22nd March 2019

Berlin, Germany

MirageOS: building minimized special-purpose unikernels

Unikernels are specialized services, where the runtime binary (process, virtual machine) only contains the necessary libraries. This reduces the attack surface drastically (around two orders of magnitude). MirageOS is a unikernel project that uses OCaml, which also reduces the attack vectors (memory safety, type safety). MirageOS contains neither process management nor virtual memory: the entire unikernel is executed in a single address space. The cooperative multitasking library lwt is used at the base.

MirageOS can be deployed to various modern hypervisors: Xen, Linux KVM, FreeBSD bhyve, OpenBSD VMM, virtio, as well as to the Genode microkernel-based operating system framework and the separation kernel Muen. It can also be run as a Unix process with rather restrictive seccomp filters (fewer than 10 syscalls needed). It runs on x86-64, ARM64 (Raspberry Pi), ESP32; RISC-V support is on its way.

Apart from core Internet Protocols (TCP/IP, DHCP, DNS, HTTP), security protocols (TLS, OpenPGP, OTR), and branchable distributed storage (implementing the git protocol) for persistency, several applications are work-in-progress:

- Calendar and address book (CalDAV/CardDAV) storing data in a remote git repository
- Email (MIME encoding/decoding, SMTP, IMAP)
- Firewall
- VPN Gateway

In this tutorial, I'll first briefly introduce the benefits of MirageOS and the programming environment: the mirage command-line utility takes care of target-specific dependencies, initialization order, etc. by generating code. Afterwards, we'll dig deeper into further examples.

