CloudCAP: Capability-based Isolation for Cloud Native Applications

Lead Research Organisation: Imperial College London
Department Name: Computing


Programming and deployment models for cloud native applications have shifted from virtual machines (VMs), to container-based microservices, and now serverless function-as-service (FaaS) applications, yet security concerns for cloud native applications remain. Tenants must trust bespoke and opaque software security mechanisms in large cloud stacks; cloud providers must protect themselves from untrusted tenant code with heavy-weight mechanisms. A key open research challenge is therefore how to design appropriate isolation mechanisms that can be used to compartmentalise cloud native applications and also shield them from the rest of a complex, untrusted cloud software stack.

We believe that hardware-based capabilities, as offered by Arm CHERI hardware, can act as a building block for lightweight yet principled isolation abstractions, and can be used to compartmentalise the full cloud stack including cloud native applications. By leveraging hardware capabilities for isolation, it becomes possible to give unprivileged userspace code strong guarantees about isolation and the impact by the rest of the untrusted cloud stack. The CloudCAP project will conduct research at the intersection of systems and programming languages. Its overall goal is to investigate and devise new abstractions and mechanisms for capability-based hardware to support flexible, lightweight and scalable compartmentalisation as part of future cloud stacks and cloud native applications. The project will result in capability-based cloud compartments, a new abstraction that can express policies about the confidentiality and integrity of data and computation, both within, and across, the components of a cloud stack and cloud native applications. A fundamental contribution of CloudCAP will be that, through CHERI's capability hardware support, it will become possible to make cloud compartments practical: they will be implementable efficiently and be compatible with existing cloud stacks and programming language runtimes.

Planned Impact

Technology and Knowledge Impact: The CloudCAP project will pursue a two-pronged strategy and engage with cloud providers and cloud developers: (i) to impact cloud providers, CloudCAP will raise awareness regarding the benefits of hardware-backed compartmentalisation of cloud infrastructures and tenant applications. Through our collaboration with Microsoft, we will work towards making advanced compartmentalisation features commercially viable in today's clouds; and (ii) to impact cloud developers, the CloudCAP project will advocate that capability-based features should be adopted in next-generation programming languages. It will provide a cookbook of patterns that will educate programmers about trustworthy development and offer guidance when compartmentalising applications. The software developed as part of the CloudCAP project will be distributed as software releases on GitHub under a permissive open-source license. This will allow programmers to experiment with CloudCAP's cloud compartmentalisation approach.

Economic Impact: Security is a commercial imperative for cloud computing, and the CloudCAP project will open up new opportunities for UK cloud providers to differentiate themselves through bespoke security features. In addition, it will create new opportunities for SMEs, public organisations and the defence and security sectors to reduce "time-to-market" when developing security-critical applications and services. The project aims to enhance how UK companies migrate security-sensitive applications to cloud environments and develop new trustworthy cloud native applications. Finally, it may result in commercially exploitable IP.

People Impact: As part of the CloudCAP project, we will train researchers in advanced methods and techniques from systems and programming languages research. These skills are highly sought after in academia and industry. The project will also impact students by being incorporated into teaching activities at Imperial College London.

Social Impact: Through a collaboration with the Digital Security by Design Social Sciences Hub, the CloudCAP project will result in a better understanding of the perception and trust in hardware security features. By understanding concerns, it will become possible to increase the trustworthiness of future cloud infrastructures, specifically accounting for the expectations and needs of end users.


10 25 50

publication icon
Sartakov V.A. (2022) CAP-VMs: Capability-Based Isolation and Sharing in the Cloud in Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

publication icon
Sartakov V.A. (2023) ORC: Increasing Cloud Memory Density via Object Reuse with Capabilities in Proceedings of the 17th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2023

Description In the CloudCAP project, we are investigating how hardware with support for memory capabilities (as developed by Arm as part of the UKRI Digital Security by Design initiative) can be used to make future cloud computing environments more secure. The project has produced four key findings: (1) as part of the CubicleOS system, we have shown that it is, in principle, feasible to compartmentalise monolithic operating system kernels in userspace while relying on existing interfaces with minimal changes; (2) as part of the cVM/Intravisor work, we have demonstrated that capability models can be used to protect cloud computing applications with minimal changes; (3) through our work on ORC, we have also shown how memory capabilities can increase the memory density of cloud environments; and (4) our work on MDR has show that memory capabilities can be used to support sandboxed computation that protects the privacy of multi-party computation.
Exploitation Route We are currently exploring commercialisation routes for aspect of the work. We have contributed the open source code releases to the wider UKRI DSbD ecosystem.
Sectors Digital/Communication/Information Technologies (including Software)

Description There are various active commercialisation efforts of capability-based technologies in the DSbD ecosystem. The ideas developed by the CloudCAP project and the associated source code releases have influenced and shaped a number of commercial efforts.
First Year Of Impact 2021
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Economic