A Unikernel Firewall for QubesOS


[from the original post at: http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/]

QubesOS provides a desktop operating system made up of multiple virtual machines, running under Xen. To protect against buggy network drivers, the physical network hardware is accessed only by a dedicated (and untrusted) “NetVM”, which is connected to the rest of the system via a separate (trusted) “FirewallVM”. This firewall VM runs Linux, processing network traffic with code written in C.

In this blog post, I replace the Linux firewall VM with a MirageOS unikernel. The resulting VM uses safe (bounds-checked, type-checked) OCaml code to process network traffic, uses less than a tenth of the memory of the default FirewallVM, boots several times faster, and should be much simpler to audit or extend.


Please report any crashes (I haven’t received any reports yet, which makes me think people aren’t using it seriously yet). I’ve been using it for a few days and had some issues with running out of memory occasionally (the solution here is not to increase memory; the problems are generally caused by not running the GC at the right times). I’ve fixed a few, but some may remain.

(I also heard that the Linux sys-firewall can actually run in 200 MB, so I’m now running my unikernel in 20 MB ;-))