
Attack Surface: Why I Unikernel, Part 1 - luu
http://www.somerandomidiot.com/blog/2014/08/11/attack-surface-area/
======
acqq
The background:

"Unikernels: Rise of the Virtual Library Operating System"

[http://queue.acm.org/detail.cfm?id=2566628](http://queue.acm.org/detail.cfm?id=2566628)

It got only a few comments on HN 116 days ago:
[https://news.ycombinator.com/item?id=8025493](https://news.ycombinator.com/item?id=8025493)

------
tedunangst
Also, the how: [http://www.somerandomidiot.com/blog/2014/08/18/i-am-unikernel/](http://www.somerandomidiot.com/blog/2014/08/18/i-am-unikernel/)

~~~
acqq
Thanks! It's a "high-level summary" of all necessary steps needed to host the
site with the described technologies. Reading it:

"I start up the build host, then once it’s responding, I scp my unikernel,
mir-www.xen, over to its filesystem. The blog is currently about 17 megabytes
(mostly high-resolution embroidery photos), so this is starting to take a
while; soon I’ll have to do something smarter."

"Each deployment makes a 1GB snapshot, so soon I’ll have enough snapshots on
EC2 that I’ll have to go in and delete a few."

What's the size of the final binary that actually runs? 17 MB or 1 GB?

~~~
mje__
The smallest EBS snapshot you can create is 1GB

------
vec
So what's the advantage of doing this over just using S3/CloudFront static
hosting? In either case your attack surface is essentially that of AWS itself
and S3 hosting seems like it would be much simpler (and almost certainly much
cheaper).

~~~
lbotos
In theory you can use a unikernel to run a rails app, python app, etc. This
post uses static sites as the example but I think it's more of a "prep" than
the end all be all use.

~~~
mercurial
I don't think Mirage is quite mature enough for that yet, but eventually, it
should be possible to run at least an Ocsigen/Eliom (OCaml web framework) on
it.

------
crazytony
Seems like an ok 'Hello, Unikernel' article if a bit forced but her point
about bots mining on AWS actually undermines her deployment strategy: the
miners have been compromising AWS credentials/security NOT boxes hosted on
AWS. They don't want your little t2.micro instance running a static server.
They start up new c3.8xlarge instances and deploy their software.

She's still hosting this thing in AWS so she's still vulnerable and no amount
of Unikerneling is going to save her from that attack vector.

Sorry for the pun and creating a verb out of a noun.

~~~
Someone
No apologies are needed. In English, you can verb any noun
([http://en.m.wiktionary.org/wiki/Citations:verb](http://en.m.wiktionary.org/wiki/Citations:verb))

~~~
sp332
Today's xkcd [http://xkcd.com/1443/](http://xkcd.com/1443/)

------
krick
While obviously overkill to run a small blog, it certainly feels tempting. If
it could be efficiently automated, surely it is worth a try.

However, what I'm more interested in is how Mirage works for, say, more
practical tasks. It has been quite some time since it first came up, and there
were a few blog posts about how to do this or that on Mirage OS, yet I never
saw any real benchmarking. Is Mirage more/less/about-the-same effective in
serving static content than nginx on Linux? Is it any worse/better than
CloudFront static hosting for that purpose? How about real apps on multiple
nodes using Mirage? How about its performance on ARM (as I understand that's
still largely an experiment, but anyway, it is an interesting enough topic to
talk about)? I never saw an analysis of it by any actual security professional
either. Essentially speaking, I'm a bit upset that such an interesting project
gathers somewhat less attention than, it feels to me, it should.

------
zokier
How does his setup compare to running the blog in a minimal (i.e. not full
distro based) Docker container?

~~~
acqq
_Her_ setup is based on the unikernel, which is practically "a custom minimal
OS doing only one thing," with only Xen underneath. Since Xen is underneath,
it doesn't even have to customize the drivers for the different hardware --
Xen does that. A Docker container has a bunch of regular stuff which runs on
Linux, but separated from the other stuff.

------
breischl
Very cool idea. It actually reminds me of how the Azure PaaS offering (Web &
Worker Roles) works - you just send up the code you want to run and they run
it. It's different than the unikernel because under the covers Azure is
running a full Windows OS, but from a user perspective it's not all that
different.

------
peterwwillis
Breaking news: Hipster bloggers use all-organic artisanal application stacks
to replace an operating system with a smaller, more intimate operating system
that thinks the 90s were just so cool, man, even if they have to spend all
their time to reinvent the wheel without any obvious benefit. Film at 11.

~~~
zem
did you even read the post? she spent several paragraphs talking about the
attack-resistance benefits running on a unikernel provided.

also, when did people here start looking down on hacking for the sheer joy of
it? personally, i found this post pretty inspiring; i've been looking for
people who are doing stuff with mirage other than hacking on mirage itself.

~~~
x0x0
Which is still less secure than running her static site straight out of s3.

~~~
acqq
Possibly, but she can't modify the code of S3, whereas she can modify the
unikernel as much as she wants. It's only that at this moment the static pages
are enough.

Storing something on S3 has an order of magnitude fewer hacker points than
doing this.

