Presented at ToorCon San Diego 20 (2018)
Sept. 16, 2018, noon
"Unikernels" are specialized, single-address-space machine images that run entirely in ring 0 as a guest VM atop a hypervisor. They typically bundle application code and a framework platform on top of a thin hypercall-based IO/IPC layer used to perform IO. Typically famous for double (and sometimes single) digit millisecond boot times, Unikernels are a product of security nihilism taken to its logical extreme. Unikernel developers consider most extant software stacks insecure and have taken it upon themselves to throw everything away and reinvent the _entire_ programming and system stack anew. During this talk, we will present our research on unikernel security standings, including our methodology for assessing their implementations of memory hardening techniques. We will also present several attacks against unikernels, with live demonstrations, and suggest mitigation strategies for the weaknesses discovered.
Operating systems are insecure. Why do we even need them anyway? Why not just
run our web apps in kernel space and let the cloud schedule CPU and I/O?
What could go wrong?
In an effort to mitigate security and performance issues caused by application
and OS functionality bloat, some are attempting to combine the concept of
library operating systems with modern virtualization technologies to create
purpose-built lightweight virtual machines that strip out "unnecessary"
functionality. These "unikernels" are specialized, single-address-space machine
images that have been coupled with a kernel and thin OS stub layer to create a
single binary blob.
Proponents of unikernels claim that their smaller total codebases and lack of
excess services make them more efficient and secure than applications running
on top of full operating systems, either as a container or a virtual machine.
We surveyed several major unikernels, and found that this was decidedly not the
case; unikernels, which in many ways resemble embedded systems, often have a
similarly negligible level of security. Standard memory hardening practices
such as ASLR, W^X, stack canaries, heap integrity checks, and more are
completely absent or seriously flawed. As such, it is frequently possible for
attackers to achieve code execution as a result of memory corruption
vulnerabilities within unikernel applications, even in cases where the
application's source and binary are unknown. Furthermore, because the
application and "kernel" code run together as a single process within kernel
memory, an attacker who compromises a unikernel can immediately exploit
functionality that would require privilege escalation on a regular operating
system, such as raw packet I/O.
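The paragraph above lists W^X among the hardening properties the authors found absent or flawed. The following is an added example, not tooling from the talk or its authors: a minimal ELF64 program-header walker that flags any PT_LOAD segment mapped both writable and executable and reports whether a PT_GNU_STACK header marks the stack executable. The two images it inspects are constructed in the script itself (one with a single RWX segment and no GNU_STACK header, the other with a conventional split layout); they are not real unikernel binaries, and the constants are the standard ELF values.

```python
import struct

# Standard ELF constants (System V ABI).
ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

# Elf64_Ehdr and Elf64_Phdr layouts, little-endian.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64 bytes
PHDR_FMT = "<IIQQQQQQ"            # 56 bytes


def parse_program_headers(data):
    """Return [(p_type, p_flags, p_vaddr, p_memsz), ...] from a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    headers = []
    for i in range(phnum):
        p_type, p_flags, _off, vaddr, _paddr, _filesz, memsz, _align = struct.unpack_from(
            PHDR_FMT, data, phoff + i * phentsize)
        headers.append((p_type, p_flags, vaddr, memsz))
    return headers


def check_wx(data):
    """Return a list of W^X findings; an empty list means no segment is both writable and executable
    and the stack is explicitly marked non-executable."""
    findings = []
    saw_gnu_stack = False
    for p_type, p_flags, vaddr, memsz in parse_program_headers(data):
        if p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            findings.append(f"PT_LOAD segment at 0x{vaddr:x} (size 0x{memsz:x}) is both writable and executable")
        if p_type == PT_GNU_STACK:
            saw_gnu_stack = True
            if p_flags & PF_X:
                findings.append("PT_GNU_STACK requests an executable stack")
    if not saw_gnu_stack:
        findings.append("no PT_GNU_STACK header: stack executability is left to the loader default")
    return findings


def build_elf(segments):
    """Build a minimal ELF64 image consisting of an ELF header plus the given program headers.
    Constructed sample data for this example only, not a loadable binary."""
    phoff = 64
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT, SYSV ABI
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, 0, phoff, 0, 0, 64, 56, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, t, f, 0, v, v, s, s, 0x1000) for t, f, v, s in segments)
    return ehdr + phdrs


# Constructed samples: a flat single-RWX-segment layout of the kind the text describes,
# beside a conventional split text/data layout with a non-executable stack.
FLAT_RWX_IMAGE = build_elf([(PT_LOAD, PF_R | PF_W | PF_X, 0x100000, 0x20000)])
SPLIT_IMAGE = build_elf([
    (PT_LOAD, PF_R | PF_X, 0x400000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x600000, 0x1000),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0),
])

if __name__ == "__main__":
    for name, image in (("flat RWX image", FLAT_RWX_IMAGE), ("split image", SPLIT_IMAGE)):
        print(name + ":", check_wx(image) or ["no W^X findings"])
```

Pointing `check_wx` at a real image (read the file as bytes) gives a quick first-pass answer to the W^X question before any deeper review; it does not detect pages remapped RWX at runtime, which needs inspection of the guest's page tables rather than its headers.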
During this talk, we will present our research on unikernel security standings,
including our methodology for assessing their implementations of memory
hardening techniques. We will also present several attacks against unikernels,
with live demonstrations, and suggest mitigation strategies for the weaknesses
discovered.
Jeff Dileo is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He also likes exotic candies.
Spencer Michaels is a Security Consultant at NCC Group, an information security firm specializing in application, network, and mobile security. At NCC, Spencer performs network and web application penetration testing and code review, as well as research into various low-level technologies. He specializes in virtualization, embedded systems and low-power RF protocols, with <a href="https://ieeexplore.ieee.org/document/7860527/">his research on the latter</a> having been published in the proceedings of IEEE CNS 2016. In his spare time, Spencer enjoys speaking Mandarin and collecting obscure recordings of comically talentless opera singers.