500-Word Summary Of Article About Unikernel Security

TO: Prof. Ellis
FROM: Edwin Baez
DATE: October 6th, 2021
SUBJECT: 500-Word Summary Of Article About Unikernel Security

The following is a 500-word summary of an article about unikernel security. The author discusses the risks and benefits of running applications in unikernel environments. Through many diagrams and an in-depth look at what each type of kernel does and allows, the article helps us differentiate which kernels are right for us.

The kernel is the essential center of a computer’s operating system. It is the core that provides basic services for all other parts of the OS. Modern-day applications require cloud services to run in a kernel environment, making it vulnerable to attacks. A unikernel is a specialized, single-address-space machine image constructed from a minimal set of services selected by the developer. With unikernel environments, attacks are less likely due to the lightweight memory footprint and self-contained environment.

Virtualization is the process of mirroring or emulating a system using the resources of a host machine. It can be used to re-create networks or emulate a whole new machine, thus making it more secure to use. Virtual Machines cannot communicate with each other, so if one is ever infiltrated then no harm will be caused to the actual host machine. In other words, you can use your computer to run a virtual computer and whatever happens to that virtual computer will have no effect on your actual computer/hardware.

There are various types of virtualization. The first is full virtualization, which aliases the hardware the guest machine runs on. Its main appeal is its ability to mirror hardware, which makes it more reliable, provides more consistent performance, and allows it to isolate in case of a malicious attack. If a cyber-attack were to happen, the attacker cannot attack the host but can eventually see that they are attacking a virtual machine. The second type of virtualization is OS virtualization (OSV). OSV is run on a single kernel, but it runs many operating systems at once. It is essentially many containers, each holding its own operating system. These containers don’t have access to the hardware of the physical machine, so they are limited to the OS of the host. With that said, if the machine were ever to get attacked, all containers would be compromised.

There are two types of unikernels whose security profiles differ. Clean Slate Unikernels are not emulators. They are written in a single programming language, whether it’s C++, HalVM, or JavaScript. They also allow language-specific virtual machines to function, for example, the Java Virtual Machine (JVM). Legacy Unikernels, on the other hand, implement a subset to ensure unmodified software can run while only requiring minor configurations. According to J. Talbot et al., “They don’t support timesharing (the ability to simultaneously run multiple independent programs), instead, they delegate this role to the virtualization layer” [1, p.2].

Isolation is the main goal of most, if not all, security enthusiasts. Software running on a Unikernel is more isolated than software running in a container. This is due to the fact that unikernels are singular and have a reduced attack surface.

REFERENCE

[1] J. Talbot et al., “A Security Perspective on Unikernels,” 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 2020, pp. 1-7, doi: 10.1109/CyberSecurity49315.2020.9138883.
