Space-Control: Process-Level Isolation for Sharing CXL-based Disaggregated Memory
Kaustav Goswami, Sean Peisert, Venkatesh Akella, Jason Lowe-Power

TL;DR
Space-Control introduces a hardware-software co-design solution that provides fine-grained process-level memory isolation in CXL-based disaggregated memory systems, addressing a critical security gap with minimal performance impact.
Contribution
It presents a novel hardware-software co-design called Space-Control that enforces process-level isolation in shared disaggregated memory using authentication and access control mechanisms.
Findings
Achieves process-level isolation with up to 127 processes.
Incurs only 3.3% performance overhead in simulations.
Addresses a significant security gap in CXL memory sharing.
Abstract
Memory disaggregation via Compute Express Link (CXL) enables multiple hosts to share remote memory, improving utilization for data-intensive workloads. Today, virtual memory enables process-level isolation on a host and CXL enables host-level isolation. This creates a critical security gap: the absence of process-level memory isolation in shared disaggregated memory. We present Space-Control, a hardware-software co-design that provides fine-grained, process-level isolation for shared disaggregated memory. Space-Control authenticates execution context in the hardware, enforces access control on every memory access, and amortizes lookup times with a small cache. Our design allows up to 127 processes Simulation Toolkit (SST) based CXL model, Space-Control incurs minimal performance overhead of 3.3%, making shared disaggregated memory isolation practical.
Taxonomy
Topics: Security and Verification in Computing · Parallel Computing and Optimization Techniques · Distributed systems and fault tolerance
