Xen Project Releases 1.0 of Mirage OS
Mirage OS is a ‘cloud operating system’ that seeks to avoid security vulnerabilities and bloat by facilitating the creation of single-purpose virtual appliances. Applications are developed in the OCaml functional programming language and compiled into standalone ‘unikernels’ that run directly on the Xen hypervisor. By removing the traditional operating system and replacing it with language libraries that replicate operating system constructs, Mirage offers the promise of smaller, faster applications with a reduced attack surface. Applications can be deployed directly into Xen-based public clouds such as Amazon’s EC2 and Rackspace Cloud.
The Mirage OS approach is likely to appeal most to creators of infrastructure software such as web servers, DNS servers and software-defined networking (SDN). University of Cambridge contributor Anil Madhavapeddy comments:
Mirage represents our dream to be able to rapidly build specialised infrastructure applications using modern, modular programming techniques such as those found in OCaml. We've seen a lot of datacenter tools being written in high-level languages (most often Java and Scala), and we wanted to explore the benefits (and drawbacks!) of bringing functional programming techniques down to the bare metal.
Porting it to run on other hypervisors such as VMWare, KVM and Hyper-V is simply a matter of writing an appropriate bootloader and virtual device drivers. This is an excellent project for someone who wants to get their feet wet with systems programming, and we'd be happy to mentor them on our mailing list (firstname.lastname@example.org).
A significant potential application area for Mirage OS is to provide a smaller and more secure ‘domain 0’, the special domain used for the management of a hypervisor. Anil Madhavapeddy states that this has been one of the primary drivers behind Mirage development:
The XenServer distribution has been steadily eliminating the requirement for a single monolithic "domain 0" for some years now, and Mirage provides the final piece of the puzzle: a programming environment to convert the management toolstack into a set of specialised microkernels that communicate and achieve consensus with each other using standard distributed systems protocols. This will really raise the bar for building more secure clouds, since the management toolstack holds the keys to all the customer data held within the virtual machines in a cluster.
On the question of why OCaml was chosen, University of Cambridge contributor Richard Mortier says:
Several reasons: tried and tested functional language; active community; very efficient and relatively simple to port runtime; large parts of the Xen management stack were already written in OCaml; the powerful module system makes it possible to really effectively modularise the system.
When asked about potential tie-ins to trusted execution environments, Citrix XenServer systems architect David Scott explains:
For me, there are two important aspects to trusted execution: (i) how do you check that you're running the binary you thought you were running; and (ii) how do you know the code is doing what you think it should be doing. Techniques such as measured boot focus on the first of these: checking you're running the right binary. Mirage helps with the second by:
- Minimising the attack surface by only linking in the libraries you need.
- Allowing your configuration to be linked into your app, rather than stored somewhere external on a (possibly mutable) filesystem.
- Maximising the amount of code which is immune to certain kinds of memory corruption and buffer overflow attacks.
The Mirage OS team are also targeting embedded applications and Internet of Things (IoT) use cases. Anil Madhavapeddy points out that ‘the OCaml compiler itself is easy to retarget to tiny targets (even a PIC18 microcontroller)’, but ‘the bulk of the effort is around the build systems’. The development team are moving their personal web pages to Mirage OS based servers over the holidays, with one of them using a Raspberry Pi as the back end.