
THE UNIKERNELS SOLUTION
One particular solution that is starting to be
embraced by various companies running compute
at the edge is the concept of unikernels.
A unikernel can be envisioned as the synthesis
of a single application and only the operating system
bits it needs to run, packaged into a very small,
lightweight virtual machine (VM). Not only do they
provide the necessary manageability, since they are
designed to be largely immutable, with configuration
done at deployment time, but they also come
with a four-point security model.
This model is composed of the following:
• Single process system
• No users
• No shells
• Reduced attack surface
[Figure 4, panel "old VM stack": application / operating system / hypervisor / hardware]
36 | ICT TODAY
SINGLE PROCESS
A single process system, versus a multiple process
system like Linux, means that each VM runs only
one application inside it at a time. Since all
software is being deployed as VMs to begin with,
this makes the software run faster and also, by
design, makes it impossible to run other programs
inside the same VM. When considering how almost
any sort of attack against servers occurs, it relies
on the attacker trying to run code on the
company's or organization's server or device.
The bug or exploit is just the key to the door; it is
not the main goal. When the capability of running more
than one program on the VM is removed, the main
motive for attacking the server is eliminated as well,
inherently creating a serverless type architecture.
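The single process, no users and no shells points above can be checked from the defender's side rather than taken on trust. The following is an added example, not code from the article or from any unikernel project: it takes a process listing in the shape of "PID USER COMMAND" (the two listings embedded below are constructed, as are the program name "webapp" and the paths in them) and reports every way the VM departs from the model, so the same audit can be run against a build of a general-purpose VM and a unikernel image to see the difference the article describes.

```python
from typing import List, NamedTuple

# Interactive shells that should never appear inside a unikernel VM.
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh", "fish"}


class Proc(NamedTuple):
    pid: int
    user: str
    cmd: str


def basename(path: str) -> str:
    """Program name without its directory, e.g. '/bin/bash' -> 'bash'."""
    return path.rsplit("/", 1)[-1]


def parse_ps(snapshot: str) -> List[Proc]:
    """Parse a 'PID USER COMMAND' listing; the first line is the header."""
    procs = []
    for line in snapshot.strip().splitlines()[1:]:
        pid, user, cmd = line.split(None, 2)
        procs.append(Proc(int(pid), user, cmd))
    return procs


def audit(procs: List[Proc], expected_app: str) -> List[str]:
    """Return every finding that violates the single-process, no-shell,
    no-user model; an empty list means the VM conforms."""
    findings = []
    for p in procs:
        name = basename(p.cmd.split()[0])
        if name in SHELLS:
            findings.append(f"shell running: pid {p.pid} ({p.cmd})")
        elif name != expected_app:
            findings.append(f"extra program: pid {p.pid} ({name})")
    users = sorted({p.user for p in procs})
    if len(users) > 1:
        findings.append(f"{len(users)} user accounts active: {', '.join(users)}")
    if len(procs) != 1:
        findings.append(f"{len(procs)} processes running, expected exactly 1")
    return findings


def conforms(snapshot: str, expected_app: str) -> bool:
    """True when the listing matches the unikernel model."""
    return not audit(parse_ps(snapshot), expected_app)


# Constructed sample listings (hypothetical, not captured from real systems).
LINUX_VM_PS = """\
PID USER COMMAND
1 root /sbin/init
412 root /usr/sbin/sshd -D
1077 app /opt/webapp/webapp --port 8080
1090 root /bin/bash
"""

UNIKERNEL_PS = """\
PID USER COMMAND
1 app /opt/webapp/webapp --port 8080
"""

if __name__ == "__main__":
    for label, snap in (("general-purpose VM", LINUX_VM_PS),
                        ("unikernel VM", UNIKERNEL_PS)):
        print(label, "->", audit(parse_ps(snap), "webapp") or "conforms")
```

Run against the first listing the audit reports a shell, two extra programs (init and sshd), two active user accounts and a process count of four; the second listing produces no findings. The shell and extra-program checks are the ones that matter most for the article's argument: they are exactly the capabilities an attacker needs after the "key to the door" has been used.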
[Figure 4, panel "docker stack": application / docker / operating system / hypervisor / hardware]
[Figure 4, panel "unikernel stack": application / hypervisor / hardware]
FIGURE 4: Unikernels are designed to only run one program per VM, effectively putting an end to remote code execution attacks.