CAREER: Colony: A Framework for Bespoke Virtual Execution Contexts

职业：Colony：定制虚拟执行上下文的框架

• 批准号: 2239757
• 负责人: Kyle Hale
• 金额: $ 63.22万
• 依托单位: Illinois Institute of Technology
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-05-01 至 2028-04-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2239757&HistoricalAwards=false
• 关键词: CAREER; Colony; Framework; Bespoke; Virtual

Vulnerabilities present in software running on shared computing infrastructure (e.g., cloud datacenters) can result in significant economic losses, compromised user data, and weakened national security when such infrastructure does not properly separate programs from one another in secure, isolated compartments. While techniques do exist to ensure such isolation, they typically increase the engineering burden on programmers or trade off performance for security, limiting their effectiveness and reach. Today, programmers are deploying code on shared computing infrastructure in increasingly fine-grained units (e.g., serverless computing), making this trade off more severe over time. The off-the-shelf technologies, such as containers that isolation frameworks are often built on, were not designed for this fine-grained use case. This project thus aims to ensure both performance and security for code running on cloud infrastructure by designing new isolation mechanisms from the ground up using novel operating system, compiler, programming language, and virtualization technologies. The project will help produce more robust cloud computing infrastructure that is less susceptible to attack, less likely to leak sensitive user data, and more productive for programmers. If successful, potential impacts include reduced economic losses from compromised infrastructure, strengthened national security, and increased privacy for the broader public using cloud services. The project will also make contributions in education and broadening participation in the computing profession by enhancing educational content, injecting industry-relevant and applied content into the curriculum, increasing the representation of people from diverse backgrounds in computer systems research, revitalizing the computer systems curriculum at the PI’s institution, and fostering undergraduate research engagement. This project proposes Colony, a new software framework for lightweight, bespoke, virtualized execution contexts. Colony leverages novel execution abstractions customized for individual applications and designed for both performance and isolation. Colony contexts are synthesized using compiler analyses, and are exposed through a rich set of programming abstractions and programming language extensions. Colony builds on a new abstraction for isolated function execution, the virtualized subroutine, or virtine, along with an embeddable hypervisor. The goal of the Colony project is to achieve both high performance and strong isolation for individually isolated function contexts in a variety of applications. The project will explore various mechanisms to enable bespoke contexts, including virtualization mechanisms enhanced for optimized start-up performance, and programming models with novel language/compiler support. These bespoke contexts can be used for lighter-weight isolation than managed languages, giving them broad applicability to areas such as OS kernel drivers, third-party libraries, and database user-defined functions, as well as the more nascent serverless computing paradigm. The proposed work has potential to open up new lines of research in operating systems, virtualization, compilers, and system security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在共享计算基础设施上运行的软件中存在的漏洞（例如，云计算中心）可能导致重大的经济损失、泄露的用户数据以及削弱的国家安全，当这样的基础设施不能在安全、隔离的隔间中适当地将程序彼此分离时。虽然确实存在确保这种隔离的技术，但它们通常会增加程序员的工程负担，或者牺牲性能来换取安全性，从而限制了它们的有效性和范围。今天，程序员正在以越来越细粒度的单元（例如，无服务器计算），使得这种权衡随着时间的推移变得更加严重。现成的技术，例如隔离框架通常构建在其上的容器，并不是为这种细粒度用例而设计的。因此，该项目旨在通过使用新的操作系统、编译器、编程语言和虚拟化技术从头开始设计新的隔离机制，确保在云基础设施上运行的代码的性能和安全性。该项目将有助于产生更强大的云计算基础设施，不易受到攻击，不太可能泄露敏感的用户数据，并为程序员提供更高的生产力。如果成功，潜在的影响包括减少基础设施受损造成的经济损失，加强国家安全，以及使用云服务为更广泛的公众提供更多的隐私。该项目还将通过加强教育内容，将行业相关和应用内容注入课程，增加来自不同背景的人在计算机系统研究中的代表性，振兴PI机构的计算机系统课程，并促进本科生的研究参与，从而在教育和扩大计算机专业的参与方面做出贡献。这个项目提出了殖民地，一个新的轻量级，定制的，虚拟化的执行环境的软件框架。Colony利用了为单个应用程序定制的新颖的执行抽象，并为性能和隔离而设计。使用编译器分析合成殖民地上下文，并通过一组丰富的编程抽象和编程语言扩展暴露。Colony建立在一个新的隔离函数执行抽象之上，虚拟化子例程或virtine，沿着一个可嵌入的hypervisor。殖民地项目的目标是在各种应用程序中为单独隔离的功能上下文实现高性能和强隔离。该项目将探索各种机制来实现定制的上下文，包括为优化启动性能而增强的虚拟化机制，以及具有新颖语言/编译器支持的编程模型。这些定制的上下文可以用于比托管语言更轻的隔离，使它们广泛适用于操作系统内核驱动程序，第三方库和数据库用户定义函数等领域，以及更新生的无服务器计算范例。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。