Space-Control: Process-Level Isolation for Sharing CXL-based Disaggregated Memory

Kaustav Goswami, Sean Peisert, Venkatesh Akella, Jason Lowe-Power

TL;DR

This work presents Space-Control, a hardware-software co-design that provides fine-grained, process-level isolation for shared disaggregated memory and allows up to 127 processes [...]; evaluated on a Structural Simulation Toolkit (SST) based CXL model, it makes shared disaggregated memory isolation practical.

Abstract

Memory disaggregation via Compute Express Link (CXL) enables multiple hosts to share remote memory, improving utilization for data-intensive workloads. Today, virtual memory provides process-level isolation on a host and CXL provides host-level isolation. This leaves a critical security gap: the absence of process-level memory isolation in shared disaggregated memory. We present Space-Control, a hardware-software co-design that provides fine-grained, process-level isolation for shared disaggregated memory. Space-Control authenticates the execution context in hardware, enforces access control on every memory access, and amortizes lookup times with a small cache. Our design allows up to 127 processes [...]. On a Structural Simulation Toolkit (SST) based CXL model, Space-Control incurs a minimal performance overhead of 3.3%, making shared disaggregated memory isolation practical.

Paper Structure (47 sections, 4 equations, 15 figures, 2 tables)

Figures (15)

  • Figure 1: Space-Control architecture providing process-level isolation for shared disaggregated memory. With the addition of new trusted hardware, only the trusted process P1 on host3 is allowed access to the shared memory. P2 (malicious, red) and P3 (untrusted, white) processes are not authorized to access the shared memory. The same trusted hardware is also present in host0 and host1, where other trusted processes are allowed to access the shared memory. In CXL, however, any process authorized by the kernel can access that data.
  • Figure 2: Process creation and permission grant workflow in Space-Control. A new process requests access to SDM, which proposes an entry to the metadata region. The FM is automatically notified and decides approval, commits the proposed entry to the table, and issues $L_{exp}$.
  • Figure 3: Flow of remote memory access as a load/store (LD/ST) of a virtual address (VA) in Space-Control. SPACE validates the context, and the permission checker enforces isolation.
  • Figure 4: The microarchitecture of the SPACE. It stores the host's secret key ($K_{host}$), FM's public label ($L_{exp}$) and a free HWPID list. There is additional logic to generate $L_{host}$. Further, SPACE provides minimal MMIO doorbells available to the OS for HWPID management.
  • Figure 5: Layout of the permission table stored in the SDM. The permission table starts at an offset 128 B (cache-line aligned). It stores sorted permission entries (entry_t) keyed by start address.
  • ...and 10 more figures
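The mechanism the abstract sketches (a per-access check keyed on a hardware process ID, a permission table of non-overlapping entries sorted by start address as in Figure 5, and a small cache that absorbs repeated lookups) as an added, illustrative Python model. This is not the paper's hardware design or its entry_t layout: the HWPID pool, the page-granular cache, the field names, the `update_table` flush and the sample table are all assumptions constructed for the example.

```python
"""Illustrative model of process-level permission checking for shared
disaggregated memory (SDM). Constructed example; all layouts and names are
assumptions, not the paper's design."""
import bisect
from collections import OrderedDict
from dataclasses import dataclass

PAGE_SHIFT = 12  # assumption: the lookup cache is indexed by 4 KiB page


@dataclass(frozen=True)
class Entry:
    """One permission entry: a [start, end) range of SDM, the HWPIDs that may
    touch it, and whether they may write (assumed fields, not entry_t)."""
    start: int
    end: int
    hwpids: frozenset
    writable: bool


class PermissionTable:
    """Entries kept sorted by start address so a lookup is a binary search."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.start)
        for a, b in zip(self.entries, self.entries[1:]):
            if a.end > b.start:
                raise ValueError("overlapping permission entries")
        self.starts = [e.start for e in self.entries]

    def find(self, addr):
        i = bisect.bisect_right(self.starts, addr) - 1
        if i >= 0 and addr < self.entries[i].end:
            return self.entries[i]
        return None  # address lies outside every granted range


class SpaceModel:
    """Models the HWPID pool plus the permission checker and its small cache."""

    def __init__(self, table, max_hwpids=127, cache_size=8):
        self.table = table
        self.cache_size = cache_size
        self.free = list(range(1, max_hwpids + 1))  # HWPID 0 reserved
        self.live = set()
        self.cache = OrderedDict()  # page number -> Entry covering that page
        self.table_lookups = 0  # binary searches the cache did not absorb

    def allocate_hwpid(self):
        if not self.free:
            raise RuntimeError("no free HWPID: process limit reached")
        hwpid = self.free.pop(0)
        self.live.add(hwpid)
        return hwpid

    def release_hwpid(self, hwpid):
        self.live.discard(hwpid)
        self.free.append(hwpid)

    def update_table(self, table):
        # A grant or revocation must flush cached entries; otherwise a process
        # whose entry was removed keeps passing the cached check.
        self.table = table
        self.cache.clear()

    def _lookup(self, addr):
        page = addr >> PAGE_SHIFT
        entry = self.cache.get(page)
        # A cached entry may cover only part of the page, so re-check the range.
        if entry is not None and entry.start <= addr < entry.end:
            self.cache.move_to_end(page)
            return entry
        self.table_lookups += 1
        entry = self.table.find(addr)
        if entry is not None:
            self.cache[page] = entry
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)  # evict least recently used
        return entry

    def access(self, hwpid, addr, write=False):
        """Return True if the load/store by this HWPID at addr is allowed."""
        # 1. Authenticate the execution context: an unallocated HWPID never passes.
        if hwpid not in self.live:
            return False
        # 2. Locate the entry covering the address (cache first).
        entry = self._lookup(addr)
        if entry is None:
            return False
        # 3. Enforce the per-process permission on every access; the cache only
        #    saves the search, never the decision.
        if hwpid not in entry.hwpids:
            return False
        return entry.writable or not write
```

The cache stores the located entry rather than an allow/deny verdict, so the HWPID membership and the write bit are re-evaluated on every access; the only state that can go stale is the table itself, which is why `update_table` clears the cache.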