SURE: Secure Unikernels for Faster and Safer Serverless Computing: New Research Publication
This research, authored by Federico Parola (Politecnico di Torino), Shixiong Qi, Anvaya B. Narappa, K. K. Ramakrishnan (University of California, Riverside), and Fulvio Risso (Politecnico di Torino), is part of the ELASTIC Project and was presented at the ACM Symposium on Cloud Computing (SoCC ‘24).
Rethinking Serverless: Improving Efficiency and Security with Unikernels
As serverless computing becomes the standard for scalable, event-driven applications, existing platforms still suffer from three limitations:
✔ High function startup latency due to cold starts.
✔ Overhead in chaining and orchestrating functions within a microservices architecture.
✔ Insufficient security isolation in containerized runtimes.
To address these inefficiencies, this study presents SURE, a unikernel-based serverless framework designed to reduce startup time, enhance security, and improve inter-service communication efficiency. SURE optimizes the serverless data plane by integrating unikernel virtualization, shared memory processing, and a secure, lightweight service mesh.
Key Innovations in SURE
- Faster Function Startup with Unikernels
SURE deploys each function as a unikernel-based virtual machine (VM), stripping out the OS components a function does not need, so VMs boot faster and cold-start delays shrink.
- High-Performance Data Plane with Zero-Copy Communication
SURE introduces Z-stack, a zero-copy communication stack that works across nodes and bypasses kernel-based networking, giving significantly higher throughput than Knative, a widely used open-source serverless platform.
- Library-Based Sidecar for Lightweight Service Mesh
Traditional userspace sidecars run as separate processes and become performance bottlenecks. SURE's sidecar is instead a lightweight library linked into the unikernel, avoiding the extra data copies and context switches.
- Memory Protection Keys (MPK) for Secure Shared Memory
SURE uses Intel MPK to enforce fine-grained isolation of the shared memory regions that functions communicate through. This blocks unauthorized access to those buffers, and the privilege escalation it could lead to, while keeping the performance of shared-memory processing.
- Stronger Isolation for Serverless Functions
SURE isolates its Trusted Computing Base (TCB) components, such as the library-based sidecar, scheduler, and network stack, from untrusted user code, strengthening security while preserving unikernel efficiency.
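To make the MPK and TCB-isolation points above concrete, here is an added example that is not SURE's code and not taken from the paper. It reproduces the mechanism in plain Linux userspace: a buffer standing in for a shared packet region is tagged with a protection key, the "trusted" path (think library sidecar or network stack) opens the key and writes a frame, the key is then closed before "untrusted" function code runs, and that code's read faults with SEGV_PKUERR even though the page tables still say read/write. It assumes Linux on x86-64 with protection keys enabled; anywhere else (or inside a sandbox that refuses pkey_alloc) it reports that MPK is unavailable instead of failing. The function and constant names (`run_mpk_demo`, `domain_grant`, `domain_deny`, `MPK_DEMO_*`) and the packet payload are invented for this example.

```c
/* Added example (not SURE's own code): MPK domain switching over a shared buffer.
   Assumes Linux on x86-64 with protection keys; elsewhere it reports UNSUPPORTED. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { MPK_DEMO_FAIL = -1, MPK_DEMO_UNSUPPORTED = 0, MPK_DEMO_PASS = 1 };

#if defined(__linux__) && defined(__x86_64__)
#ifndef SYS_pkey_alloc
#define SYS_pkey_mprotect 329          /* x86-64 syscall numbers */
#define SYS_pkey_alloc    330
#define SYS_pkey_free     331
#endif
#ifndef SEGV_PKUERR
#define SEGV_PKUERR 4
#endif

/* PKRU holds two bits per key: AD (access disable) at bit 2k, WD (write disable) at 2k+1.
   The "memory" clobber keeps the compiler from moving buffer accesses across the switch. */
static unsigned int rdpkru(void) {
    unsigned int eax, edx;
    __asm__ volatile(".byte 0x0f,0x01,0xee" : "=a"(eax), "=d"(edx) : "c"(0) : "memory"); /* rdpkru */
    return eax;
}
static void wrpkru(unsigned int pkru) {
    __asm__ volatile(".byte 0x0f,0x01,0xef" : : "a"(pkru), "c"(0), "d"(0) : "memory");  /* wrpkru */
}
static void domain_grant(int key) { wrpkru(rdpkru() & ~(3u << (2 * key))); }
static void domain_deny(int key)  { wrpkru(rdpkru() |  (1u << (2 * key))); }

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_code;
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_code = si->si_code;          /* SEGV_PKUERR marks a protection-key fault */
    siglongjmp(fault_env, 1);
}

int run_mpk_demo(void) {
    long key = syscall(SYS_pkey_alloc, 0, 0);
    if (key < 0) return MPK_DEMO_UNSUPPORTED;   /* no PKU, or kernel/sandbox refuses */

    size_t len = 4096;
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { syscall(SYS_pkey_free, key); return MPK_DEMO_FAIL; }
    /* Tag the page with the key; the PTE permission bits stay RW. */
    if (syscall(SYS_pkey_mprotect, buf, len, PROT_READ | PROT_WRITE, key) != 0) {
        munmap(buf, len); syscall(SYS_pkey_free, key); return MPK_DEMO_FAIL;
    }

    volatile int result = MPK_DEMO_FAIL;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    /* 1. Trusted path (library sidecar / network stack): open the domain, write a frame. */
    domain_grant((int)key);
    const char frame[] = "constructed packet payload";   /* constructed sample data */
    memcpy(buf, frame, sizeof frame);

    /* 2. Hand control to untrusted user code: close the domain first.
          The PTEs still say RW, but any access now faults with SEGV_PKUERR. */
    domain_deny((int)key);
    fault_code = 0;
    volatile unsigned char *p = buf;
    if (sigsetjmp(fault_env, 1) == 0) {
        (void)*p;                       /* untrusted read: must fault */
        result = MPK_DEMO_FAIL;         /* reached only if MPK did not block it */
    } else if (fault_code == SEGV_PKUERR) {
        /* 3. Back in the trusted path: reopen and confirm the data was untouched. */
        domain_grant((int)key);
        result = memcmp(buf, frame, sizeof frame) == 0 ? MPK_DEMO_PASS : MPK_DEMO_FAIL;
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(buf, len);
    syscall(SYS_pkey_free, key);
    return result;
}
#else
int run_mpk_demo(void) { return MPK_DEMO_UNSUPPORTED; }
#endif

int main(void) {
    int r = run_mpk_demo();
    printf("%s\n", r == MPK_DEMO_PASS ? "MPK isolation enforced"
                 : r == MPK_DEMO_UNSUPPORTED ? "protection keys unavailable, skipped"
                 : "FAIL");
    return r == MPK_DEMO_FAIL;
}
```

Two things worth noticing. The switch costs a single register write rather than an mprotect syscall and TLB shootdown, which is why MPK fits a shared-memory data plane. And WRPKRU is an unprivileged instruction, so a design like this only holds if untrusted function code cannot execute it itself; how a system keeps that instruction out of untrusted code is a question to check in the paper, not something this example addresses.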
Performance Gains and Real-World Impact
- 79× Higher Throughput vs. Knative – SURE significantly reduces data plane overhead and enhances inter-function communication.
- Milliseconds-Level Function Startup – Enables ultra-fast response times, making SURE ideal for latency-sensitive workloads such as real-time analytics, cloud applications, and AI/ML inference.
By combining unikernel efficiency with enhanced security measures, SURE redefines serverless computing, making it faster, safer, and more scalable.
Access and Further Information
The full publication and supporting materials are available on Zenodo.