Presentation: Designing secure services with unikernels: a tough nut to crack

10:40am - 11:30am

Much cloud infrastructure consists of small, specialised services that interoperate via protocol interconnects such as HTTP. Securing these interconnects via SSL/TLS can ironically make services less secure, due to the terrible prevalence of security issues in common implementations such as OpenSSL. In this talk, I'll describe how to design and build "deploy-and-forget" cloud services that are specialised into *unikernels*: compact, single-address-space virtual machines built in a high-level language that are largely immune to conventional buffer overflow attacks because they are type-safe all the way down to the device drivers. For simple services such as web serving or REST endpoints, the unikernel image can be just a couple of megabytes in size as a standalone kernel that boots on Amazon AWS.

I will describe how to do this using MirageOS, where we have built a clean-slate reimplementation of the full TLS stack in OCaml. I'll describe some of the design challenges in this rebuild, and also the innovative way that we tested it for compliance and security holes using the "Bitcoin Piñata" challenge. Finally, I'll explain how you can get started with using the stack for yourself with Docker and Amazon EC2.
