stacks must isolate application components, while permitting efficient data sharing between components deployed on the same physical host. Traditionally, the MMU enforces isolation and permits sharing at page granularity. MMU approaches, however, lead to cloud stacks with large TCBs in kernel space, and page granularity requires inefficient OS interfaces for data sharing. Forthcoming CPUs with hardware support for memory capabilities offer new opportunities to implement isolation and sharing at a finer granularity. We describe cVMs, a new VM-like abstraction that uses memory capabilities to isolate application components while supporting efficient data sharing, all without mandating application code to be capability-aware. cVMs share a single virtual address space safely, each having only capabilities to access its own memory. A cVM may include a library OS, thus minimizing its…
Taxonomy
Topics: Cloud Computing and Resource Management · Software System Performance and Reliability · Cloud Data Security Solutions
