With the invention of computers came the need to develop systems that could do with applications. First came virtual machines (VMs). But they were large, slow, and resource-intensive.
Then, containers came. Since they load just enough kernel and runtime code to run the application in the container, they were lighter and faster than VMs. But then, the setup, maintenance, and management proved to be somewhat labor-intensive and as such, unikernels were born.
A unikernel is a unique, specialized single process system created using library OS and deployable on single address space. Basically, as the developer, you select only the libraries you need to run your application on a particular OS. Unikernels are ultralight, require little resources, and they deploy almost instantly.
But with hackers growing more innovative every day, any developer would be concerned about the security of unikernels before implementing them. Let’s take a look at where they stand in terms of security:
1. Strong Isolation
VMs offer high-level isolation by supporting unique operating systems for different users to run their software separately. However, the technology is growing more and more outdated and, therefore, quite technical and expensive in terms of hardware space.
On the other hand, containers make isolation a lot easier and cheaper in terms of disk space as systems don’t need to be separated at the hardware level but rather on the OS itself.
However, a malicious attack on the host OS could compromise all the data in the containers. Unikernels addresses the shortcomings of the containers and VMs. It provides stronger isolation than containers while having higher performance and lower resource use of the VMs.
2. No Shell to Attack
Most code-targeted attacks target the shell in a bid to manipulate the system. However, unikernels are created for just one single process and have no shell. This feature makes it hard to launch automated shell script attacks, especially from less experienced hackers.
3. No System Calls
Binary apps built on Linux need to communicate with the kernel OS they are executed on to request a service. This function is accomplished by an interface known as system calls that are vulnerable to attacks.
Unikernels don’t have operating systems and, therefore, don’t need system calls. So, hacking through this method is virtually impossible, that is unless the hacker has a complete layout of the application in use.
3. Immutable Infrastructure
Most traditional computing infrastructure is expensive and complex to install. So instead of installing completely new infrastructure when you need to boost functionality, you can simply upgrade, modify or add new code.
The downside, however, is that the system becomes vulnerable to malicious alterations from attackers. With unikernels, however, you’ll need to rebuild if you want to make any change. This feature makes them immutable.
Are There Any Risks You Should be Aware of?
Unikernels are not without their shortcomings, which come as a cost for the minimalistic benefit. For instance, since they only include the components needed for an application to run, they lack standard commands that help in debugging. Consequently, unikernels are hard to update and maintain and are also vulnerable to ASLR attacks.
That said, this information only scratched the surface. Unikernels’ benefits and functionality are more expansive. But we can safely say that they are secure – perhaps much more than the alternatives.