A unikernel is a miniature VM unto itself, with its own streamlined operating system, highly specialized and extremely small. Only the bare minimum exists with the unikernel -- with no extraneous functions or utilities. Yet these tiny VMs can pack a powerful punch thanks to the efficiency advantages for service providers and others.
Alongside those efficiency advantages that I highlighted in Part 1 of this unikernel mini-series, unikernels can also improve application security, ideal for service providers in the New IP world. (See The Pop of the Unikernel: The Efficiency Advantage.)
Unlike with traditional VMs, only the hypervisor lies between the unikernel and the hardware. According to Gareth Rushgrove, a developer at Puppet Labs, this makes unikernels "very fast to boot, but with strong isolation guarantees."
This isolation factor makes unikernels very attractive from a security perspective -- particularly as an alternative to containers, which typically share kernels.
"The challenge [of containers] is that the security attack surface of a 'shared kernel' strategy has its weakest link in that 'shared kernel' itself," explains open-source evangelist Russell Pavlicek in a blog post. "If one malicious hacker manages to violate that shared kernel, all instances that employ that shared kernel are potentially compromised. Certainly, a similar argument can be made of traditional hypervisors -- if you can violate the hypervisor, you might be able to violate the VMs it powers -- but the industry has had many years of experience hardening hypervisor installations."
In this sense, unikernels potentially scale more efficiently and securely than do containers.
"Any breach from one container could lead to contamination of other containers on the same OS. This may not be a concern if you trust all the developers and their code [and] may be [an] acceptable [risk] for a small, close-knit team, but as an organization grows, the need for better isolation becomes increasingly important," Amir Chaudhry, programme manager of the University of Cambridge Computer Laboratory's Systems Research Group, told The New IP in an email interview.
Lars Kurth, Xen Project advisory board chairman, nonetheless cautions that the security benefits of isolation are limited.
"A unikernel running directly within the hypervisor will benefit from the stronger isolation hypervisors provide [versus] the weaker isolation provided by containers," Kurth told The New IP via email. "Of course, if you run containers within hypervisors as is the currently recommended approach -- which also is in use by AWS, Alibaba, Google and others -- this particular disadvantage goes away."
In a separate email interview, Mark Coggin, senior marketing director of Red Hat's Platforms Business Unit, added, "In the event that an existing [vulnerability] is discovered, à la Heartbleed or Shellshock, that [isolation] benefit disappears."
Kurth, however, noted that the security advantage of the unikernel goes beyond heightened isolation in and of itself.
"Unikernels are single-process applications, which... provides an additional level of security by removing complexity and attack opportunities," Kurth pointed out, "whereas in container and traditional application stacks, the attacker can use one of the lower levels to break into the application."
Indeed, both Chaudry and Kurth insist that the very highlights of unikernels that make them efficient also contribute to making them more secure. Unikernel deployment strips the software stack down to the bare minimum, removing all unnecessary layers -- and, with them, means of attack.
"The unikernel... has a much smaller attack surface than a traditional VM, even though it interacts with the world in the same way via open protocols," wrote Chaudry.
"Unikernels such as MirageOS and HaLVM statically compile the application with the language run-time into a cloud image; dead-code elimination removes any code that is not actually used," explained Kurth. "This has a number of consequences. There is less code and thus fewer attack opportunities, [and] unikernel images for different applications... differ in terms of layout and thus an attacker has to create an attack vector for a specific application image."
In any case, containers are here to stay for now, security issues or not.
"Given that they operate at different layers of the stack, both containers and unikernels have their place in the clouds of the future," explained Chaudhry. "How a developer [or] business chooses to use them will depend on the specific combination of problems they are trying to solve."
Hence, service providers deploying multiple virtualization solutions must strategize well on securing their work holistically. For the most important and unique projects, however, unikernels seem to have the security edge.
— Joe Stanganelli,
Freelance Contributor, special to The New IP