SBIR-STTR Award

Unikernels have long predicted to be the next generation of "cloud software" - for their performance, security and consolidation points, however, their low level nature and need for re-compilation have kept massive adoption from proceeding. NanoVMs has created a method of producing unikernels from normal linux binaries that has the potential to dramatically change how server side software is provisioned. Unikernels can boot faster than any known system today - in < 5ms and can run much faster at run-time. Many researchers can run databases such as cassandra and mysql up to 20%. The reason is their focus on being a single-process system - meaning all the resources available in a given virtual machine are dedicated to running one program versus a linux system that has hundreds of programs pre-installed all running. Unikernels are noted for their security properties of not having a shell, not having the notion of usernames/passwords, embracing the single process model disallowing arbitrary programs from running and their reduction in attack surface.

NanoVMs proposes developing a new type-1 hypervisor specifically tuned for unikernels. Unikernels run Linux software faster and safer than Linux. Unikernels are provisioned as small, isolated virtual machines that run one and only one program. Unikernels have no users, passwords, remote login, ssh or shell. While unikernels such as the open-source Nanos unikernel made by NanoVMs run in production environments across many public clouds and private datacenters, legacy software sometimes cannot be ran as they use the multi-process paradigm whereas unikernels are single-process and many threaded. Furthermore, additional security and performance benefits are constrained by legacy hypervisors that are not unikernel aware as they assume guests are heavy-weight general purpose operating systems. Today unikernels cannot run applications such as Postgresql as it inherently uses multiple processes, shared memory, IPC calls and more. The classic unikernel design is a single process, many thread architecture. This limits expensive context switching and eliminates entire classes of software vulnerabilities – that is the ability to fork/exec entirely new programs after compromising writeable and executable memory. If one wanted to run something like PostgreSQL or any other application made this way one could convert new process instantiation to threads but the patching doesn’t stop there. The level of patching required for software like this can be done but it ends up becoming a completely different piece of software. The multiple-process paradigm was heavily used in the mid 90s when a lot of this software was created. This was before commercialized public cloud, commercialized virtualization and before commercially available SMP systems and before when true threading was useable in Linux. Unikernels generally run much faster than when provisioned on Linux systems namely because there is a lot less context switching. Unikernels are limited from achieving to their true potential though because the underlying hypervisor, of which they are always provisioned on top of assumes a general-purpose operating system. Hypervisors are generally unaware of their guests scheduling and the guest is unaware of the host scheduling. Both prevent further performance from being realized. Further, most hypervisors limit the number of guests to be ran arbitrarily as they assume general purpose operating system guests that consume many more resources. Unikernels tend to take up fewer resources as there are only single application workloads being ran. For latency sensitive workloads such as 5G using NFV services performance becomes an increasingly attractive benefit for creating a hypervisor specifically tuned for running unikernel workloads. This project proposes adding secure VM to VM IPC primitives to allow multi-process workloads to function in a unikernel based environment while adding guest introspection to scale both latency and density of unikernel fleets.