---
title: Robust Open Bare-metal Ubiquitous Resilient
author: someone
---

At robur, we build performant bespoke minimal operating systems for high-assurance services.

With our approach to systems development we provide the following advantages for you:

* based on the unikernel pioneer [MirageOS](https://mirage.io)
* secure implementation guarded against memory corruption, type-level problems, leaky abstractions and unforeseen state
* ready for the cloud: services run on all major hypervisors
* instant boot
* competitive performance comparable to C / C++
* can target embedded devices because of small size and the ability to compile to native code
* minimized state allows reasoning about entire systems and their adherence to the specification
* extensive library ecosystem, yet minimal trusted code base at runtime
* rapid prototyping with a seamless path from prototype to production

Computers on the Internet get compromised

- to access data on the computer (databases, passwords, user accounts) or to block access to it (Ransomware),
- to participate in DoS of other services (e.g. the Mirai botnet on SmartTVs) and to manipulate opinion (chatbots).

The software stack often includes parts which are no longer needed, such as floppy disk drivers. Critical security updates are rarely deployed in time, because such a change may result in unforeseen behaviour. Additionally, lots of embedded devices (home routers, SmartTVs, etc.) have no secure update channel.

Instead of trying to fix these decades-old operating systems, which were designed as the multi-user time-sharing systems of the past, we build small services from scratch with security in mind, directly on the hypervisor. In our operating system, each service is a separate virtual machine containing only the required code.

This makes our systems much smaller. The binary size of an HTTP server with TLS support in our system is around 4% of that of one in a conventional operating system, making the attack surface much smaller.

Additionally, we use a safe programming language: a statically and strongly typed functional programming language with automated memory management. This reduces the attack vectors: temporal and spatial memory corruption are no longer a concern. The declarative programming style makes it possible to formally verify the correctness of the entire virtual machine with a theorem prover.

One of our single-purpose operating systems boots within milliseconds and has a minimal memory footprint. For client-side features that run in a web browser, we compile to JavaScript from the same codebase, to ensure consistency. The strong and static type system helps to detect errors early and enables rapid prototyping. For production use, the prototype code can be further optimized for performance.

## Conclusion

MirageOS started as a research project and has matured into a full suite for building secure operating systems, with libraries that work well in production and cover a variety of application needs. MirageOS is a game changer for secure network services, since the attack surface is minimised to 1% of the size of other contemporary operating systems. In addition, common attack vectors are avoided by the use of a programming language with memory safety. A unikernel boots within tens of milliseconds, and services can be spawned on demand. When a request (e.g. a DNS request) for a unikernel comes in, the kernel boots up, handles the request, and is destroyed after an inactivity period. Only the necessary services need to run, and they can be short-lived to minimize state in the system.

The choice of a high-level programming language also allows for rapid prototyping: new features can be developed quickly. In contrast to scripting languages, the code does not need to be re-implemented for production use (but can nevertheless be fine-tuned for performance).

WHY YOU NEED THIS!

WHAT ERRORS WE CAN AVOID

HOW WE CAN HELP