A Unikernel Firewall for QubesOS


#1

[from the original post at: http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/]

QubesOS provides a desktop operating system made up of multiple virtual machines, running under Xen. To protect against buggy network drivers, the physical network hardware is accessed only by a dedicated (and untrusted) “NetVM”, which is connected to the rest of the system via a separate (trusted) “FirewallVM”. This firewall VM runs Linux, processing network traffic with code written in C.

In this blog post, I replace the Linux firewall VM with a MirageOS unikernel. The resulting VM uses safe (bounds-checked, type-checked) OCaml code to process network traffic, uses less than a tenth of the memory of the default FirewallVM, boots several times faster, and should be much simpler to audit or extend.


#2

Please report any crashes (I haven’t received any reports yet, which makes me think people aren’t using it seriously yet). I’ve been using it for a few days and had some issues with running out of memory occasionally (the solution here is not to increase memory; the problems are generally caused by not running the GC at the right times). I’ve fixed a few, but some may remain.

(I also heard that the Linux sys-firewall can actually run in 200 MB, so I’m now running my unikernel in 20 MB ;-))