
> We achieve lightweight VMs by using unikernels

When I attended Infiltrate a few years ago, there was a talk about unikernels. The speaker showed off how incredibly insecure many of them were, not even offering support for basic modern security features like DEP and ASLR.

Have they changed? Or did the speaker likely just cherry-pick some especially bad ones?




You are probably talking about this: https://research.nccgroup.com/wp-content/uploads/2020/07/ncc...

In short - not a fundamental limitation - just that kernels (even if they are small) have a ton of work that goes into them. Nanos for instance has page protections, ASLR, virtio-rng (if on GCP), etc.


I thought that presentation was a little like looking at a hobby OS of a type, then attempting to draw security conclusions for all of that type.

The NanoVMs unikernel, for example, is pretty small, DoD supported, and has:

ASLR

    Stack Randomization
    Heap Randomization
    Library Randomization
    Executable Randomization

Page Protections

    Stack Execution off by Default
    Heap Execution off by Default
    Null Page is Not Mapped
    Stack Cookies/Canaries
    Rodata no execute
    Text no write

STIG


The headline reads like a Reddit post so I'm going to assume the same still holds true.



