
Details of Grant 

EPSRC Reference: EP/V000365/1
Title: CloudCAP: Capability-based Isolation for Cloud Native Applications
Principal Investigator: Pietzuch, Professor PR
Other Investigators:
Drossopoulou, Professor S
Researcher Co-Investigators:
Project Partners:
Microsoft
Department: Computing
Organisation: Imperial College London
Scheme: Standard Research
Starts: 01 October 2020
Ends: 30 September 2023
Value (£): 879,242
EPSRC Research Topic Classifications:
Computer Sys. & Architecture
Fundamentals of Computing
EPSRC Industrial Sector Classifications:
Information Technologies
Related Grants:
Panel History:
Panel Date: 06 Apr 2020
Panel Name: ISCF Digital Security by Design Research Projects
Outcome: Announced
Summary on Grant Application Form
Programming and deployment models for cloud native applications have shifted from virtual machines (VMs) to container-based microservices, and now to serverless function-as-a-service (FaaS) applications, yet security concerns for cloud native applications remain. Tenants must trust bespoke and opaque software security mechanisms in large cloud stacks; cloud providers must protect themselves from untrusted tenant code with heavyweight mechanisms. A key open research challenge is therefore how to design appropriate isolation mechanisms that can be used to compartmentalise cloud native applications and also shield them from the rest of a complex, untrusted cloud software stack.

We believe that hardware-based capabilities, as offered by Arm CHERI hardware, can act as a building block for lightweight yet principled isolation abstractions, and can be used to compartmentalise the full cloud stack including cloud native applications. By leveraging hardware capabilities for isolation, it becomes possible to give unprivileged userspace code strong guarantees about isolation and about the impact of the rest of the untrusted cloud stack. The CloudCAP project will conduct research at the intersection of systems and programming languages. Its overall goal is to investigate and devise new abstractions and mechanisms for capability-based hardware to support flexible, lightweight and scalable compartmentalisation as part of future cloud stacks and cloud native applications. The project will result in capability-based cloud compartments, a new abstraction that can express policies about the confidentiality and integrity of data and computation, both within, and across, the components of a cloud stack and cloud native applications. A fundamental contribution of CloudCAP will be that, through CHERI's capability hardware support, it will become possible to make cloud compartments practical: they will be implementable efficiently and be compatible with existing cloud stacks and programming language runtimes.

Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Potential use in non-academic contexts
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Impacts
Description: This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Summary
Date Materialised
Sectors submitted by the Researcher
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Project URL:  
Further Information:  
Organisation Website: http://www.imperial.ac.uk