Groundhog: Efficient Request Isolation in FaaS

05/23/2022
by   Mohamed Alzayat, et al.
0

Security is a core responsibility for Function-as-a-Service (FaaS) providers. The prevailing approach has each function execute in its own container to isolate concurrent executions of different functions. However, successive invocations of the same function commonly reuse the runtime state of a previous invocation in order to avoid container cold-start delays when invoking a function. Although efficient, this container reuse has security implications for functions that are invoked on behalf of differently privileged users or administrative domains: bugs in a function's implementation, third-party library, or the language runtime may leak private data from one invocation of the function to subsequent invocations of the same function. Groundhog isolates sequential invocations of a function by efficiently reverting to a clean state, free from any private data, after each invocation. The system exploits two properties of typical FaaS platforms: each container executes at most one function at a time and legitimate functions do not retain state across invocations. This enables Groundhog to efficiently snapshot and restore function state between invocations in a manner that is independent of the programming language/runtime and does not require any changes to existing functions, libraries, language runtimes, or OS kernels. We describe the design of Groundhog and its implementation in OpenWhisk, a popular production-grade open-source FaaS framework. On three existing benchmark suites, Groundhog isolates sequential invocations with modest overhead on end-to-end latency (median: 1.5 an insecure baseline that reuses the container and runtime state.

READ FULL TEXT

page 9

page 15

page 16

research
03/01/2020

Retrofitting Fine Grain Isolation in the Firefox Renderer (Extended Version)

Firefox and other major browsers rely on dozens of third-party libraries...
research
03/28/2019

Mitigating Cold Starts in Serverless Platforms: A Pool-Based Approach

Rapid adoption of the serverless (or Function-as-a-Service, FaaS) paradi...
research
06/01/2022

Cooling Down FaaS: Towards Getting Rid of Warm Starts

Serverless execution and most notably the Function as a Service (FaaS) m...
research
10/01/2021

A Step Towards On-Path Security Function Outsourcing

Security function outsourcing has witnessed both research and deployment...
research
02/02/2018

Zero-Cost Coercions for Program and Proof Reuse

We introduce the notion of identity coercions between non-indexed and in...
research
01/16/2021

Benchmarking, Analysis, and Optimization of Serverless Function Snapshots

Serverless computing has seen rapid adoption due to its high scalability...
research
09/28/2021

Restructuring Serverless Computing with Data-Centric Function Orchestration

Serverless applications are usually composed of multiple short-lived, si...

Please sign up or login with your details

Forgot password? Click here to reset