SURE: A High-Performance, Efficient, and Secure Serverless Framework Based on Unikernels / Parola, F., Qi, S., Narappa, A.B., Ramakrishnan, K.K., Risso, F. - In: IEEE TRANSACTIONS ON CLOUD COMPUTING. - ISSN 2168-7161. - (2026), pp. 1-18. [10.1109/TCC.2026.3697819]
SURE: A High-Performance, Efficient, and Secure Serverless Framework Based on Unikernels
Federico Parola;Fulvio Risso
2026
Abstract
Current serverless platforms face substantial overhead from kernel-based networking and per-function sidecars. In addition, container-based runtimes suffer from excessive startup times and limited isolation. These limitations motivate the need for a more efficient and secure design. We present SURE, a unikernel-based serverless framework that combines rapid function startup with a high-performance, secure data plane. SURE enables distributed zero-copy communication through seamless integration of a userspace zero-copy TCP/IP stack (Z-stack) with intra-node shared memory processing. To eliminate the inefficiency of per-function sidecars, SURE introduces a lightweight library-based sidecar, which reduces CPU overhead by over two orders of magnitude compared to traditional userspace sidecars. For security, SURE leverages Intel's Memory Protection Keys (MPK) to enforce fine-grained, page-level isolation in the shared memory data plane and to isolate the Trusted Computing Base (TCB) components in the function runtime (e.g., library-based sidecar, scheduler, etc.) from untrusted user code. This is complemented by memory-pool-based security domains that isolate each function chain, ensuring scalability to large deployments. SURE further integrates a combination of binary inspection, W ⊕ X enforcement, and TCB-page blacklisting to prevent MPK privilege escalation within the single-address-space unikernel. These combined efforts create a more secure and efficient data plane with improved performance. Our evaluation shows that SURE improves throughput by 6×-8× compared to SPRIGHT, a high-performance serverless platform.

| File | Size | Format | |
|---|---|---|---|
| SURE_A_High-Performance_Efficient_and_Secure_Serverless_Framework_Based_on_Unikernels.pdf (open access; Type: 2. Post-print / Author's Accepted Manuscript; License: Public - All rights reserved) | 2.33 MB | Adobe PDF | View/Open |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/3011677
