ARTICLES

Shrink Wrap Your OS

During my early years working Unix security at Bell Labs in the mid-1980’s, I remember following (and envying) some amazing research going on at CMU. Under the direction of Professor Rick Rashid, the team in Pittsburgh was inventing a new OS design concept known as a microkernel. I sincerely believe that their work, which resulted in the Mach OS, is one of the more important achievements in the history of cyber security.

Sadly, in the years following Mach 3.0 in the mid-1990’s, the OS community drifted in the direction of plug-and-play. That is, to reduce the cost of users having trouble installing drivers or making applications work, developers began putting everything but the kitchen sink into the OS. This had the effect of helping Grandma connect her PC to a printer, but it also created enormous bloat in the software that runs on our computers.

From a security perspective, this expansion in size and scope helps explain the stubborn resilience of malware – even in the presence of advanced protections. By offering a wide computing base for malicious code, large operating systems expanded the attack surface, and made it easier for hackers to find an execution path for their exploits. In this way, the expansive OS helps not just Grandma, but also terrorists targeting critical infrastructure.

The TAG Cyber team had the opportunity last week to connect with a start-up called NanoVMs. Backed by heady investors including Ron Gula and Ray Rothrock, the company focuses on offering so-called Unikernels for enterprise, cloud, and other computing environments. Ian Eyberg was our tour guide to the NanoVM Unikernel approach – and his direct, PowerPoint-free explanation was refreshing. Here is what I learned:

“We don’t consider ourselves a security company,” he explained. “We are a software infrastructure company. But the security advantages of a Unikernel should be obvious, because it helps an organization provide a more proactive defense, rather than just responding to incidents. For this reason, we find that security organizations are often the champions behind engagements they might have with us for support.”

First, it is worth noting that while a Unikernel and microkernel are more-or-less the same thing, Eyberg did offer a nuanced explanation of subtle differences between the two, related to issues such as process management. I suspect that hardcore OS developers would scoff at my equating the two, but for the purposes of this article, I’ll not make any distinction. Both Unikernels and microkernels minimize code in the OS – and for security, this is awesome.

One Unikernel use-case we discussed involved microservices in cloud. Enterprise teams know that microservices provide the isolation required to minimize lateral traversal, as in APTs. The problem is that containers can introduce performance and maintenance issues. Unikernels, in contrast, allow one to match a monolithic workload function to the underlying features of the OS. The result is easier debugging, greater scalability, and faster deployment.

Another interesting use-case we discussed involved support for serverless computing, which is now popular in data center environments where Linux and containers might be causing security and performance issues. Eyberg explained how Unikernels are easier to boot, simpler to maintain, and much more consistent with the common need to implement auto-scaling for different applications.

It is certainly true that NanoVMs might not be for everyone. Small companies who do not maintain or administer their own computing will probably not be good targets for Unikernels. And with more companies blindly pushing their workloads out to XaaS environments where the underlying data management model is unknown, it is unclear how NanoVMs will convince them to care about OS minimization.

But NanoVMs should enjoy a tailwind from larger organizations who continue to manage computing infrastructure. Interest will be especially intense from banks and telecom companies, for example, where the need to micro-segment workloads is intense. I’d expect to see spill-over as well from the open-source community using tools such as Firecracker, but who would like to work with a commercial vendor.

I encourage you to take a look at this. It’s rare that an old grumpy analyst like me finds something interesting and exciting, but this is one of those cases. NanoVMs has a fine solution, and although tiny, is likely to grow as more companies see the clear security benefit of shrink-wrapping the OS to meet the minimal needs of a workload. As always, please share with us your learning after you look into this technology.