Hardware and container virtualisations are the fundamental technologies of modern cloud stacks. While these technologies virtualise different layers of software and hardware, they have one common thing: they are quite inefficient in terms of communication between isolated entities. The isolation relies on MMU and involves a privileged intermediary, which leads to heavy transitions or sharing data at the page granularity. The escape from this trap we see in the hardware capabilities introduced in CHERI. The CHERI architecture efficiently combines hardware memory capabilities with conventional MMU architectures. It gives not only safety to memory pointers, but also provides lightweight isolation mechanisms.
In this talk, I will present Introvisor, a lightweight hypervisor for microservices. It uses CHERI capabilities for isolation and data sharing, does not require software porting thus compatible with existing software, and provides strong security guarantees.
Speakers: Vasily A. Sartakov