[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:18.66,Default,,0000,0000,0000,,{\i1}36c3 intro{\i0} Dialogue: 0,0:00:18.66,0:00:23.91,Default,,0000,0000,0000,,Herald: Good morning again. Thanks. First\Noff for today is by Hannes Mehnert. It's Dialogue: 0,0:00:23.91,0:00:29.39,Default,,0000,0000,0000,,titled "Leaving Legacy Behind". It's about\Nthe reduction of carbon footprint through Dialogue: 0,0:00:29.39,0:00:33.23,Default,,0000,0000,0000,,micro kernels in MirageOS. Give a warm\Nwelcome to Hannes. Dialogue: 0,0:00:33.23,0:00:39.25,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:00:39.25,0:00:45.06,Default,,0000,0000,0000,,Hannes Mehnert: Thank you. So let's talk a\Nbit about legacy, so legacy we had have. Dialogue: 0,0:00:45.06,0:00:50.00,Default,,0000,0000,0000,,Nowadays we run services usually on a Unix\Nbased operating system, which is Dialogue: 0,0:00:50.00,0:00:55.08,Default,,0000,0000,0000,,demonstrated here on the left a bit the\Nlayering. So at the lowest layer we have Dialogue: 0,0:00:55.08,0:01:00.83,Default,,0000,0000,0000,,the hardware. So some physical CPU, some\Nlock devices, maybe a network interface Dialogue: 0,0:01:00.83,0:01:06.57,Default,,0000,0000,0000,,card and maybe some memories, some non-\Npersistent memory. On top of that, we Dialogue: 0,0:01:06.57,0:01:13.74,Default,,0000,0000,0000,,usually run the Unix kernel. So to say.\NThat is marked here in brown which is Dialogue: 0,0:01:13.74,0:01:19.58,Default,,0000,0000,0000,,which consists of a filesystem. Then it\Nhas a scheduler, it has some process Dialogue: 0,0:01:19.58,0:01:25.47,Default,,0000,0000,0000,,management that has network stacks. So the\NTCP/IP stack, it also has some user Dialogue: 0,0:01:25.47,0:01:32.35,Default,,0000,0000,0000,,management and hardware and drivers. 
So it\Nhas drivers for the physical hard drive, Dialogue: 0,0:01:32.35,0:01:37.80,Default,,0000,0000,0000,,for their network interface and so on.\NThe ground stuff. So the kernel runs in Dialogue: 0,0:01:37.80,0:01:46.38,Default,,0000,0000,0000,,privilege mode. It exposes a system called\NAPI or and/or a socket API to the Dialogue: 0,0:01:46.38,0:01:52.35,Default,,0000,0000,0000,,actual application where we are there to\Nrun, which is here in orange. So the Dialogue: 0,0:01:52.35,0:01:56.46,Default,,0000,0000,0000,,actual application is on top, which is the\Napplication binary and may depend on some Dialogue: 0,0:01:56.46,0:02:02.88,Default,,0000,0000,0000,,configuration files distributed randomly\Nacross the filesystem with some file Dialogue: 0,0:02:02.88,0:02:08.12,Default,,0000,0000,0000,,permissions set on. Then the application\Nitself also depends likely on a programming Dialogue: 0,0:02:08.12,0:02:14.00,Default,,0000,0000,0000,,language runtime that may either be a Java\Nvirtual machine if you run Java or Python Dialogue: 0,0:02:14.00,0:02:20.14,Default,,0000,0000,0000,,interpreter if you run Python, or a ruby\Ninterpreter if you run Ruby and so on. Dialogue: 0,0:02:20.14,0:02:25.23,Default,,0000,0000,0000,,Then additionally we usually have a system\Nlibrary. Lip C which is just runtime Dialogue: 0,0:02:25.23,0:02:30.79,Default,,0000,0000,0000,,library basically of the C programming\Nlanguage and it exposes a much nicer Dialogue: 0,0:02:30.79,0:02:38.47,Default,,0000,0000,0000,,interface than the system calls. We may as\Nwell have open SSL or another crypto Dialogue: 0,0:02:38.47,0:02:45.36,Default,,0000,0000,0000,,library as part of the application binary\Nwhich is also here in Orange. So what's a Dialogue: 0,0:02:45.36,0:02:50.20,Default,,0000,0000,0000,,drop of the kernel? So the brown stuff\Nactually has a virtual memory subsystem Dialogue: 0,0:02:50.20,0:02:55.11,Default,,0000,0000,0000,,and it should separate the orange stuff\Nfrom each other. 
So you have multiple Dialogue: 0,0:02:55.11,0:03:01.79,Default,,0000,0000,0000,,applications running there and the brown\Nstuff is responsible to ensure that the Dialogue: 0,0:03:01.79,0:03:07.15,Default,,0000,0000,0000,,orange that different pieces of orange\Nstuff don't interfere with each other so Dialogue: 0,0:03:07.15,0:03:12.60,Default,,0000,0000,0000,,that they are not randomly writing into\Neach other's memory and so on. Now if the Dialogue: 0,0:03:12.60,0:03:17.42,Default,,0000,0000,0000,,orange stuff is compromised. So if you\Nhave some attacker from the network or Dialogue: 0,0:03:17.42,0:03:26.54,Default,,0000,0000,0000,,from wherever else who's able to find a\Nflaw in the orange stuff, the kernel is still Dialogue: 0,0:03:26.54,0:03:32.42,Default,,0000,0000,0000,,responsible for strict isolation between\Nthe orange stuff. So as long as the Dialogue: 0,0:03:32.42,0:03:38.07,Default,,0000,0000,0000,,attacker only gets access to the orange\Nstuff, it should be very well contained. Dialogue: 0,0:03:38.07,0:03:42.65,Default,,0000,0000,0000,,But then we look at the bridge between the\Nbrown and orange stuff. So between kernel Dialogue: 0,0:03:42.65,0:03:49.17,Default,,0000,0000,0000,,and user space and there we have an API\Nwhich is roughly 600 system calls at Dialogue: 0,0:03:49.17,0:03:56.36,Default,,0000,0000,0000,,least on my FreeBSD machine here in Sys\Ncalls. So it's 600 different functions or Dialogue: 0,0:03:56.36,0:04:05.24,Default,,0000,0000,0000,,the width of this API is 600 different\Nfunctions, which is quite big. 
And it's Dialogue: 0,0:04:05.24,0:04:12.18,Default,,0000,0000,0000,,quite easy to hide some flaws in there.\NAnd as soon as you're able to find a flaw Dialogue: 0,0:04:12.18,0:04:17.32,Default,,0000,0000,0000,,in any of those system calls, you can\Nescalate your privileges and then you Dialogue: 0,0:04:17.32,0:04:22.25,Default,,0000,0000,0000,,basically run into brown moats and kernel\Nmode and you have access to the raw Dialogue: 0,0:04:22.25,0:04:26.31,Default,,0000,0000,0000,,physical hardware. And you can also read\Narbitrary memory from any processor Dialogue: 0,0:04:26.31,0:04:34.44,Default,,0000,0000,0000,,running there. So now over the years it\Nactually evolved and we added some more Dialogue: 0,0:04:34.44,0:04:39.35,Default,,0000,0000,0000,,layers, which is hypervisors. So at the\Nlowest layer, we still have the hardware Dialogue: 0,0:04:39.35,0:04:45.79,Default,,0000,0000,0000,,stack, but on top of the hardware we now\Nhave a hypervisor, which responsibility it Dialogue: 0,0:04:45.79,0:04:51.30,Default,,0000,0000,0000,,is to split the physical hardware into\Npieces and slice it up and run different Dialogue: 0,0:04:51.30,0:04:56.72,Default,,0000,0000,0000,,virtual machines. So now we have the byte\Nstuff, which is the hypervisor. And on top Dialogue: 0,0:04:56.72,0:05:04.36,Default,,0000,0000,0000,,of that, we have multiple brown things and\Nmultiple orange things as well. So now the Dialogue: 0,0:05:04.36,0:05:12.32,Default,,0000,0000,0000,,hypervisor is responsible for distributing\Nthe CPUs to virtual machines. And the Dialogue: 0,0:05:12.32,0:05:17.13,Default,,0000,0000,0000,,memory to virtual machines and so on. It\Nis also responsible for selecting which Dialogue: 0,0:05:17.13,0:05:21.66,Default,,0000,0000,0000,,virtual machine to run on which physical\NCPU. So it actually includes the scheduler Dialogue: 0,0:05:21.66,0:05:28.95,Default,,0000,0000,0000,,as well. 
And the hypervisors\Nresponsibility is again to isolate the Dialogue: 0,0:05:28.95,0:05:34.36,Default,,0000,0000,0000,,different virtual machines from each\Nother. Initially, hypervisors were done Dialogue: 0,0:05:34.36,0:05:39.89,Default,,0000,0000,0000,,mostly in software. Nowadays, there are a\Nlot of CPU features available, which Dialogue: 0,0:05:39.89,0:05:47.09,Default,,0000,0000,0000,,allows you to have some CPU support, which\Nmakes them fast, and you don't have to Dialogue: 0,0:05:47.09,0:05:52.45,Default,,0000,0000,0000,,trust so much software anymore, but you\Nhave to trust in the hardware. So that's Dialogue: 0,0:05:52.45,0:06:00.15,Default,,0000,0000,0000,,extended page tables and VTD and VTX\Nstuff. OK, so that's the legacy we have Dialogue: 0,0:06:00.15,0:06:08.07,Default,,0000,0000,0000,,right now. So when you ship a binary, you\Nactually care about some tip of the Dialogue: 0,0:06:08.07,0:06:12.23,Default,,0000,0000,0000,,iceberg. That is the code you actually\Nwrite and you care about. You care about Dialogue: 0,0:06:12.23,0:06:18.82,Default,,0000,0000,0000,,deeply because it should work well and you\Nwant to run it. But at the bottom you have Dialogue: 0,0:06:18.82,0:06:23.83,Default,,0000,0000,0000,,the sole operating system and that is the\Ncode. The operating system insist that you Dialogue: 0,0:06:23.83,0:06:30.18,Default,,0000,0000,0000,,need it. So you can't get it without the\Nbottom of the iceberg. So you will always Dialogue: 0,0:06:30.18,0:06:34.67,Default,,0000,0000,0000,,have a process management and user\Nmanagement and likely as well the Dialogue: 0,0:06:34.67,0:06:41.10,Default,,0000,0000,0000,,filesystem around on a UNIX system. 
Then\Nin addition, back in May, I think their Dialogue: 0,0:06:41.10,0:06:48.90,Default,,0000,0000,0000,,was a blog entry from someone who analyzed\Nfrom Google Project Zero, which is a Dialogue: 0,0:06:48.90,0:06:54.54,Default,,0000,0000,0000,,security research team and red team which\Ntries to fund a lot of flaws in vitally Dialogue: 0,0:06:54.54,0:07:02.48,Default,,0000,0000,0000,,use applications . And they found in a\Nyear maybe 110 different vulnerabilities Dialogue: 0,0:07:02.48,0:07:08.33,Default,,0000,0000,0000,,which they reported and so on. And someone\Nanalyzed what these 110 vulnerabilities Dialogue: 0,0:07:08.33,0:07:13.66,Default,,0000,0000,0000,,were about and it turned out that more\Nthan two thirds of them, that the root Dialogue: 0,0:07:13.66,0:07:18.94,Default,,0000,0000,0000,,cause of the flaw was memory corruption.\NAnd memory corruption means arbitrary Dialogue: 0,0:07:18.94,0:07:22.88,Default,,0000,0000,0000,,reads of rights from from arbitrary\Nmemory, which a process that's not Dialogue: 0,0:07:22.88,0:07:29.90,Default,,0000,0000,0000,,supposed to be in. So why does that\Nhappen? That happens because we on the Dialogue: 0,0:07:29.90,0:07:36.16,Default,,0000,0000,0000,,Unix system, we mainly use program\Nlanguages where we have tight control over Dialogue: 0,0:07:36.16,0:07:40.20,Default,,0000,0000,0000,,the memory management. So we do it\Nourselves. So we allocate the memory Dialogue: 0,0:07:40.20,0:07:44.64,Default,,0000,0000,0000,,ourselves and we free it ourselves. There\Nis a lot of boilerplate we need to write Dialogue: 0,0:07:44.64,0:07:53.19,Default,,0000,0000,0000,,down and that is also a lot of boilerplate\Nwhich you can get wrong. So now we talked Dialogue: 0,0:07:53.19,0:07:57.81,Default,,0000,0000,0000,,a bit about legacy. Let's talk about the\Ngoals of this talk. The goals is on the Dialogue: 0,0:07:57.81,0:08:06.67,Default,,0000,0000,0000,,one side to be more secure. 
So to reduce\Nthe attack vectors because C and languages Dialogue: 0,0:08:06.67,0:08:11.87,Default,,0000,0000,0000,,like that from the 70s and we may have\Nsome languages from the 80s or even from Dialogue: 0,0:08:11.87,0:08:17.93,Default,,0000,0000,0000,,the 90s who offer you automated memory\Nmanagement and memory safety languages Dialogue: 0,0:08:17.93,0:08:24.70,Default,,0000,0000,0000,,such as Java or Rust or Python or\Nsomething like that. But it turns out not Dialogue: 0,0:08:24.70,0:08:30.49,Default,,0000,0000,0000,,many people are writing operating systems\Nin those languages. Another point here is Dialogue: 0,0:08:30.49,0:08:37.16,Default,,0000,0000,0000,,I want to reduce the attack surface. So we\Nhave seen this huge stack here and I want Dialogue: 0,0:08:37.16,0:08:45.88,Default,,0000,0000,0000,,to minimize the orange and the brown part.\NThen as an implication of that. I also Dialogue: 0,0:08:45.88,0:08:50.41,Default,,0000,0000,0000,,want to reduce the runtime complexity\Nbecause that is actually pretty cumbersome Dialogue: 0,0:08:50.41,0:08:56.10,Default,,0000,0000,0000,,to figure out what is now wrong. Why does\Nyour application not start? And if the Dialogue: 0,0:08:56.10,0:09:01.83,Default,,0000,0000,0000,,whole reason is because some file on your\Nharddisk has the wrong filesystem Dialogue: 0,0:09:01.83,0:09:09.56,Default,,0000,0000,0000,,permissions, then it's pretty hard to\Nget across if you're not yet a Unix expert Dialogue: 0,0:09:09.56,0:09:16.55,Default,,0000,0000,0000,,who has a lift in the system for years or\Nat least months. And then the final goal, Dialogue: 0,0:09:16.55,0:09:22.27,Default,,0000,0000,0000,,thanks to the topic of this conference and\Nto some analysis I did, is to actually Dialogue: 0,0:09:22.27,0:09:29.75,Default,,0000,0000,0000,,reduce the carbon footprint. 
So if you run\Na service, you certainly that service does Dialogue: 0,0:09:29.75,0:09:37.63,Default,,0000,0000,0000,,some computation and this computation\Ntakes some CPU takes. So it takes some CPU Dialogue: 0,0:09:37.63,0:09:44.76,Default,,0000,0000,0000,,time in order to be evaluated. And now\Nreducing that means if you condense down Dialogue: 0,0:09:44.76,0:09:49.86,Default,,0000,0000,0000,,the complexity and the code size, we also\Nreduce the amount of computation which Dialogue: 0,0:09:49.86,0:09:57.80,Default,,0000,0000,0000,,needs to be done. These are the goals. So\Nwhat are MirageOS unikernels? That is Dialogue: 0,0:09:57.80,0:10:07.46,Default,,0000,0000,0000,,basically the project i have been involved\Nin since six years or so. The general idea Dialogue: 0,0:10:07.46,0:10:14.31,Default,,0000,0000,0000,,is that each service is isolated in a\Nseparate MirageOS unikernel. So your DNS Dialogue: 0,0:10:14.31,0:10:19.72,Default,,0000,0000,0000,,resover or your web server don't run on\Nthis general purpose UNIX system as a Dialogue: 0,0:10:19.72,0:10:25.91,Default,,0000,0000,0000,,process, but you have a separate virtual\Nmachine for each of them. So you have one Dialogue: 0,0:10:25.91,0:10:31.38,Default,,0000,0000,0000,,unikernel which only does DNS resolution\Nand in that unikernel you don't even need Dialogue: 0,0:10:31.38,0:10:35.76,Default,,0000,0000,0000,,a user management. You don't even need\Nprocess management because there's only a Dialogue: 0,0:10:35.76,0:10:41.72,Default,,0000,0000,0000,,single process. There's a DNS resolver.\NActually, a DNS resolver also doesn't Dialogue: 0,0:10:41.72,0:10:47.20,Default,,0000,0000,0000,,really need a file system. So we got rid\Nof that. We also don't really need virtual Dialogue: 0,0:10:47.20,0:10:52.26,Default,,0000,0000,0000,,memory because we only have one process.\NSo we don't need virtual memory and we Dialogue: 0,0:10:52.26,0:10:57.09,Default,,0000,0000,0000,,just use a single address space. 
So\Neverything is mapped in a single address Dialogue: 0,0:10:57.09,0:11:03.34,Default,,0000,0000,0000,,space. We use program language called\NOCaml, which is functional programming Dialogue: 0,0:11:03.34,0:11:08.08,Default,,0000,0000,0000,,language which provides us with memory\Nsafety. So it has automated memory Dialogue: 0,0:11:08.08,0:11:17.28,Default,,0000,0000,0000,,measurement and we use this memory\Nmanagement and the isolation, which the Dialogue: 0,0:11:17.28,0:11:24.33,Default,,0000,0000,0000,,program manager guarantees us by its type\Nsystem. We use that to say, okay, we can Dialogue: 0,0:11:24.33,0:11:28.43,Default,,0000,0000,0000,,all live in a single address space and\Nit'll still be safe as long as the Dialogue: 0,0:11:28.43,0:11:34.58,Default,,0000,0000,0000,,components are safe. And as long as we\Nminimize the components which are by Dialogue: 0,0:11:34.58,0:11:42.64,Default,,0000,0000,0000,,definition unsafe. So we need to run some\NC code there as well. So in addition, Dialogue: 0,0:11:42.64,0:11:47.66,Default,,0000,0000,0000,,well. Now, if we have a single service, we\Nonly put in the libraries or the stuff we Dialogue: 0,0:11:47.66,0:11:51.70,Default,,0000,0000,0000,,actually need in that service. So as I\Nmentioned that the DNS resolver won't need Dialogue: 0,0:11:51.70,0:11:56.59,Default,,0000,0000,0000,,a user management, it doesn't need a\Nshell. Why would I need to shell? What Dialogue: 0,0:11:56.59,0:12:02.89,Default,,0000,0000,0000,,should I need to do there? And so on. So\Nwe have a lot of libraries, a lot of OCaml Dialogue: 0,0:12:02.89,0:12:09.75,Default,,0000,0000,0000,,libraries which are picked by the single\Nservers or which are mixed and matched for Dialogue: 0,0:12:09.75,0:12:14.16,Default,,0000,0000,0000,,the different services. 
So libraries are\Ndeveloped independently of the whole Dialogue: 0,0:12:14.16,0:12:20.01,Default,,0000,0000,0000,,system or of the unikernel and are reused\Nacross the different components or across Dialogue: 0,0:12:20.01,0:12:26.91,Default,,0000,0000,0000,,the different services. Some further\Nlimitation which I take as freedom and Dialogue: 0,0:12:26.91,0:12:32.84,Default,,0000,0000,0000,,simplicity is not even we have a single\Naddress space. We are also only focusing Dialogue: 0,0:12:32.84,0:12:37.84,Default,,0000,0000,0000,,on single core and have a single process.\NSo we don't have a process. We don't know Dialogue: 0,0:12:37.84,0:12:46.68,Default,,0000,0000,0000,,the concept of process yet. We also don't\Nwork in a preemptive way. So preemptive Dialogue: 0,0:12:46.68,0:12:52.79,Default,,0000,0000,0000,,means that if you run on a CPU as a\Nfunction or as a program, you can at any Dialogue: 0,0:12:52.79,0:12:58.02,Default,,0000,0000,0000,,time be interrupted because something\Nwhich is much more important than you can Dialogue: 0,0:12:58.02,0:13:03.97,Default,,0000,0000,0000,,now get access to the CPU. And we don't do\Nthat. We do co-operative tasks. So we are Dialogue: 0,0:13:03.97,0:13:08.53,Default,,0000,0000,0000,,never interrupted. We don't even have\Ninterrupts. So there are no interrupts. Dialogue: 0,0:13:08.53,0:13:13.48,Default,,0000,0000,0000,,And as I mentioned, it's executed as a\Nvirtual machine. So how does that look Dialogue: 0,0:13:13.48,0:13:17.52,Default,,0000,0000,0000,,like? So now we have the same picture as\Npreviously. We have at the bottom the Dialogue: 0,0:13:17.52,0:13:22.73,Default,,0000,0000,0000,,hypervisor. Then we have the host system,\Nwhich is the brownish stuff. And on top of Dialogue: 0,0:13:22.73,0:13:29.85,Default,,0000,0000,0000,,that we have maybe some virtual machines.\NSome of them run via KVM and qemu UNIX Dialogue: 0,0:13:29.85,0:13:34.78,Default,,0000,0000,0000,,system. 
Using some Virtio that is on the\Nright and on the left. And in the middle Dialogue: 0,0:13:34.78,0:13:41.90,Default,,0000,0000,0000,,we have this MirageOS as Unicode where we\Nand the whole system don't run any qemu, Dialogue: 0,0:13:41.90,0:13:49.92,Default,,0000,0000,0000,,but we run a minimized so-called tender,\Nwhich is this solo5-hvt monitor process. Dialogue: 0,0:13:49.92,0:13:55.15,Default,,0000,0000,0000,,So that's something which just tries to\Nallocate or will allocate some host system Dialogue: 0,0:13:55.15,0:14:01.58,Default,,0000,0000,0000,,resources for the virtual machine and then\Ndoes interaction with the virtual machine. Dialogue: 0,0:14:01.58,0:14:06.99,Default,,0000,0000,0000,,So what does this solo5-hvt do in this\Ncase is to set up the memory, load the Dialogue: 0,0:14:06.99,0:14:12.31,Default,,0000,0000,0000,,unikernel image which is a statically\Nlinked ELF binary and it sets up the Dialogue: 0,0:14:12.31,0:14:17.83,Default,,0000,0000,0000,,virtual CPU. So the CPU needs some\Ninitialization and then booting is jumped Dialogue: 0,0:14:17.83,0:14:24.74,Default,,0000,0000,0000,,to an address. It's already in 64 bit mode.\NThere's no need to boot via 16 or 32 bit Dialogue: 0,0:14:24.74,0:14:34.08,Default,,0000,0000,0000,,modes. Now solo5-hvt and the MirageOS they\Nalso have an interface and the interface Dialogue: 0,0:14:34.08,0:14:38.82,Default,,0000,0000,0000,,is called hyper calls and that interface\Nis rather small. So it only contains in Dialogue: 0,0:14:38.82,0:14:46.02,Default,,0000,0000,0000,,total 14 different functions. Which main\Nfunction yields a way to get the argument Dialogue: 0,0:14:46.02,0:14:52.85,Default,,0000,0000,0000,,vector clock. 
Actually, two clocks, one is\Na POSIX clock, which takes care of this Dialogue: 0,0:14:52.85,0:14:58.34,Default,,0000,0000,0000,,whole time stamping and timezone business\Nand another one in a monotonic clock which Dialogue: 0,0:14:58.34,0:15:06.57,Default,,0000,0000,0000,,by its name guarantees that time will pass\Nmonotonically. Then the other console Dialogue: 0,0:15:06.57,0:15:12.51,Default,,0000,0000,0000,,interface. The console interface is only\None way. So we only output data. We never Dialogue: 0,0:15:12.51,0:15:18.15,Default,,0000,0000,0000,,read from console. A block device. Well a\Nblock devices and network interfaces and Dialogue: 0,0:15:18.15,0:15:25.83,Default,,0000,0000,0000,,that's all the hyper calls we have. To\Nlook a bit further down into detail of how Dialogue: 0,0:15:25.83,0:15:34.71,Default,,0000,0000,0000,,a MirageOS unikernel looks like. Here I\Npictured on the left again the tender at Dialogue: 0,0:15:34.71,0:15:41.27,Default,,0000,0000,0000,,the bottom, and then the hyper calls. And\Nthen in pink I have the pieces of code Dialogue: 0,0:15:41.27,0:15:46.94,Default,,0000,0000,0000,,which still contain some C code and the\NMirageOS unikernel. And in green I have Dialogue: 0,0:15:46.94,0:15:55.14,Default,,0000,0000,0000,,the pieces of code which does not include\Nany C code, but only OCaml code. So Dialogue: 0,0:15:55.14,0:16:00.43,Default,,0000,0000,0000,,looking at the C code which is dangerous\Nbecause in C we have to deal with memory Dialogue: 0,0:16:00.43,0:16:05.75,Default,,0000,0000,0000,,management on our own, which means it's a\Nbit brittle. We need to carefully review Dialogue: 0,0:16:05.75,0:16:10.79,Default,,0000,0000,0000,,that code. It is definitely the OCaml\Nruntime which we have here, which is round Dialogue: 0,0:16:10.79,0:16:18.58,Default,,0000,0000,0000,,25 thousand lines of code. 
Then we have a\Nlibrary which is called nolibc which is Dialogue: 0,0:16:18.58,0:16:24.34,Default,,0000,0000,0000,,basically a C library which implements\Nmalloc and string compare and some Dialogue: 0,0:16:24.34,0:16:29.44,Default,,0000,0000,0000,,basic functions which are needed by the\NOCaml runtime. That's roughly 8000 lines Dialogue: 0,0:16:29.44,0:16:37.06,Default,,0000,0000,0000,,of code. That nolibc also provides a lot\Nof stops which just exit to or return Dialogue: 0,0:16:37.06,0:16:46.85,Default,,0000,0000,0000,,null for the OCaml runtime because we use\Nan unmodified OCaml runtime to be able to Dialogue: 0,0:16:46.85,0:16:50.75,Default,,0000,0000,0000,,upgrade our software more easily. We don't\Nhave any patents for The OCaml runtime. Dialogue: 0,0:16:50.75,0:16:57.42,Default,,0000,0000,0000,,Then we have a library called\Nsolo5-bindings, which is basically Dialogue: 0,0:16:57.42,0:17:03.22,Default,,0000,0000,0000,,something which translates into hyper\Ncalls or which can access a hyper calls Dialogue: 0,0:17:03.22,0:17:07.85,Default,,0000,0000,0000,,and which communicates with the host\Nsystem via hyper calls. That is roughly Dialogue: 0,0:17:07.85,0:17:14.91,Default,,0000,0000,0000,,2000 lines of code. Then we have a math\Nlibrary for sinus and cosinus and tangents Dialogue: 0,0:17:14.91,0:17:20.94,Default,,0000,0000,0000,,and so on. And that is just the openlibm\Nwhich is originally from the freeBSD Dialogue: 0,0:17:20.94,0:17:26.98,Default,,0000,0000,0000,,project and has roughly 20000 lines of\Ncode. So that's it. So I talked a bit Dialogue: 0,0:17:26.98,0:17:32.27,Default,,0000,0000,0000,,about solo5, about the bottom layer and I\Nwill go a bit more into detail about the Dialogue: 0,0:17:32.27,0:17:40.12,Default,,0000,0000,0000,,solo5 stuff, which is really the stuff \Nwhich you run at the bottom Dialogue: 0,0:17:40.12,0:17:46.14,Default,,0000,0000,0000,,of the MirageOS. 
There's another choice.\NYou can also run Xen or Qubes OS at Dialogue: 0,0:17:46.14,0:17:50.87,Default,,0000,0000,0000,,the bottom of the MirageOS unikernel. But\NI'm focusing here mainly on solo5. So Dialogue: 0,0:17:50.87,0:17:56.85,Default,,0000,0000,0000,,solo5 has a sandbox execution environment\Nfor unikernels. It handles resources from Dialogue: 0,0:17:56.85,0:18:03.91,Default,,0000,0000,0000,,the host system, but only aesthetically.\NSo you say at startup time how much memory Dialogue: 0,0:18:03.91,0:18:09.15,Default,,0000,0000,0000,,it will take. How many network interfaces\Nand which ones are taken and how many Dialogue: 0,0:18:09.15,0:18:13.52,Default,,0000,0000,0000,,block devices and which ones are taken by\Nthe virtual machine. You don't have any Dialogue: 0,0:18:13.52,0:18:19.43,Default,,0000,0000,0000,,dynamic resource management, so you can't\Nadd at a later point in time a new network Dialogue: 0,0:18:19.43,0:18:28.04,Default,,0000,0000,0000,,interface. That's just not supported. And it\Nmakes the code much easier. We don't even Dialogue: 0,0:18:28.04,0:18:36.36,Default,,0000,0000,0000,,have dynamic allocation inside of \Nsolo5. We have a hyper cool interface. As I Dialogue: 0,0:18:36.36,0:18:42.33,Default,,0000,0000,0000,,mentioned, it's only 14 functions. We have\Nbindings for different targets. So we can Dialogue: 0,0:18:42.33,0:18:49.64,Default,,0000,0000,0000,,run on KVM, which is hypervisor developed\Nfor the Linux project, but also for Dialogue: 0,0:18:49.64,0:18:57.06,Default,,0000,0000,0000,,Beehive, which is a free BSD hypervisor or\NVMM which is openBSD hypervisor. 
We also Dialogue: 0,0:18:57.06,0:19:01.92,Default,,0000,0000,0000,,target other systems such as the g-node,\Nwich is an operating system, based on a Dialogue: 0,0:19:01.92,0:19:08.83,Default,,0000,0000,0000,,micro kernel written mainly in C++,\Nvirtio, which is a protocol usually spoken Dialogue: 0,0:19:08.83,0:19:15.49,Default,,0000,0000,0000,,between the host system and the guest\Nsystem, and virtio is used in a lot of Dialogue: 0,0:19:15.49,0:19:22.77,Default,,0000,0000,0000,,cloud deployments. So it's OK. So qemu for\Nexample, provides you with a virtio Dialogue: 0,0:19:22.77,0:19:29.43,Default,,0000,0000,0000,,protocol implementation. And a last\Nimplementation of solo5 or bindings for Dialogue: 0,0:19:29.43,0:19:38.57,Default,,0000,0000,0000,,solo5 is seccomb. So Linux seccomb is a\Nfilter in the Linux kernel where you can Dialogue: 0,0:19:38.57,0:19:47.18,Default,,0000,0000,0000,,restrict your process that will only use a\Ncertain number or a certain amount of Dialogue: 0,0:19:47.18,0:19:53.79,Default,,0000,0000,0000,,system calls and we use seccomb so you can\Ndeploy it without virtual machine in the Dialogue: 0,0:19:53.79,0:20:02.27,Default,,0000,0000,0000,,second case, but you are restricted to\Nwhich system calls you can use. So solo5 Dialogue: 0,0:20:02.27,0:20:06.50,Default,,0000,0000,0000,,also provides you with the host system\Ntender where applicable. So in the virtio Dialogue: 0,0:20:06.50,0:20:11.88,Default,,0000,0000,0000,,case it not applicable. In the g-note case\Nit is also not applicable. In KVM we Dialogue: 0,0:20:11.88,0:20:19.22,Default,,0000,0000,0000,,already saw the solo5 HVT, wich is a\Nhardware virtualized tender. Which is just Dialogue: 0,0:20:19.22,0:20:25.79,Default,,0000,0000,0000,,a small binary because if you run qemu at\Nleast hundreds of thousands of lines of Dialogue: 0,0:20:25.79,0:20:36.17,Default,,0000,0000,0000,,code in the solo5 HVT case, it's more like\Nthousands of lines of code. 
So here we Dialogue: 0,0:20:36.17,0:20:42.93,Default,,0000,0000,0000,,have a comparison from left to right of\Nsolo5 and how the host system or the host Dialogue: 0,0:20:42.93,0:20:49.10,Default,,0000,0000,0000,,system kernel and the guest system works.\NIn the middle we have a virtual machine, a Dialogue: 0,0:20:49.10,0:20:54.49,Default,,0000,0000,0000,,common Linux qemu KVM based virtual\Nmachine for example, and on the right hand Dialogue: 0,0:20:54.49,0:20:59.97,Default,,0000,0000,0000,,we have the host system and the container.\NContainer is also a technology where you Dialogue: 0,0:20:59.97,0:21:08.48,Default,,0000,0000,0000,,try to restrict as much access as you can\Nfrom process. So it is contained and the Dialogue: 0,0:21:08.48,0:21:14.94,Default,,0000,0000,0000,,potential compromise is also very isolated\Nand contained. On the left hand side we Dialogue: 0,0:21:14.94,0:21:21.27,Default,,0000,0000,0000,,see that solo5 is basically some bits and\Npieces in the host system. So is the solo5 Dialogue: 0,0:21:21.27,0:21:27.38,Default,,0000,0000,0000,,HVT and then some bits and pieces in\NUnikernel. So is the solo5 findings I Dialogue: 0,0:21:27.38,0:21:31.20,Default,,0000,0000,0000,,mentioned earlier. And that is to\Ncommunicate between the host and the guest Dialogue: 0,0:21:31.20,0:21:37.10,Default,,0000,0000,0000,,system. In the middle we see that the API\Nbetween the host system and the virtual Dialogue: 0,0:21:37.10,0:21:41.31,Default,,0000,0000,0000,,machine. It's much bigger than this. And\Ncommonly using virtio and virtio is really Dialogue: 0,0:21:41.31,0:21:48.92,Default,,0000,0000,0000,,a huge protocol which does feature\Nnegotiation and all sorts of things where Dialogue: 0,0:21:48.92,0:21:54.01,Default,,0000,0000,0000,,you can always do something wrong, like\Nyou can do something wrong and a floppy Dialogue: 0,0:21:54.01,0:21:58.65,Default,,0000,0000,0000,,disk driver. 
And that led to some\Nexploitable vulnerability, although Dialogue: 0,0:21:58.65,0:22:04.48,Default,,0000,0000,0000,,nowadays most operating systems don't\Nreally need a floppy disk drive anymore. Dialogue: 0,0:22:04.48,0:22:08.18,Default,,0000,0000,0000,,And on the right hand side, you can see\Nthat the whole system interface for a Dialogue: 0,0:22:08.18,0:22:12.53,Default,,0000,0000,0000,,container is much bigger than for a\Nvirtual machine because the whole system Dialogue: 0,0:22:12.53,0:22:17.62,Default,,0000,0000,0000,,interface for a container is exactly those\Nsystem calls you saw earlier. So it's run Dialogue: 0,0:22:17.62,0:22:24.15,Default,,0000,0000,0000,,600 different calls. And in order to\Nevaluate the security, you need basically Dialogue: 0,0:22:24.15,0:22:32.77,Default,,0000,0000,0000,,to audit all of them. So that's just a\Nbrief comparison between those. If we look Dialogue: 0,0:22:32.77,0:22:38.02,Default,,0000,0000,0000,,into more detail, what solo5 what shapes\Nit can have here on the left side. We can Dialogue: 0,0:22:38.02,0:22:43.35,Default,,0000,0000,0000,,see it running in a hardware virtualized\Ntender, which is you have the Linux Dialogue: 0,0:22:43.35,0:22:50.29,Default,,0000,0000,0000,,freebies, your openBSD at the bottom and\Nyou have solo5 blob, which is a blue thing Dialogue: 0,0:22:50.29,0:22:54.59,Default,,0000,0000,0000,,here in the middle. And then on top you\Nhave the unikernel. On the right hand side Dialogue: 0,0:22:54.59,0:23:02.85,Default,,0000,0000,0000,,you can see the Linux satcom process and\Nyou have a much smaller solo5 blob because Dialogue: 0,0:23:02.85,0:23:06.94,Default,,0000,0000,0000,,it doesn't need to do that much anymore,\Nbecause all the hyper calls are basically Dialogue: 0,0:23:06.94,0:23:11.96,Default,,0000,0000,0000,,translated to system calls. 
So you\Nactually get rid of them and you don't Dialogue: 0,0:23:11.96,0:23:16.82,Default,,0000,0000,0000,,need to communicate between the host and\Nthe guest system because in seccomb you Dialogue: 0,0:23:16.82,0:23:22.61,Default,,0000,0000,0000,,run as a whole system process so you don't\Nhave this virtualization. The advantage of Dialogue: 0,0:23:22.61,0:23:29.22,Default,,0000,0000,0000,,using seccomb as well, but you can deploy\Nit without having access to virtualization Dialogue: 0,0:23:29.22,0:23:38.05,Default,,0000,0000,0000,,features of the CPU. Now to get it in even\Nsmaller shape. There's another backend I Dialogue: 0,0:23:38.05,0:23:42.87,Default,,0000,0000,0000,,haven't talked to you about. It's called\Nthe Muen. It's a separation kernel Dialogue: 0,0:23:42.87,0:23:50.87,Default,,0000,0000,0000,,developed in Ada. So you basically ... so\Nnow we try to get rid of this huge Unix Dialogue: 0,0:23:50.87,0:23:58.32,Default,,0000,0000,0000,,system below it. Which is this big kernel\Nthingy here. And Muen is an open source Dialogue: 0,0:23:58.32,0:24:03.31,Default,,0000,0000,0000,,project developed in Switzerland in Ada,\Nas I mentioned, and that uses SPARK, which Dialogue: 0,0:24:03.31,0:24:12.62,Default,,0000,0000,0000,,is proof system, which guarantees the\Nmemory isolation between the different Dialogue: 0,0:24:12.62,0:24:19.57,Default,,0000,0000,0000,,components. And Muen now goes a step\Nfurther and it says, "Oh yeah. For you as Dialogue: 0,0:24:19.57,0:24:23.54,Default,,0000,0000,0000,,a guest system, you don't do static\Nallocations and you don't do dynamic Dialogue: 0,0:24:23.54,0:24:28.21,Default,,0000,0000,0000,,resource management." We as a host system,\Nwe as a hypervisor, we don't do any Dialogue: 0,0:24:28.21,0:24:34.35,Default,,0000,0000,0000,,dynamic resource allocation as well. So it\Nonly does static resource management. 
So Dialogue: 0,0:24:34.35,0:24:39.25,Default,,0000,0000,0000,,at compile time of your Muen separation\Nkernel you decide how many virtual Dialogue: 0,0:24:39.25,0:24:44.46,Default,,0000,0000,0000,,machines or how many unikernels you are\Nrunning and which resources are given to Dialogue: 0,0:24:44.46,0:24:50.12,Default,,0000,0000,0000,,them. You even specify which communication\Nchannels are there. So if one of your Dialogue: 0,0:24:50.12,0:24:55.56,Default,,0000,0000,0000,,virtual machines needs to talk to another\None, you need to specify that at Dialogue: 0,0:24:55.56,0:25:00.97,Default,,0000,0000,0000,,compile time and at runtime you don't have\Nany dynamic resource management. So that Dialogue: 0,0:25:00.97,0:25:08.62,Default,,0000,0000,0000,,again makes the code much easier, much,\Nmuch less complex. And you get to much Dialogue: 0,0:25:08.62,0:25:19.06,Default,,0000,0000,0000,,fewer lines of code. So to conclude with\Nthis Mirage and how this and also the Muen Dialogue: 0,0:25:19.06,0:25:26.37,Default,,0000,0000,0000,,and solo5. And how that is. I like to cite\NAntoine: "Perfection is achieved, not when Dialogue: 0,0:25:26.37,0:25:31.66,Default,,0000,0000,0000,,there is nothing more to add, but when\Nthere is nothing left to take away." I Dialogue: 0,0:25:31.66,0:25:36.62,Default,,0000,0000,0000,,mean obviously the most secure system is a\Nsystem which doesn't exist. Dialogue: 0,0:25:36.62,0:25:40.21,Default,,0000,0000,0000,,{\i1}Laughter{\i0} Dialogue: 0,0:25:40.21,0:25:41.64,Default,,0000,0000,0000,,Let's look a bit further Dialogue: 0,0:25:41.64,0:25:46.44,Default,,0000,0000,0000,,into the decisions of MirageOS.\NWhy do you use this strange Dialogue: 0,0:25:46.44,0:25:50.96,Default,,0000,0000,0000,,programming language called OCaml and\Nwhat's it all about? And what are the case Dialogue: 0,0:25:50.96,0:25:59.17,Default,,0000,0000,0000,,studies? So OCaml has been around since\Nmore than 20 years. 
It's a multi paradigm Dialogue: 0,0:25:59.17,0:26:05.89,Default,,0000,0000,0000,,programming language. The goal for us and\Nfor OCaml is usually to have declarative Dialogue: 0,0:26:05.89,0:26:14.39,Default,,0000,0000,0000,,code. To achieve declarative code you need\Nto provide the developers with some Dialogue: 0,0:26:14.39,0:26:21.20,Default,,0000,0000,0000,,orthogonal abstraction facilities such as\Nhere we have variables then functions you Dialogue: 0,0:26:21.20,0:26:24.89,Default,,0000,0000,0000,,likely know if you're a software\Ndeveloper. Also higher order functions. So Dialogue: 0,0:26:24.89,0:26:31.50,Default,,0000,0000,0000,,that just means that the function is able\Nto take a function as input. Then in OCaml Dialogue: 0,0:26:31.50,0:26:37.27,Default,,0000,0000,0000,,we tried to always focus on the problem\Nand do not distract with boilerplate. So Dialogue: 0,0:26:37.27,0:26:43.51,Default,,0000,0000,0000,,some running example again would be this\Nmemory management. We don't manually deal Dialogue: 0,0:26:43.51,0:26:52.94,Default,,0000,0000,0000,,with that, but we have computers to\Nactually deal with that. In OCaml you have Dialogue: 0,0:26:52.94,0:27:00.17,Default,,0000,0000,0000,,a very expressive and static type system,\Nwhich can spot a lot of invariants or Dialogue: 0,0:27:00.17,0:27:07.16,Default,,0000,0000,0000,,violation of invariants at build time.\NSo the program won't compile if you don't Dialogue: 0,0:27:07.16,0:27:14.20,Default,,0000,0000,0000,,handle all the potential return types or\Nreturn values of your function. So now a Dialogue: 0,0:27:14.20,0:27:20.19,Default,,0000,0000,0000,,type system, you know, you may know it\Nfrom Java is a bit painful. If you have to Dialogue: 0,0:27:20.19,0:27:24.25,Default,,0000,0000,0000,,express at every location where you want\Nto have a variable, which type this Dialogue: 0,0:27:24.25,0:27:31.90,Default,,0000,0000,0000,,variable is. 
What OCaml provides is type\Ninference similar to Scala and other Dialogue: 0,0:27:31.90,0:27:37.83,Default,,0000,0000,0000,,languages. So you don't need to type all\Nthe types manually. And types are also Dialogue: 0,0:27:37.83,0:27:43.67,Default,,0000,0000,0000,,unlike in Java. Types are erased during\Ncompilation. So types are only information Dialogue: 0,0:27:43.67,0:27:48.82,Default,,0000,0000,0000,,about values the compiler has at compile\Ntime. But at runtime these are all erased Dialogue: 0,0:27:48.82,0:27:54.92,Default,,0000,0000,0000,,so they don't exist. You don't see them.\NAnd OCaml compiles to native machine code, Dialogue: 0,0:27:54.92,0:28:01.58,Default,,0000,0000,0000,,which I think is important for security\Nand performance. Because otherwise you run Dialogue: 0,0:28:01.58,0:28:07.47,Default,,0000,0000,0000,,an interpreter or an abstract machine and\Nyou have to emulate something else and Dialogue: 0,0:28:07.47,0:28:14.89,Default,,0000,0000,0000,,that is never as fast as you can. OCaml\Nhas one distinct feature, which is its Dialogue: 0,0:28:14.89,0:28:21.46,Default,,0000,0000,0000,,module system. So you have all your\Nvalues, which types or functions. And now Dialogue: 0,0:28:21.46,0:28:26.84,Default,,0000,0000,0000,,each of those values is defined inside of\Na so-called module. And the simplest Dialogue: 0,0:28:26.84,0:28:32.67,Default,,0000,0000,0000,,module is just the filename. But you can\Nnest modules so you can explicitly say, oh Dialogue: 0,0:28:32.67,0:28:39.54,Default,,0000,0000,0000,,yeah, this value or this binding is now\Nliving in a sub module here off. So each Dialogue: 0,0:28:39.54,0:28:45.26,Default,,0000,0000,0000,,module you can also give it a type. So it\Nhas a set of types and a set of functions Dialogue: 0,0:28:45.26,0:28:52.60,Default,,0000,0000,0000,,and that is called its signature, which is\Nthe interface of the module. 
Now you have Dialogue: 0,0:28:52.60,0:28:59.60,Default,,0000,0000,0000,,another abstraction mechanism in OCaml\Nwhich is functors. And functors are Dialogue: 0,0:28:59.60,0:29:04.47,Default,,0000,0000,0000,,basically compile time functions from\Nmodule to module. So they allow a Dialogue: 0,0:29:04.47,0:29:09.99,Default,,0000,0000,0000,,parametrisation. Like you can implement\Nyour generic map structure and all you Dialogue: 0,0:29:09.99,0:29:18.74,Default,,0000,0000,0000,,require. So map is just a hash map or an\Nimplementation is maybe a binary tree. And Dialogue: 0,0:29:18.74,0:29:25.98,Default,,0000,0000,0000,,you need to have is some comparison for\Nthe keys and that is modeled in OCaml by Dialogue: 0,0:29:25.98,0:29:32.43,Default,,0000,0000,0000,,module. So you have a module called map\Nand you have a functor called make. And the Dialogue: 0,0:29:32.43,0:29:38.46,Default,,0000,0000,0000,,make takes some module which implements\Nthis comparison method and then provides Dialogue: 0,0:29:38.46,0:29:45.74,Default,,0000,0000,0000,,you with map data structure for that key\Ntype. And then MirageOS we actually use a Dialogue: 0,0:29:45.74,0:29:51.80,Default,,0000,0000,0000,,module system quite a bit more because we\Nhave all these resources which are Dialogue: 0,0:29:51.80,0:29:58.33,Default,,0000,0000,0000,,different between Xen and KVM and so on.\NSo each of the different resources like a Dialogue: 0,0:29:58.33,0:30:06.74,Default,,0000,0000,0000,,network interface has a signature. OK, and\Ntarget specific implementation. So we have Dialogue: 0,0:30:06.74,0:30:11.21,Default,,0000,0000,0000,,the TCP/IP stack, which is much higher\Nthan the network card, but it doesn't Dialogue: 0,0:30:11.21,0:30:16.92,Default,,0000,0000,0000,,really care if you run on Xen or if you\Nrun on KVM. You just program against this Dialogue: 0,0:30:16.92,0:30:22.27,Default,,0000,0000,0000,,abstract interface against the interface\Nof the network device. 
But you don't need Dialogue: 0,0:30:22.27,0:30:27.74,Default,,0000,0000,0000,,to program. You don't need to write in\Nyour TCP/IP stack any code to run on Xen Dialogue: 0,0:30:27.74,0:30:38.23,Default,,0000,0000,0000,,or to run on KVM. So MirageOS also\Ndoesn't really use the complete OCaml Dialogue: 0,0:30:38.23,0:30:44.41,Default,,0000,0000,0000,,programming language. OCaml also provides\Nyou with an object system and we barely Dialogue: 0,0:30:44.41,0:30:49.72,Default,,0000,0000,0000,,use that. We also have in MirageOS... well\NOCaml also allows you for with mutable Dialogue: 0,0:30:49.72,0:30:57.61,Default,,0000,0000,0000,,state. And we barely used that mutable\Nstate, but we use mostly immutable data Dialogue: 0,0:30:57.61,0:31:05.43,Default,,0000,0000,0000,,whenever sensible. We also have a value\Npassing style, so we put state and data as Dialogue: 0,0:31:05.43,0:31:12.00,Default,,0000,0000,0000,,inputs. So state is just some abstract\Nstate and data is just a byte vector Dialogue: 0,0:31:12.00,0:31:17.01,Default,,0000,0000,0000,,in a protocol implementation. And then the\Noutput is also a new state which may be Dialogue: 0,0:31:17.01,0:31:22.18,Default,,0000,0000,0000,,modified and some reply maybe so some\Nother byte vector or some application Dialogue: 0,0:31:22.18,0:31:31.79,Default,,0000,0000,0000,,data. Or the output data may as well be an\Nerror because the incoming data and state Dialogue: 0,0:31:31.79,0:31:38.18,Default,,0000,0000,0000,,may be invalid or might maybe violate some\Nconstraints. And errors are also Dialogue: 0,0:31:38.18,0:31:44.11,Default,,0000,0000,0000,,explicitly typed, so they are declared in\Nthe API and the call of a function needs Dialogue: 0,0:31:44.11,0:31:52.48,Default,,0000,0000,0000,,to handle all these errors explicitly. As\NI said, the single core, but we have some Dialogue: 0,0:31:52.48,0:32:00.69,Default,,0000,0000,0000,,promise based or some event based\Nconcurrent programming stuff. 
And yeah, we Dialogue: 0,0:32:00.69,0:32:04.45,Default,,0000,0000,0000,,have the ability to express a really\Nstrong invariants like this is a read- Dialogue: 0,0:32:04.45,0:32:08.34,Default,,0000,0000,0000,,only buffer in the type system. And the\Ntype system is, as I mentioned, only Dialogue: 0,0:32:08.34,0:32:15.16,Default,,0000,0000,0000,,compile time, no runtime overhead. So it's\Nall pretty nice and good. So let's take a Dialogue: 0,0:32:15.16,0:32:21.21,Default,,0000,0000,0000,,look at some of the case studies. The\Nfirst one is unikernel. So it's called the Dialogue: 0,0:32:21.21,0:32:29.74,Default,,0000,0000,0000,,Bitcoin Pinata. It started in 2015 when we\Nwere happy with from the scratch developed Dialogue: 0,0:32:29.74,0:32:35.10,Default,,0000,0000,0000,,TLS stack. TLS is transport layer\Nsecurity. So what use if you browse to Dialogue: 0,0:32:35.10,0:32:41.72,Default,,0000,0000,0000,,HTTPS. So we have a TLS stack in OCaml\Nand we wanted to do some marketing for Dialogue: 0,0:32:41.72,0:32:50.67,Default,,0000,0000,0000,,that. Bitcoin Pinata is basically\Nunikernel which uses TLS and provides you Dialogue: 0,0:32:50.67,0:32:57.79,Default,,0000,0000,0000,,with TLS endpoints, and it contains the\Nprivate key for a bitcoin wallet which is Dialogue: 0,0:32:57.79,0:33:05.79,Default,,0000,0000,0000,,filled with, which used to be filled with\N10 bitcoins. And this means it's a Dialogue: 0,0:33:05.79,0:33:10.77,Default,,0000,0000,0000,,security bait. So if you can compromise\Nthe system itself, you get the private key Dialogue: 0,0:33:10.77,0:33:16.42,Default,,0000,0000,0000,,and you can do whatever you want with it.\NAnd being on this bitcoin block chain, it Dialogue: 0,0:33:16.42,0:33:22.88,Default,,0000,0000,0000,,also means it's transparent so everyone\Ncan see that that has been hacked or not. Dialogue: 0,0:33:22.88,0:33:30.45,Default,,0000,0000,0000,,Yeah and it has been online since three years\Nand it was not hacked. 
But the bitcoin we Dialogue: 0,0:33:30.45,0:33:35.63,Default,,0000,0000,0000,,got were only borrowed from friends of us\Nand they were then reused in other Dialogue: 0,0:33:35.63,0:33:40.37,Default,,0000,0000,0000,,projects. It's still online. And you can\Nsee here on the right that we had some Dialogue: 0,0:33:40.37,0:33:49.74,Default,,0000,0000,0000,,HTTP traffic, like an aggregate of maybe\N600,000 hits there. Now I have a size Dialogue: 0,0:33:49.74,0:33:54.60,Default,,0000,0000,0000,,comparison of the Bitcoin Pinata on the\Nleft. You can see the unikernel, which is Dialogue: 0,0:33:54.60,0:34:00.41,Default,,0000,0000,0000,,less than 10 megabytes in size or in\Nsource code it's maybe a hundred thousand Dialogue: 0,0:34:00.41,0:34:06.00,Default,,0000,0000,0000,,lines of code. On the right hand side you\Nhave a very similar thing, but running as Dialogue: 0,0:34:06.00,0:34:16.49,Default,,0000,0000,0000,,a Linux service so it runs an openSSL S\Nserver, which is a minimal TLS server you Dialogue: 0,0:34:16.49,0:34:22.82,Default,,0000,0000,0000,,can get basically on a Linux system using\NopenSSL. And there we have mainly maybe a Dialogue: 0,0:34:22.82,0:34:29.02,Default,,0000,0000,0000,,size of 200 megabytes and maybe two\Nmillion two lines of code. So that's Dialogue: 0,0:34:29.02,0:34:36.41,Default,,0000,0000,0000,,roughly a vector of 25. In other examples,\Nwe even got a bit less code, much bigger Dialogue: 0,0:34:36.41,0:34:45.31,Default,,0000,0000,0000,,effect. Performance analysis I showed that\N... Well, in 2015 we did some evaluation Dialogue: 0,0:34:45.31,0:34:50.66,Default,,0000,0000,0000,,of our TLS stack and it turns out we're in\Nthe same ballpark as other Dialogue: 0,0:34:50.66,0:34:56.77,Default,,0000,0000,0000,,implementations. Another case study is\NCalDAV server, which we developed last Dialogue: 0,0:34:56.77,0:35:04.73,Default,,0000,0000,0000,,year with a grant from Prototypefund which\Nis a German government funding. 
It is Dialogue: 0,0:35:04.73,0:35:09.28,Default,,0000,0000,0000,,interoperable with other clients. It stores\Ndata in a remote git repository. So we Dialogue: 0,0:35:09.28,0:35:14.14,Default,,0000,0000,0000,,don't use any block device or persistent\Nstorage, but we store it in a git Dialogue: 0,0:35:14.14,0:35:18.60,Default,,0000,0000,0000,,repository so whenever you add the\Ncalendar event, it does actually a git Dialogue: 0,0:35:18.60,0:35:24.83,Default,,0000,0000,0000,,push. And we also recently got some\Nintegration with CalDAV web, which is a Dialogue: 0,0:35:24.83,0:35:30.98,Default,,0000,0000,0000,,JavaScript user interface doing in\NJavaScript, doing a user interface. And we Dialogue: 0,0:35:30.98,0:35:36.94,Default,,0000,0000,0000,,just bundle that with the thing. It's\Nonline, open source, there is a demo Dialogue: 0,0:35:36.94,0:35:42.44,Default,,0000,0000,0000,,server and the data repository online.\NYes, some statistics and I zoom in Dialogue: 0,0:35:42.44,0:35:47.97,Default,,0000,0000,0000,,directly to the CPU usage. So we had the\Nluck that we for half of a month, we used Dialogue: 0,0:35:47.97,0:35:56.17,Default,,0000,0000,0000,,it as a process on a FreeBSD system. And\Nthat happened roughly the first half until Dialogue: 0,0:35:56.17,0:36:01.42,Default,,0000,0000,0000,,here. And then at some point we thought,\Noh, yeah, let's migrate it to MirageOS Dialogue: 0,0:36:01.42,0:36:06.33,Default,,0000,0000,0000,,unikernel and don't run the FreeBSD system\Nbelow it. And you can see here on the x Dialogue: 0,0:36:06.33,0:36:11.46,Default,,0000,0000,0000,,axis the time. So that was the month of\NJune, starting with the first of June on Dialogue: 0,0:36:11.46,0:36:16.95,Default,,0000,0000,0000,,the left and the last of June on the\Nright. And on the y axis, you have the Dialogue: 0,0:36:16.95,0:36:22.83,Default,,0000,0000,0000,,number of CPU seconds here on the left or\Nthe number of CPU ticks here on the right. 
Dialogue: 0,0:36:22.83,0:36:28.65,Default,,0000,0000,0000,,The CPU ticks are virtual CPU ticks\Nwhich debug counters from the hypervisor. Dialogue: 0,0:36:28.65,0:36:33.43,Default,,0000,0000,0000,,So from bhyve and FreeBSD here in that\Nsystem. And what you can see here is this Dialogue: 0,0:36:33.43,0:36:39.46,Default,,0000,0000,0000,,massive drop by a factor of roughly 10.\NAnd that is when we switched from a Unix Dialogue: 0,0:36:39.46,0:36:46.04,Default,,0000,0000,0000,,virtual machine with the process to a\Nfreestanding Unikernel. So we actually use Dialogue: 0,0:36:46.04,0:36:50.91,Default,,0000,0000,0000,,much less resources. And if we look into\Nthe bigger picture here, we also see that Dialogue: 0,0:36:50.91,0:36:57.71,Default,,0000,0000,0000,,the memory dropped by a factor of 10 or\Neven more. This is now a logarithmic scale Dialogue: 0,0:36:57.71,0:37:03.04,Default,,0000,0000,0000,,here on the y axis, the network bandwidth\Nincreased quite a bit because now we do Dialogue: 0,0:37:03.04,0:37:09.55,Default,,0000,0000,0000,,all the monitoring traffic, also via net\Ninterface and so on. Okay, that's CalDAV. Dialogue: 0,0:37:09.55,0:37:16.76,Default,,0000,0000,0000,,Another case study is authoritative DNS\Nservers. And I just recently wrote a Dialogue: 0,0:37:16.76,0:37:22.33,Default,,0000,0000,0000,,tutorial on that. Which I will skip\Nbecause I'm a bit short on time. Another Dialogue: 0,0:37:22.33,0:37:27.21,Default,,0000,0000,0000,,case study is a firewall for QubesOS.\NQubesOS is a reasonably secure operating Dialogue: 0,0:37:27.21,0:37:33.39,Default,,0000,0000,0000,,system which uses Xen for isolation of\Nworkspaces and applications such as PDF Dialogue: 0,0:37:33.39,0:37:38.61,Default,,0000,0000,0000,,reader. So whenever you receive a PDF, you\Nstart your virtual machine, which is only Dialogue: 0,0:37:38.61,0:37:48.16,Default,,0000,0000,0000,,run once and you, well which is just run to\Nopen and read your PDF. 
And Qubes Mirage Dialogue: 0,0:37:48.16,0:37:54.04,Default,,0000,0000,0000,,firewall is now small or a tiny\Nreplacement for the Linux based firewall Dialogue: 0,0:37:54.04,0:38:02.16,Default,,0000,0000,0000,,written in OCaml now. And instead of\Nroughly 300mb, you only use 32mb Dialogue: 0,0:38:02.16,0:38:09.26,Default,,0000,0000,0000,,of memory. There's now also recently\Nsome support for dynamic firewall rules Dialogue: 0,0:38:09.26,0:38:16.76,Default,,0000,0000,0000,,as defined by Qubes 4.0. And that is not\Nyet merged into master, but it's under Dialogue: 0,0:38:16.76,0:38:23.48,Default,,0000,0000,0000,,review. Libraries in MirageOS yeah we have\Nsince we write everything from scratch and Dialogue: 0,0:38:23.48,0:38:29.75,Default,,0000,0000,0000,,in OCaml we don't have now. We don't have\Nevery protocol, but we have quite a few Dialogue: 0,0:38:29.75,0:38:35.28,Default,,0000,0000,0000,,protocols. There are also more unikernels\Nright now, which you can see here in the Dialogue: 0,0:38:35.28,0:38:41.85,Default,,0000,0000,0000,,slides. Also online in the Fahrplan so you\Ncan click on the links later. Reproducible Dialogue: 0,0:38:41.85,0:38:47.51,Default,,0000,0000,0000,,builds. So for security purposes we\Ndon't get shipped binaries. But I plan to Dialogue: 0,0:38:47.51,0:38:51.54,Default,,0000,0000,0000,,ship binaries and in order to ship\Nbinaries. I don't want to ship non- Dialogue: 0,0:38:51.54,0:38:56.55,Default,,0000,0000,0000,,reproducible binaries. What is reproducible\Nbuilds? Well it means that if you have the Dialogue: 0,0:38:56.55,0:39:05.96,Default,,0000,0000,0000,,same source code, you should get the\Nbinary identical output. And issues are Dialogue: 0,0:39:05.96,0:39:14.64,Default,,0000,0000,0000,,temporary filenames and timestamps and so\Non. 
In December we managed in MirageOS to Dialogue: 0,0:39:14.64,0:39:21.27,Default,,0000,0000,0000,,get some tooling on track to actually test\Nthe reproducibility of unikernels and we Dialogue: 0,0:39:21.27,0:39:27.84,Default,,0000,0000,0000,,fixed some issues and now all the tests in\NMirageOS unikernels reproducible, which Dialogue: 0,0:39:27.84,0:39:34.01,Default,,0000,0000,0000,,are basically most of them from this list.\NAnother topic, a supply chain security, Dialogue: 0,0:39:34.01,0:39:42.21,Default,,0000,0000,0000,,which is important, I think, and we have\Nthis is still a work in progress. We still Dialogue: 0,0:39:42.21,0:39:48.86,Default,,0000,0000,0000,,haven't deployed that widely. But there\Nare some test repositories out there to Dialogue: 0,0:39:48.86,0:39:56.87,Default,,0000,0000,0000,,provide more, to provide signatures signed\Nby the actual authors of a library and Dialogue: 0,0:39:56.87,0:40:02.67,Default,,0000,0000,0000,,getting you across until the use of the\Nlibrary can verify that. And some Dialogue: 0,0:40:02.67,0:40:09.39,Default,,0000,0000,0000,,decentralized authorization and delegation\Nof that. What about deployment? Well, in Dialogue: 0,0:40:09.39,0:40:15.100,Default,,0000,0000,0000,,conventional orchestration systems such as\NKubernetes and so on. We don't yet have Dialogue: 0,0:40:15.100,0:40:24.22,Default,,0000,0000,0000,,a proper integration of MirageOS, but we\Nwould like to get some proper integration Dialogue: 0,0:40:24.22,0:40:31.70,Default,,0000,0000,0000,,there. If you already generate some\Nlibvirt.xml files from Mirage. So for each Dialogue: 0,0:40:31.70,0:40:37.69,Default,,0000,0000,0000,,unikernel you get the libvirt.xml and you\Ncan do that and run that in your libvirt Dialogue: 0,0:40:37.69,0:40:44.53,Default,,0000,0000,0000,,based orchestration system. 
For Xen, we\Nalso generate those .xl and .xe files, Dialogue: 0,0:40:44.53,0:40:49.50,Default,,0000,0000,0000,,which I personally don't really\Nknow much about, but that's it. On the Dialogue: 0,0:40:49.50,0:40:56.29,Default,,0000,0000,0000,,other side, I developed an orchestration\Nsystem called Albatross because I was a Dialogue: 0,0:40:56.29,0:41:02.53,Default,,0000,0000,0000,,bit worried if I now have those tiny\Nunikernels which are megabytes in size Dialogue: 0,0:41:02.53,0:41:09.09,Default,,0000,0000,0000,,and now I should trust the big Kubernetes,\Nwhich is maybe a million lines of code Dialogue: 0,0:41:09.09,0:41:15.73,Default,,0000,0000,0000,,running on the host system with\Nprivileges. So I thought, oh well let's Dialogue: 0,0:41:15.73,0:41:21.34,Default,,0000,0000,0000,,try to come up with a minimal\Norchestration system which allows me some Dialogue: 0,0:41:21.34,0:41:26.63,Default,,0000,0000,0000,,console access. So I want to see the debug\Nmessages or whenever it fails to boot I Dialogue: 0,0:41:26.63,0:41:32.10,Default,,0000,0000,0000,,want to see the output of the console.\NWant to get some metrics like the Grafana Dialogue: 0,0:41:32.10,0:41:38.93,Default,,0000,0000,0000,,screenshot you just saw. And that's\Nbasically it. Then since I developed also Dialogue: 0,0:41:38.93,0:41:45.33,Default,,0000,0000,0000,,a TLS stack, I thought, oh yeah, well why\Nnot just use it for remote deployment? 
So Dialogue: 0,0:41:45.33,0:41:51.50,Default,,0000,0000,0000,,in TLS you have mutual authentication, you\Ncan have client certificates and Dialogue: 0,0:41:51.50,0:41:57.46,Default,,0000,0000,0000,,certificate itself is more or less an\Nauthenticated key value store because you Dialogue: 0,0:41:57.46,0:42:03.86,Default,,0000,0000,0000,,have those extensions and X 509 version 3\Nand you can put arbitrary data in there Dialogue: 0,0:42:03.86,0:42:09.19,Default,,0000,0000,0000,,with keys being so-called object\Nidentifiers and values being whatever Dialogue: 0,0:42:09.19,0:42:16.54,Default,,0000,0000,0000,,else. TLS certificates have this great\Nadvantage that or X 509 certificates have Dialogue: 0,0:42:16.54,0:42:23.55,Default,,0000,0000,0000,,the advantage that during a TLS handshake\Nthey are transferred on the wire in not Dialogue: 0,0:42:23.55,0:42:33.95,Default,,0000,0000,0000,,base64 or PEM encoding as you usually see\Nthem, but in basic encoding which is much Dialogue: 0,0:42:33.95,0:42:41.05,Default,,0000,0000,0000,,nicer to the amount of bits you transfer.\NSo it's not transferred in base64, but Dialogue: 0,0:42:41.05,0:42:45.82,Default,,0000,0000,0000,,directly in raw basically. And with\NAlbatross you can basically do a TLS Dialogue: 0,0:42:45.82,0:42:50.77,Default,,0000,0000,0000,,handshake and in that client certificate\Nyou present, you already have the Dialogue: 0,0:42:50.77,0:42:58.36,Default,,0000,0000,0000,,unikernel image and the name and the boot\Narguments and you just deploy it directly. Dialogue: 0,0:42:58.36,0:43:04.23,Default,,0000,0000,0000,,You can alter an X 509. You have a chain\Nof certificate authorities, which you send Dialogue: 0,0:43:04.23,0:43:09.15,Default,,0000,0000,0000,,with and this chain of certificate\Nauthorities also contain some extensions Dialogue: 0,0:43:09.15,0:43:14.72,Default,,0000,0000,0000,,in order to specify which policies are\Nactive. 
So how many virtual machines are Dialogue: 0,0:43:14.72,0:43:21.60,Default,,0000,0000,0000,,you able to deploy on my system? How much\Nmemory you have access to and which Dialogue: 0,0:43:21.60,0:43:26.93,Default,,0000,0000,0000,,bridges or which network interfaces you\Nhave access to? So Albatross is really a Dialogue: 0,0:43:26.93,0:43:33.78,Default,,0000,0000,0000,,minimal orchestration system running as a\Nfamily of Unix processes. It's maybe 3000 Dialogue: 0,0:43:33.78,0:43:41.32,Default,,0000,0000,0000,,lines of code or so. OCaml code. But using\Nthen the TLS stack and so on. But yeah, it Dialogue: 0,0:43:41.32,0:43:46.63,Default,,0000,0000,0000,,seems to work pretty well. I at least use\Nit for more than two dozen unikernels at Dialogue: 0,0:43:46.63,0:43:52.19,Default,,0000,0000,0000,,any point in time. What about the\Ncommunity? Well the whole MirageOS project Dialogue: 0,0:43:52.19,0:43:57.93,Default,,0000,0000,0000,,started around 2008 at University of\NCambridge, so it used to be a research Dialogue: 0,0:43:57.93,0:44:03.82,Default,,0000,0000,0000,,project with which still has a lot of\Nongoing student projects at University of Dialogue: 0,0:44:03.82,0:44:10.56,Default,,0000,0000,0000,,Cambridge. But now it's an open source\Npermissive license, mostly BSD licensed Dialogue: 0,0:44:10.56,0:44:20.77,Default,,0000,0000,0000,,thing, where we have community event every\Nhalf a year and a retreat in Morocco where Dialogue: 0,0:44:20.77,0:44:25.82,Default,,0000,0000,0000,,we also use our own unikernels like the\NDHCP server and the DNS resolve and so on. Dialogue: 0,0:44:25.82,0:44:31.70,Default,,0000,0000,0000,,We just use them to test them and to see\Nhow does it behave and does it work for Dialogue: 0,0:44:31.70,0:44:40.17,Default,,0000,0000,0000,,us? 
We have quite a lot of open source\Ncomputer contributors from all over and Dialogue: 0,0:44:40.17,0:44:46.42,Default,,0000,0000,0000,,some of the MirageOS libraries have also\Nbeen used or are still used in this Docker Dialogue: 0,0:44:46.42,0:44:51.81,Default,,0000,0000,0000,,technology, Docker for Mac and Docker for\NWindows, which emulates the guest system Dialogue: 0,0:44:51.81,0:45:02.09,Default,,0000,0000,0000,,or which needs some wrappers. And there is\Na lot of OCaml code is used. So to finish Dialogue: 0,0:45:02.09,0:45:07.32,Default,,0000,0000,0000,,my talk, I would like to have another\Nside, which is that Rome wasn't built in a Dialogue: 0,0:45:07.32,0:45:14.92,Default,,0000,0000,0000,,day. So where we are is to conclude here\Nwe have a radical approach to operating Dialogue: 0,0:45:14.92,0:45:22.09,Default,,0000,0000,0000,,systems development. We have a security\Nfrom the ground up with much fewer code Dialogue: 0,0:45:22.09,0:45:30.08,Default,,0000,0000,0000,,and we also have much fewer attack vectors\Nbecause we use a memory safe Dialogue: 0,0:45:30.08,0:45:39.08,Default,,0000,0000,0000,,language. So we have reduced the carbon\Nfootprint, as I mentioned in the start of Dialogue: 0,0:45:39.08,0:45:45.62,Default,,0000,0000,0000,,the talk, because we use much less CPU\Ntime, but also much less memory. So we use Dialogue: 0,0:45:45.62,0:45:53.19,Default,,0000,0000,0000,,less resources. MirageOS itself and OCaml\Nhave a reasonable performance. We have Dialogue: 0,0:45:53.19,0:45:56.98,Default,,0000,0000,0000,,seen some statistics about the TLS stack\Nthat it was in the same ballpark as Dialogue: 0,0:45:56.98,0:46:05.52,Default,,0000,0000,0000,,OpenSSL and PolarSSL, which is nowadays\NMBed TLS, and MirageOS unikernels, since Dialogue: 0,0:46:05.52,0:46:10.59,Default,,0000,0000,0000,,they don't really need to negotiate\Nfeatures and wait for the SCSI bus and Dialogue: 0,0:46:10.59,0:46:14.76,Default,,0000,0000,0000,,so on. 
They actually do it in\Nmilliseconds, not in seconds, so they do Dialogue: 0,0:46:14.76,0:46:21.94,Default,,0000,0000,0000,,not hardware probing and so on. But they\Nknow that startup time what they expect. I Dialogue: 0,0:46:21.94,0:46:27.49,Default,,0000,0000,0000,,would like to thank everybody who is and\Nwas involved in this whole technology Dialogue: 0,0:46:27.49,0:46:32.77,Default,,0000,0000,0000,,stack because I myself I program quite a\Nbit of OCaml, but I wouldn't have been Dialogue: 0,0:46:32.77,0:46:39.01,Default,,0000,0000,0000,,able to do that on my own. It is just a\Nbit too big. MirageOS currently spans Dialogue: 0,0:46:39.01,0:46:45.49,Default,,0000,0000,0000,,around maybe 200 different git\Nrepositories with the libraries, mostly Dialogue: 0,0:46:45.49,0:46:52.50,Default,,0000,0000,0000,,developed on GitHub and open source. I\Nam at the moment working in a nonprofit Dialogue: 0,0:46:52.50,0:46:56.89,Default,,0000,0000,0000,,company in Germany, which is called the\NCenter for the Cultivation of Technology Dialogue: 0,0:46:56.89,0:47:02.65,Default,,0000,0000,0000,,with a project called robur. So we work in\Na collective way to develop full-stack Dialogue: 0,0:47:02.65,0:47:08.03,Default,,0000,0000,0000,,MirageOS unikernels. That's why I'm happy\Nto do that from Dublin. And if you're Dialogue: 0,0:47:08.03,0:47:14.45,Default,,0000,0000,0000,,interested, please talk to us. I have some\Nselected related talks, there are much Dialogue: 0,0:47:14.45,0:47:20.87,Default,,0000,0000,0000,,more talks about MirageOS. But here is\Njust a short list of something, if you're Dialogue: 0,0:47:20.87,0:47:29.53,Default,,0000,0000,0000,,interested in some certain aspects, please\Nhelp yourself to view them. Dialogue: 0,0:47:29.53,0:47:31.76,Default,,0000,0000,0000,,That's all from me. Dialogue: 0,0:47:31.76,0:47:37.38,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:47:37.38,0:47:46.44,Default,,0000,0000,0000,,Herald: Thank you very much. 
There's a bit\Nover 10 minutes of time for questions. If Dialogue: 0,0:47:46.44,0:47:50.01,Default,,0000,0000,0000,,you have any questions go to the\Nmicrophone. There's several microphones Dialogue: 0,0:47:50.01,0:47:54.21,Default,,0000,0000,0000,,around the room. Go ahead.\NQuestion: Thank you very much for the talk Dialogue: 0,0:47:54.21,0:47:57.21,Default,,0000,0000,0000,,-\NHerald: Writ of order. Thanking the Dialogue: 0,0:47:57.21,0:48:01.11,Default,,0000,0000,0000,,speaker can be done afterwards. Questions\Nare questions, so short sentences ending Dialogue: 0,0:48:01.11,0:48:05.99,Default,,0000,0000,0000,,with a question mark. Sorry, do go ahead.\NQuestion: If I want to try this at home, Dialogue: 0,0:48:05.99,0:48:08.99,Default,,0000,0000,0000,,what do I need? Is a raspi sufficient? No,\Nit isn't. Dialogue: 0,0:48:08.99,0:48:15.31,Default,,0000,0000,0000,,Hannes: That is an excellent question. So\NI usually develop it on such a thinkpad Dialogue: 0,0:48:15.31,0:48:23.02,Default,,0000,0000,0000,,machine, but we actually support also\NARM64 mode. So if you have a Raspberry Pi Dialogue: 0,0:48:23.02,0:48:28.89,Default,,0000,0000,0000,,3+, which I think has the virtualization\Nbits and the Linux kernel, which is reason Dialogue: 0,0:48:28.89,0:48:35.25,Default,,0000,0000,0000,,enough to support KVM on that Raspberry Pi\N3+, then you can try it out there. Dialogue: 0,0:48:35.25,0:48:41.79,Default,,0000,0000,0000,,Herald: Next question.\NQuestion: Well, currently most MirageOS Dialogue: 0,0:48:41.79,0:48:51.72,Default,,0000,0000,0000,,unikernels are used for running server\Napplications. And so obviously this all Dialogue: 0,0:48:51.72,0:48:58.23,Default,,0000,0000,0000,,static preconfiguration of OCaml and\Nmaybe Ada SPARK is fine for that. But what Dialogue: 0,0:48:58.23,0:49:03.82,Default,,0000,0000,0000,,do you think about... 
Will it ever be\Npossible to use the same approach with all Dialogue: 0,0:49:03.82,0:49:10.01,Default,,0000,0000,0000,,this static reconfiguration for these very\Ndynamic end user desktop systems, for Dialogue: 0,0:49:10.01,0:49:15.22,Default,,0000,0000,0000,,example, like which at least currently use\Nquite a lot of plug-and-play. Dialogue: 0,0:49:15.22,0:49:19.43,Default,,0000,0000,0000,,Hannes: Do you have an example? What are\Nyou thinking about? Dialogue: 0,0:49:19.43,0:49:26.41,Default,,0000,0000,0000,,Question: Well, I'm not that much into\Nthe topic of its SPARK stuff, but you said Dialogue: 0,0:49:26.41,0:49:32.24,Default,,0000,0000,0000,,that all the communication paths have to\Nbe defined in advance. So especially with Dialogue: 0,0:49:32.24,0:49:37.78,Default,,0000,0000,0000,,plug-and-play devices like all this USB\Nstuff, we either have to allow everything Dialogue: 0,0:49:37.78,0:49:46.55,Default,,0000,0000,0000,,in advance or we may have to reboot parts\Nof the unikernels in between to allow Dialogue: 0,0:49:46.55,0:49:54.66,Default,,0000,0000,0000,,rerouting stuff.\NHannes: Yes. Yes. So I mean if you want to Dialogue: 0,0:49:54.66,0:50:01.12,Default,,0000,0000,0000,,design a USB plug-and-play system, you can\Nthink of it as you plug in somewhere the Dialogue: 0,0:50:01.12,0:50:07.84,Default,,0000,0000,0000,,USB stick and then you start the unikernel\Nwhich only has access to that USB stick. Dialogue: 0,0:50:07.84,0:50:15.32,Default,,0000,0000,0000,,But having a unikernel... Well I wouldn't\Ndesign a unikernel which randomly does Dialogue: 0,0:50:15.32,0:50:23.57,Default,,0000,0000,0000,,plug and play with the outer world,\Nbasically. So. And one of the applications Dialogue: 0,0:50:23.57,0:50:30.80,Default,,0000,0000,0000,,I've listed here is at the top is a\Npicture viewer, which is a unikernel that Dialogue: 0,0:50:30.80,0:50:37.40,Default,,0000,0000,0000,,also at the moment, I think has static\Nembedded data in it. 
But is able on Qubes Dialogue: 0,0:50:37.40,0:50:43.82,Default,,0000,0000,0000,,OS or on Unix and SDL to display the\Nimages and you can think of some way we Dialogue: 0,0:50:43.82,0:50:48.67,Default,,0000,0000,0000,,are a network or so to access the images\Nactually. So you didn't need to compile Dialogue: 0,0:50:48.67,0:50:54.38,Default,,0000,0000,0000,,the images in, but you can have a good\Nrepository or TCP server or whatever in Dialogue: 0,0:50:54.38,0:51:01.08,Default,,0000,0000,0000,,order to receive the images. So I am\Nsaying. So what I didn't mention is that Dialogue: 0,0:51:01.08,0:51:05.76,Default,,0000,0000,0000,,MirageOS instead of being general purpose\Nand having a shell and you can do Dialogue: 0,0:51:05.76,0:51:11.28,Default,,0000,0000,0000,,everything with it, it is that each\Nservice, each unikernel is a single Dialogue: 0,0:51:11.28,0:51:16.53,Default,,0000,0000,0000,,service thing. So you can't do everything\Nwith it. And I think that is an advantage Dialogue: 0,0:51:16.53,0:51:23.31,Default,,0000,0000,0000,,from a lot of points of view. I agree\Nthat if you have a highly dynamic system, Dialogue: 0,0:51:23.31,0:51:27.68,Default,,0000,0000,0000,,that you may have some trouble on how to\Nintegrate that. Dialogue: 0,0:51:27.68,0:51:38.68,Default,,0000,0000,0000,,Herald: Are there any other questions? \NNo, it appears not. In which case, Dialogue: 0,0:51:38.68,0:51:41.11,Default,,0000,0000,0000,,thank you again, Hannes. \NWarm applause for Hannes. Dialogue: 0,0:51:41.11,0:51:44.53,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:51:44.53,0:51:49.44,Default,,0000,0000,0000,,{\i1}Outro music{\i0} Dialogue: 0,0:51:49.44,0:52:12.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!