THE LYNX UNIKERNEL
- Unikernels allow programs to link in all operating system services in a single address space, obviating the need to switch into kernel mode
- No context switching, and no blocking by competing processes, means unikernel execution behavior is much easier to observe and characterize
- Aligned to industry standard interfaces including ARINC, FACE, and POSIX
LOWERING PROJECT RISKS AND COSTS THROUGH
- Simpler software component to verify system integrity and predictability
- Burden of multicore timing analysis drastically reduced
- Reduced attack space as compared with traditional applications
WHAT IS A UNIKERNEL?
Virtualization technology, whereby multiple operating systems can be run on shared hardware, is well understood if somewhat inefficient in its use of resources. Just a few decades ago, everyone used virtual machines (VMs) to host and manage their infrastructure. More recently, industries have shifted towards using containers with systems such as Docker and Kubernetes.
Containers try to achieve the same concept as virtual machines but eliminate duplication of effort between machines. Containers are easy to run on development machines and the deployment process itself is much simpler as one uploads pre-built containers to a container repository and production systems can pull the updated version. The container-based approach has its downsides. The software must be adapted for usage in containers (containerized), which can get tricky, especially with legacy codebases. Containers have many more configurations for resource allocation and interoperability capabilities, so it is quite easy to misconfigure them.
The next logical step in the progression from VMs to containers is unikernels, which try to push the concepts of containers even further. Unikernels are effectively a set of pre-built binary libraries and do not handle resource allocation. The hypervisor handles direct hardware interoperation. The unikernel architecture concept aims to deliver the security strengths of VM level partitioning with the speed and footprint size benefits attributed to containers. Unikernels are not new. There are, however, several issues associated with them which have limited their applications until now.
PLATFORM DETAILS
LynxElement runs inside a LynxSecure partition, where multiple unikernels can share a Central Processing Unit (CPU) core; it is LynxOS-178 re-composed into a unikernel. All applications run in supervisor mode. The unikernel supports two types of drivers:
- Drivers for physical devices (Serial, Ethernet)
- Virtual drivers (paravirtualized serial and Ethernet; PVUART, PVNET)
The initial offering of LynxElement is centered on Intel and Arm architectures. As an example, a unikernel can be used to run security components like Intrusion Detection Systems (IDS) and Virtual Private Networks (VPN). In the diagram to the right, which shows how this could be implemented on a Xilinx development board, Statistical Anomaly Detectors monitor IP and 1553 traffic. Use of a data diode and filter on LynxElement enables customers to replace a Linux VM, saving memory space and drastically reducing the attack space.