Sandboxing Functions for Efficient and Secure Multi-tenant Serverless Deployments
Authors: 
Charalampos Mainas, Ioannis Plakas, Georgios Ntoutsos, Anastassios NanosAuthors Info & Claims
Pages 25 - 31
Abstract
Serverless computing has gained significant traction for its ability to streamline development workflows and optimize resource utilization. However, ensuring optimal performance and isolation for workloads in multi-tenant environments remains a critical challenge.
In this work, we identify the need for sandboxing mechanisms to extend the tenancy model of Knative and enhance the security and efficiency of multi-tenant serverless deployments. Existing solutions like gVisor and kata-containers provide a level of isolation but do not meet the requirements for allowing the execution of untrusted workloads in a Knative cluster.
We consider the option of unikernels in serverless environments. We build an end-to-end serverless system based on unikernels and compare its performance and isolation characteristics to existing sandbox solutions. Our initial findings demonstrate that existing sandbox mechanisms exhibit significant overheads. On the contrary, a unikernel-based solution offers a compelling balance between performance and security, achieving identical response times to generic containers.
References
[1]
2023. HTTP reply function in C. https://github.com/nubificus/app-httpreply/blob/nbfc-knative/main.c
[2]
2023. HTTP reply function in go. https://github.com/nubificus/helloworld-knative/blob/main/hello.go
[3]
2023. K8s tenancy model. https://kubernetes.io/blog/2021/04/15/three-tenancy-models-for-kubernetes/
[4]
2023. urunc: A unikernel container runtime. https://github.com/nubificus/urunc
[5]
Alexander Jung, Unikraft. 2022. Beyond Orchestration: The Cloud Native Runtimes Ecosystem for Performance and Security. https://kccncna2022.sched.com/event/182OM
[6]
Brendan Burns, Brian Grant, David Oppenheimer, Eric Brewer, and John Wilkes. 2016. Borg, Omega, and Kubernetes. Commun. ACM 59, 5 (apr 2016), 50--57.
[7]
James Cadden, Thomas Unger, Yara Awad, Han Dong, Orran Krieger, and Jonathan Appavoo. 2020. SEUSS: skip redundant paths to make serverless fast. In Proceedings of the Fifteenth European Conference on Computer Systems (Heraklion, Greece) (EuroSys '20). Association for Computing Machinery, New York, NY, USA, Article 32, 15 pages.
[8]
Henrique Fingler, Amogh Akshintala, and Christopher J. Rossbach. 2019. USETL: Unikernels for Serverless Extract Transform and Load Why should you settle for less?. In Proceedings of the 10th ACM SIGOPS Asia-Pacific Workshop on Systems (Hangzhou, China) (APSys '19). Association for Computing Machinery, New York, NY, USA, 23--30.
[9]
Gaulthier Gain, Cyril Soldani, Felipe Huici, and Laurent Mathy. 2022. Want more unikernels? inflate them!. In Proceedings of the 13th Symposium on Cloud Computing (San Francisco, California) (SoCC '22). Association for Computing Machinery, New York, NY, USA, 510--525.
[10]
Muhammed Golec, Guneet Kaur Walia, Mohit Kumar, Felix Cuadrado, Sukhpal Singh Gill, and Steve Uhlig. 2023. Cold start latency in serverless computing: A systematic review, taxonomy, and future directions. arXiv preprint arXiv:2310.08437 (2023).
[11]
Tim Goodwin, Andrew Quinn, and Lindsey Kuper. 2023. What goes wrong in serverless runtimes? A survey of bugs in Knative Serving. In Proceedings of the 1st Workshop on SErverless Systems, Applications and MEthodologies (Rome, Italy) (SESAME '23). Association for Computing Machinery, New York, NY, USA, 12--18.
[12]
Google. 2018. gVisor. Documentation website. https://gvisor.dev/docs/
[13]
Eric Jonas, Johann Schleier-Smith, Vikram Sreekanti, Chia-Che Tsai, Anurag Khandelwal, Qifan Pu, Vaishaal Shankar, Joao Carreira, Karl Krauth, Neeraja Yadwadkar, et al. 2019. Cloud programming simplified: A berkeley view on serverless computing. arXiv preprint arXiv:1902.03383 (2019).
[14]
Julian Friedman. 2020. Knative Threat Model. https://github.com/knative/community/blob/main/working-groups/security/threat-model.md
[15]
Kata Containers Community. 2019. kata-containers. Splash page. https://katacontainers.io
[16]
Simon Kuenzer, Vlad-Andrei Bădoiu, Hugo Lefeuvre, Sharan Santhanam, Alexander Jung, Gaulthier Gain, Cyril Soldani, Costin Lupu, Ştefan Teodorescu, Costi Răducanu, Cristian Banu, Laurent Mathy, Răzvan Deaconescu, Costin Raiciu, and Felipe Huici. 2021. Unikraft: fast, specialized unikernels the easy way. In Proceedings of the Sixteenth European Conference on Computer Systems (Online Event, United Kingdom) (EuroSys '21). Association for Computing Machinery, New York, NY, USA, 376--394.
[17]
Anil Madhavapeddy, Richard Mortier, Charalampos Rotsos, David Scott, Balraj Singh, Thomas Gazagnaire, Steven Smith, Steven Hand, and Jon Crowcroft. 2013. Unikernels: library operating systems for the cloud. SIGARCH Comput. Archit. News 41, 1 (mar 2013), 461--472.
[18]
Anil Madhavapeddy and David J. Scott. 2014. Unikernels: the rise of the virtual library operating system. Commun. ACM 57, 1 (jan 2014), 61--69.
[19]
Chetankumar Mistry, Bogdan Stelea, Vijay Kumar, and Thomas Pasquier. 2020. Demonstrating the Practicality of Unikernels to Build a Serverless Platform at the Edge. In 2020 IEEE International Conference on Cloud Computing Technology and Science (CloudCom). 25--32.
[20]
MITRE. 2024. CVE-list related to containers. CVE list of vulnerabilities related to the term 'containers'. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=containers
[21]
Felix Moebius, Tobias Pfandzelter, and David Bermbach. 2024. Are Unikernels Ready for Serverless on the Edge? arXiv:cs.DC/2403.00515
[22]
Michael Sammler, Deepak Garg, Derek Dreyer, and Tadeusz Litak. 2019. The high-level benefits of low-level sandboxing. Proc. ACM Program. Lang. 4, POPL, Article 32 (dec 2019), 32 pages.
[23]
Hossein Shafiei, Ahmad Khonsari, and Payam Mousavi. 2022. Serverless Computing: A Survey of Opportunities, Challenges, and Applications. ACM Comput. Surv. 54, 11s, Article 239 (nov 2022), 32 pages.
[24]
Zhiming Shen, Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan, Christina Delimitrou, Robbert Van Renesse, and Hakim Weatherspoon. 2019. X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers. In Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems (Providence, RI, USA) (ASPLOS '19). Association for Computing Machinery, New York, NY, USA, 121--135.
[25]
Vincent van Rijn and Jan S. Rellermeyer. 2021. A fresh look at the architecture and performance of contemporary isolation platforms. In Proceedings of the 22nd International Middleware Conference (Québec city, Canada) (Middleware '21). Association for Computing Machinery, New York, NY, USA, 323--335.
Index Terms
- Sandboxing Functions for Efficient and Secure Multi-tenant Serverless Deployments
Recommendations
High-density Multi-tenant Bare-metal Cloud
ASPLOS '20: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating SystemsVirtualization is the cornerstone of the infrastructure-as-a-service (IaaS) cloud, where VMs from multiple tenants share a single physical server. This increases the utilization of data-center servers, allowing cloud providers to provide cost-efficient ...
Multi-tenant, secure, load disseminated SaaS architecture
ICACT'10: Proceedings of the 12th international conference on Advanced communication technologyThe availability of high speed internet has diversified the way we used to intermingle with each other. The emergence of social networks and interactive web applications has left a dent in existing software and service delivery models. Software vendors ...
Supporting Multi-Provider Serverless Computing on the Edge
ICPP Workshops '18: Workshop Proceedings of the 47th International Conference on Parallel ProcessingServerless computing has recently emerged as a new execution model for cloud computing, in which service providers offer compute runtimes, also known as Function-as-a-Service (FaaS) platforms, allowing users to develop, execute and manage application ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
April 2024
46 pages
ISBN:9798400705458
DOI:10.1145/3642977
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 22 April 2024
Check for updates
Qualifiers
- Short-paper
Funding Sources
Conference
SESAME '24
Sponsor:
SESAME '24: 2nd Workshop on SErverless Systems, Applications and MEthodologies
April 22, 2024
Athens, Greece
Upcoming Conference
EuroSys '25
- Sponsor:
- sigops
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 131Total Downloads
- Downloads (Last 12 months)131
- Downloads (Last 6 weeks)19
Reflects downloads up to 13 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in