Unikernel Apocalypse Big Trouble in Ring 0 presented at toorcon2018SanDiego 2018

by Jeff Dileo, Spencer Michaels,

Summary : "Unikernels" are specialized, single-address-space machine images that run entirely in ring 0 as a guest VM atop a hypervisor. They typically bundle application code and a framework platform on top of a thin hypercall-based IO/IPC layer used to perform IO. Typically famous for double (and sometimes single) digit millisecond boot times, Unikernels are a product of security nihilism taken to its logical extreme. Unikernel developers consider most extant software stacks insecure and have taken it upon themselves to throw everything away and reinvent the _entire_ programming and system stack anew. During this talk, we will present our research on unikernel security standings, including our methodology for assessing their implementations of memory hardening techniques. We will also present several attacks against unikernels, with live demonstrations, and suggest mitigation strategies for the weaknesses discovered.Operating systems are insecure. Why do we even need them anyway? Why not just run our web apps in kernel space and let the cloud schedule CPU and I/O?What could go wrong?In an effort to mitigate security and performance issues caused by application and OS functionality bloat, some are attempting to combine the concept of library operating systems with modern virtualization technologies to create purpose-built lightweight virtual machines that strip out "unnecessary" functionality. These "unikernels" are specialized, single-address-space machine images that have been coupled with a kernel and thin OS stub layer to create a single binary blob.Proponents of unikernels claim that their smaller total codebases and lack of excess services make them more efficient and secure than applications running on top of full operating systems, either as a container or a virtual machine. We surveyed several major unikernels, and found that this was decidedly not the case; unikernels, which in many ways resemble embedded systems, often have a similarly negligible level of security. Standard memory hardening practices such as ASLR, W^X, stack canaries, heap integrity checks, and more are completely absent or seriously flawed. As such, it is frequently possible for attackers to achieve code execution as a result of memory corruption vulnerabilities within unikernel applications, even in cases where the application's source and binary are unknown. Furthermore, because the application and "kernel" code run together as a single process within kernel memory, an attacker who compromises a unikernel can immediately exploit functionality that would require privilege escalation on a regular operating system, such as raw packet I/O.During this talk, we will present our research on unikernel security standings, including our methodology for assessing their implementations of memory hardening techniques. We will also present several attacks against unikernels, with live demonstrations, and suggest mitigation strategies for the weaknesses discovered.