-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcodomains-intro.tex
54 lines (51 loc) · 2.2 KB
/
codomains-intro.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
\section{Codomains Introduction}
\label{sec:codomains-intro}
A cooperative domain, or \emph{codomain}, is an isolation domain
that a thread may migrate to over the course of its evolution, such as another
process, another host, or an SGX hardware enclave.
%
I explore system primitives for using codomains that enable a developer to
write a monolithic program that executes over multiple domains, with the
underlying system being responsible for moving the execution between domains,
maintaining resource consistency across domains, and restricting
information flow among domains.
%
The application need not directly construct codomains; a monitor or emulator
could do so on the process's behalf, thereby enabling opportunities for
instrumenting existing, legacy, applications.
%
In contrast to prior work in program partitioning, codomains present
a language-neutral, run-time mechanism for switching domains, rather than
resorting to language-specific or compile-time techniques.
\parhead{Codomains vs. Conclaves}
%
Codomains are orthogonal to conclaves, though the implementation may
use conclaves to support SGX domains.
%
Codomains further differ from conclaves with respect to use cases, and the
method for constructing trust boundaries.
%
Whereas conclaves are a solution for preserving the confidentiality of a single
\footnote{
Conclaves may comprise
multiple parties, but these parties must trust one another (or, as in
the case of NGINX multiplexing multiple parties, NGINX must be trusted
to isolate one party's components from another).
}
party's data when running an application on an untrusted cloud,
%
codomains can further express solutions for multi-party and
federated computations.
%
With conclaves, a deployer statically specifies the trust boundaries based on
which components (processes) may communicate with one another;
%
%Boundaries are binary; trust means unfettered communcation; no trust means no
%communication.
%
with codomains, the boundaries themselves may change over
the application's evolution, and data, rather than code, may drive the boundary
construction.
%
Finally, whereas conclaves take an approach of hoisting the entire application
into enclaves, codomains use enclaves in an on-demand, as needed, fashion.