Controlled Shared Memory (COSM) Isolation: Design and Testbed Evaluation
| Main Authors: | |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/10976706/ |
| Summary: | Recent memory-sharing approaches, e.g., based on the Compute Express Link (CXL) standard, allow the flexible high-speed sharing of data (i.e., data communication) among multiple hosts. In information systems for sensitive data, the data sharing between hosts must be closely controlled. Security policies may require strict isolation, so-called air-gapping. However, strict isolation mechanisms are currently lacking in data communications based on shared memory. We propose the novel COntrolled Shared Memory (COSM) framework for strictly and dynamically controlling the data communication via shared memory approaches. We introduce the novel concept of COSM isolation, which restricts data communication via shared memory regions with first-level isolation based on a write-and-read permission matrix and second-level isolation based on data inspection. These isolation levels are enforced by the memory controller on an externally-attached shared memory device (ESMD). COSM isolation is thus generally more secure than the existing software-based isolation (e.g., virtual machine isolation of a hypervisor) and existing hardware-assisted isolation (e.g., single-root input/output virtualization). We implement COSM host-to-host isolation in a testbed with an ESMD built on a Field Programmable Gate Array (FPGA). We evaluate the host data write and read rates [bit/s] and latencies under various ESMD loads as well as write-and-read permission configurations. The introduced COSM isolation can serve as the foundation for a new sub-field of research within the information technology (IT) security research field. |
|---|---|
| ISSN: | 2169-3536 |