Security is a core responsibility for Function-as-a-Service (FaaS) providers. The prevailing approach has each function execute in its own container to isolate concurrent executions of different functions. However, successive invocations of the same function commonly reuse the runtime state of a previous invocation in order to avoid container cold-start delays when invoking a function. Although efficient, this container reuse has security implications for functions that are invoked on behalf of differently privileged users or administrative domains: bugs in a function's implementation, third-party library, or the language runtime may leak private data from one invocation of the function to subsequent invocations of the same function. Groundhog isolates sequential invocations of a function by efficiently reverting to a clean state, free from any private data, after each invocation. The system exploits two properties of typical FaaS platforms: each container executes at most one function at a time and legitimate functions do not retain state across invocations. This enables Groundhog to efficiently snapshot and restore function state between invocations in a manner that is independent of the programming language/runtime and does not require any changes to existing functions, libraries, language runtimes, or OS kernels. We describe the design of Groundhog and its implementation in OpenWhisk, a popular production-grade open-source FaaS framework. On three existing benchmark suites, Groundhog isolates sequential invocations with modest overhead on end-to-end latency (median: 1.5%, 95p: 7%) and throughput (median: 2.5%, 95p: 49.6%), relative to an insecure baseline that reuses the container and runtime state.
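The threat the abstract describes, and the property that makes snapshot/restore a fix for it, can be shown in a few dozen lines. The following is an added example and is not code from the Groundhog paper or from OpenWhisk: a "buggy" handler memoises the last secret it saw in runtime state (standing in for leftover heap or library state in a warm container), an insecure warm container runs invocations back-to-back in one process, and an isolated container runs each invocation in a fork of the pristine runtime and discards the child afterwards. The fork is a stand-in for a snapshot/restore mechanism, chosen because it is what a Python reader can run offline; it is not Groundhog's mechanism. All request contents are constructed sample data.

```python
import os
import pickle

# Simulated language-runtime state: a module-level cache that the handler
# never clears. It models leftover state in a warm container.
_RUNTIME_CACHE = {}


def cold_start():
    """Model a fresh container: runtime state is empty."""
    _RUNTIME_CACHE.clear()


def buggy_handler(request):
    """Tenant-facing function with a state-retention bug: it memoises the last
    secret it processed, so a later caller can observe an earlier caller's data."""
    if "secret" in request:
        _RUNTIME_CACHE["last_secret"] = request["secret"]
    return {"user": request["user"], "seen": _RUNTIME_CACHE.get("last_secret")}


def warm_container(requests):
    """Insecure baseline: sequential invocations share one process and its state."""
    cold_start()
    return [buggy_handler(r) for r in requests]


def _run_isolated(request):
    """Run one invocation in a forked child of the clean runtime. The parent's
    memory image is the 'snapshot'; exiting the child is the 'restore'."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: handle exactly one request, ship the result back, and vanish
        # with _exit so no parent cleanup code runs in the copy.
        os.close(rfd)
        try:
            payload = pickle.dumps(("ok", buggy_handler(request)))
        except Exception as exc:
            payload = pickle.dumps(("err", repr(exc)))
        os.write(wfd, payload)
        os.close(wfd)
        os._exit(0)
    # Parent: collect the result, reap the child, keep its own state untouched.
    os.close(wfd)
    chunks = []
    while True:
        chunk = os.read(rfd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    kind, value = pickle.loads(b"".join(chunks))
    if kind != "ok":
        raise RuntimeError(value)
    return value


def snapshot_restore_container(requests):
    """Each invocation starts from the same clean state; nothing the buggy
    handler stores survives into the next invocation."""
    cold_start()
    return [_run_isolated(r) for r in requests]


if __name__ == "__main__":
    # Constructed sample traffic: a privileged caller followed by another tenant.
    sample = [{"user": "alice", "secret": "alice-token"}, {"user": "bob"}]
    print("warm    :", warm_container(sample))
    print("isolated:", snapshot_restore_container(sample))
```

Running it shows bob's invocation receiving "alice-token" in the warm container and nothing in the isolated one, while alice still gets her own value back, since restoring only happens after an invocation completes. The example also illustrates the second property the abstract relies on: a function that legitimately kept state across invocations (a deliberate cache, a connection pool) would lose it under this scheme, which is why the approach is only safe to apply where functions are expected not to retain state.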