Controlled Shared Memory (COSM) Isolation: Design and Testbed Evaluation

Published in IEEE Xplore: 25 April 2025
Authors: Vignesh Sundaravarathan, Martin Reisslein, Akhilesh S. Thyagaturu, Nick Ross, Gurpreet Singh Kalsi, Jason Howard, Jan Kaisrlik, Bartosz Matwiejczyk, Marek M. Landowski, Piotr Dorozynski, Harvey (Hrvoje) Vrsalovic, Sanjaya Tayal

Recent memory-sharing approaches, e.g., based on the Compute Express Link (CXL) standard, allow the flexible high-speed sharing of data (i.e., data communication) among multiple hosts. In information systems for sensitive data, the data sharing between hosts must be closely controlled. Security policies may require strict isolation, so-called air-gapping. However, strict isolation mechanisms are currently lacking in data communications based on shared memory. We propose the novel COntrolled Shared Memory (COSM) framework for strictly and dynamically controlling the data communication via shared memory approaches. We introduce the novel concept of COSM isolation, which restricts data communication via shared memory regions with first-level isolation based on a write-and-read permission matrix and second-level isolation based on data inspection. These isolation levels are enforced by the memory controller on an externally-attached shared memory device (ESMD). COSM isolation is thus generally more secure than the existing software-based isolation (e.g., virtual machine isolation of a hypervisor) and existing hardware-assisted isolation (e.g., single-root input/output virtualization). We implement COSM host-to-host isolation in a testbed with an ESMD built on a Field Programmable Gate Array (FPGA). We evaluate the host data write and read rates [bit/s] and latencies under various ESMD loads as well as write-and-read permission configurations. The introduced COSM isolation can serve as the foundation for a new sub-field of research within the information technology (IT) security research field.
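A small software model of the two isolation levels described in the abstract, added here as an illustration; it is not code from the paper or its FPGA implementation. The class, host and region names, the default-deny matrix, running inspection on writes only, and the `MSG1` prefix rule are all assumptions made for the example.

```python
from dataclasses import dataclass, field
READ, WRITE = "r", "w"

@dataclass
class ControllerModel:
    perms: dict = field(default_factory=dict)       # (host, region) -> allowed ops
    inspectors: dict = field(default_factory=dict)  # region -> callable(bytes) -> bool
    regions: dict = field(default_factory=dict)     # region -> stored bytes
    audit: list = field(default_factory=list)       # (host, region, op, verdict)

    def set_permission(self, host, region, ops):
        self.perms[(host, region)] = set(ops)  # replaces one matrix entry at run time

    def _verdict(self, host, region, op, data=None):
        # Level 1: default deny, a missing matrix entry grants nothing.
        if op not in self.perms.get((host, region), set()):
            return "denied:matrix"
        # Level 2 (assumed to run on writes): inspect before data becomes visible.
        inspect = self.inspectors.get(region)
        if op == WRITE and inspect is not None and not inspect(data):
            return "denied:inspection"
        return "ok"

    def write(self, host, region, data):
        verdict = self._verdict(host, region, WRITE, data)
        self.audit.append((host, region, WRITE, verdict))
        if verdict == "ok":
            self.regions[region] = bytes(data)
        return verdict == "ok"

    def read(self, host, region):
        verdict = self._verdict(host, region, READ)
        self.audit.append((host, region, READ, verdict))
        return self.regions.get(region, b"") if verdict == "ok" else None

def demo():
    """One-way channel hostA -> hostB over region 0 (constructed scenario)."""
    mc = ControllerModel()
    mc.set_permission("hostA", 0, {WRITE})
    mc.set_permission("hostB", 0, {READ})
    mc.inspectors[0] = lambda d: d.startswith(b"MSG1")  # constructed inspection rule
    results = [mc.write("hostA", 0, b"MSG1 hello"),  # allowed direction
               mc.read("hostB", 0),                  # receiver sees the payload
               mc.write("hostB", 0, b"MSG1 x"),      # reverse direction
               mc.read("hostA", 0),                  # writer cannot read back
               mc.write("hostA", 0, b"raw")]         # fails inspection
    mc.set_permission("hostB", 0, set())             # revoke at run time
    results.append(mc.read("hostB", 0))              # region now isolated from hostB
    return results, [verdict for *_, verdict in mc.audit]
```

The audit list records every decision, including denials, so a rejected access and the isolation level that rejected it can be reviewed afterwards.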