Shrink Wrap Your OS
NanoVMs offers a Unikernel that minimizes the software running in the operating system, thus reducing the attack surface.

During my early years working Unix security at Bell Labs in the mid-1980’s, I remember following (and envying) some amazing research going on at CMU. Under the direction of Professor Rick Rashid, the team in Pittsburgh was inventing a new OS design concept known as a microkernel. I sincerely believe that their work, which resulted in the Mach OS, is one of the more important achievements in the history of cyber security.

Sadly, in the years following Mach 3.0 in the mid-1990’s, the OS community drifted in the direction of plug-and-play. That is, to reduce the cost of users having trouble installing drivers or making applications work, developers began putting everything but the kitchen sink into the OS. This had the effect of helping Grandma connect her PC to a printer, but it also created enormous bloat in the software that runs on our computers.

From a security perspective, this expansion in size and scope helps explain the stubborn resilience of malware – even in the presence of advanced protections. By offering a wide computing base for malicious code, large operating systems expanded the attack surface, and made it easier for hackers to find an execution path for their exploits. In this way, the expansive OS helps not just Grandma, but also terrorists targeting critical infrastructure.

The TAG Cyber team had the opportunity last week to connect with a start-up called NanoVMs. Backed by heady investors including Ron Gula and Ray Rothrock, the company focuses on offering so-called Unikernels for enterprise, cloud, and other computing environments. Ian Eyberg was our tour guide to the NanoVMs Unikernel approach – and his direct, PowerPoint-free explanation was refreshing. Here is what I learned:

“We don’t consider ourselves a security company,” he explained. “We are a software infrastructure company. But the security advantages of a Unikernel should be obvious, because it helps an organization provide a more proactive defense, rather than just responding to incidents. For this reason, we find that security organizations are often the champions behind engagements they might have with us for support.”

First, it is worth noting that while a Unikernel and microkernel are more-or-less the same thing, Eyberg did offer a nuanced explanation of subtle differences between the two, related to issues such as process management. I suspect that hardcore OS developers would scoff at my equating the two, but for the purposes of this article, I’ll not make any distinction. Both Unikernels and microkernels minimize code in the OS – and for security, this is awesome.

One Unikernel use-case we discussed involved microservices in the cloud. Enterprise teams know that microservices provide the isolation required to minimize lateral traversal, as seen in APTs. The problem is that containers can introduce performance and maintenance issues. Unikernels, in contrast, allow one to match a monolithic workload function to the underlying features of the OS. The result is easier debugging, greater scalability, and faster deployment.

Another interesting use-case we discussed involved support for serverless computing, which is now popular in data center environments where Linux and containers might be causing security and performance issues. Eyberg explained how Unikernels are easier to boot, simpler to maintain, and much more consistent with the common need to implement auto-scaling for different applications.

It is certainly true that NanoVMs might not be for everyone. Small companies that do not maintain or administer their own computing will probably not be good targets for Unikernels. And with more companies blindly pushing their workloads out to XaaS environments where the underlying data management model is unknown, it is unclear how NanoVMs will convince them to care about OS minimization.

But NanoVMs should enjoy a tailwind from larger organizations that continue to manage computing infrastructure. Interest will be especially intense from banks and telecom companies, for example, where the need to micro-segment workloads is intense. I’d expect to see spill-over as well from the open-source community using tools such as Firecracker, but who would like to work with a commercial vendor.

I encourage you to take a look at this. It’s rare that an old grumpy analyst like me finds something interesting and exciting, but this is one of those cases. NanoVMs has a fine solution, and although tiny, is likely to grow as more companies see the clear security benefit of shrink-wrapping the OS to meet the minimal needs of a workload. As always, please share with us your learning after you look into this technology.


Ellis Belfer

Lead Software/DevOps Engineer

5 years

Yes, only run the absolute minimum of required services to minimize the attack surface.

Effective hardening makes a huge difference! Don't be the low hanging fruit.
