Closed PKUFlyingPig closed 2 years ago
Hi,
RedLeaf relies on language-based isolation. Since user programs have to be written in safe Rust, one cannot forge arbitrary references/pointers. A user program cannot access other domains' resources without being granted explicit permissions to do so. You can read more about it in section 3 of the paper.
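To make the two points in that reply concrete, here is an added example that is not RedLeaf code and does not model its actual domain or heap design. The `Domain`, `Buffer` and `BufferCap` types are assumptions for illustration only: a domain can reach a buffer only through a capability it holds, another domain gets a capability only through an explicit `grant`, and the `#[forbid(unsafe_code)]` lint turns the one escape hatch (forging a reference from a raw address) into a compile error.

```rust
// Added example, not RedLeaf's code: a toy model of language-based isolation.
// A domain can touch only the resources it holds a capability for, and safe
// Rust gives it no way to manufacture a capability from an address.

// Any `unsafe` block inside this module is a compile error, which is what
// "user programs must be written in safe Rust" amounts to in practice.
#[forbid(unsafe_code)]
pub mod domains {
    use std::cell::RefCell;
    use std::collections::HashMap;
    use std::rc::Rc;

    /// Memory owned by some domain (hypothetical type, not RedLeaf's).
    pub struct Buffer {
        data: Vec<u8>,
    }

    /// A capability: holding this handle is the only way to reach the buffer.
    /// Cloning it is how one domain grants access to another.
    #[derive(Clone)]
    pub struct BufferCap(Rc<RefCell<Buffer>>);

    impl BufferCap {
        fn new(size: usize) -> Self {
            BufferCap(Rc::new(RefCell::new(Buffer { data: vec![0; size] })))
        }

        pub fn write(&self, idx: usize, val: u8) -> Result<(), String> {
            let mut buf = self.0.borrow_mut();
            let slot = buf
                .data
                .get_mut(idx)
                .ok_or_else(|| "index out of bounds".to_string())?;
            *slot = val;
            Ok(())
        }

        pub fn read(&self, idx: usize) -> Result<u8, String> {
            self.0
                .borrow()
                .data
                .get(idx)
                .copied()
                .ok_or_else(|| "index out of bounds".to_string())
        }
    }

    /// A domain is nothing more than the set of capabilities it was given.
    pub struct Domain {
        pub name: &'static str,
        caps: HashMap<&'static str, BufferCap>,
    }

    impl Domain {
        pub fn new(name: &'static str) -> Self {
            Domain { name, caps: HashMap::new() }
        }

        /// Allocate a buffer; the creating domain holds the first capability.
        pub fn create_buffer(&mut self, label: &'static str, size: usize) {
            self.caps.insert(label, BufferCap::new(size));
        }

        /// Explicitly share one of this domain's buffers with another domain.
        pub fn grant(&self, label: &'static str, to: &mut Domain) -> Result<(), String> {
            let cap = self.lookup(label)?;
            to.caps.insert(label, cap.clone());
            Ok(())
        }

        fn lookup(&self, label: &str) -> Result<&BufferCap, String> {
            self.caps.get(label).ok_or_else(|| {
                format!("domain {} holds no capability for {:?}", self.name, label)
            })
        }

        pub fn write(&self, label: &str, idx: usize, val: u8) -> Result<(), String> {
            self.lookup(label)?.write(idx, val)
        }

        pub fn read(&self, label: &str, idx: usize) -> Result<u8, String> {
            self.lookup(label)?.read(idx)
        }
    }
}

pub use domains::Domain;

/// Two domains, one buffer, and the observable effect of an explicit grant.
pub fn demo() -> (Result<u8, String>, Result<u8, String>) {
    let mut a = Domain::new("A");
    let mut b = Domain::new("B");
    a.create_buffer("shared", 16);
    a.write("shared", 0, 0x41).expect("A owns the buffer");

    // B was never granted "shared": the lookup fails and no memory is touched.
    let before = b.read("shared", 0);

    // Without the grant, B's only route to A's buffer would be to forge a
    // reference from an address, e.g. `&*(addr as *const Buffer)`. That needs
    // `unsafe`, which #[forbid(unsafe_code)] rejects at compile time.
    a.grant("shared", &mut b).expect("A can share what it holds");
    let after = b.read("shared", 0);
    (before, after)
}

fn main() {
    let (before, after) = demo();
    println!("B before grant: {:?}", before);
    println!("B after grant:  {:?}", after);
}
```

The second `read` succeeds only because `grant` copied the handle into B's capability table; nothing about B's position in memory or its ring level entered into it, which is the sense in which isolation here comes from the language rather than from address spaces.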
In your OSDI'20 paper, you mentioned that "RedLeaf does not rely on hardware address spaces for isolation", but how do you realize memory isolation in RedLeaf? Since all the domains are in ring0, a malicious user program has access to all the physical memory and can do anything bad to other user programs.