CloudCAP: Capability-based Isolation for Cloud Native Applications

Programming and deployment models for cloud native applications have shifted from virtual machines (VMs), to container-based microservices, and now serverless function-as-service (FaaS) applications, yet security concerns for cloud native applications remain. Tenants must trust bespoke and opaque software security mechanisms in large cloud stacks; cloud providers must protect themselves from untrusted tenant code with heavy-weight mechanisms. A key open research challenge is therefore how to design appropriate isolation mechanisms that can be used to compartmentalise cloud native applications and also shield them from the rest of a complex, untrusted cloud software stack.

We believe that hardware-based capabilities, as offered by Arm CHERI hardware, can act as a building block for lightweight yet principled isolation abstractions, and can be used to compartmentalise the full cloud stack including cloud native applications. By leveraging hardware capabilities for isolation, it becomes possible to give unprivileged userspace code strong guarantees about isolation and the impact by the rest of the untrusted cloud stack. The CloudCAP project will conduct research at the intersection of systems and programming languages. Its overall goal is to investigate and devise new abstractions and mechanisms for capability-based hardware to support flexible, lightweight and scalable compartmentalisation as part of future cloud stacks and cloud native applications. The project will result in capability-based cloud compartments, a new abstraction that can express policies about the confidentiality and integrity of data and computation, both within, and across, the components of a cloud stack and cloud native applications. A fundamental contribution of CloudCAP will be that, through CHERI's capability hardware support, it will become possible to make cloud compartments practical: they will be implementable efficiently and be compatible with existing cloud stacks and programming language runtimes.

Technology and Knowledge Impact: The CloudCAP project will pursue a two-pronged strategy and engage with cloud providers and cloud developers: (i) to impact cloud providers, CloudCAP will raise awareness regarding the benefits of hardware-backed compartmentalisation of cloud infrastructures and tenant applications. Through our collaboration with Microsoft, we will work towards making advanced compartmentalisation features commercially viable in today's clouds; and (ii) to impact cloud developers, the CloudCAP project will advocate that capability-based features should be adopted in next-generation programming languages. It will provide a cookbook of patterns that will educate programmers about trustworthy development and offer guidance when compartmentalising applications. The software developed as part of the CloudCAP project will be distributed as software releases on GitHub under a permissive open-source license. This will allow programmers to experiment with CloudCAP's cloud compartmentalisation approach.

Economic Impact: Security is a commercial imperative for cloud computing, and the CloudCAP project will open up new opportunities for UK cloud providers to differentiate themselves through bespoke security features. In addition, it will create new opportunities for SMEs, public organisations and the defence and security sectors to reduce "time-to-market" when developing security-critical applications and services. The project aims to enhance how UK companies migrate security-sensitive applications to cloud environments and develop new trustworthy cloud native applications. Finally, it may result in commercially exploitable IP.

People Impact: As part of the CloudCAP project, we will train researchers in advanced methods and techniques from systems and programming languages research. These skills are highly sought after in academia and industry. The project will also impact students by being incorporated into teaching activities at Imperial College London.

Social Impact: Through a collaboration with the Digital Security by Design Social Sciences Hub, the CloudCAP project will result in a better understanding of the perception and trust in hardware security features. By understanding concerns, it will become possible to increase the trustworthiness of future cloud infrastructures, specifically accounting for the expectations and needs of end users.