Business Benefits
- Defined software packaged accelerates time to deployment
- Allows for software application reuse onto other programs
- Improved resiliency to cyber attack
Development Benefits
- Unikernels allow programs to link in all operating system services in a single address space obviating need to switch into kernel mode
- No context switching and not subject to being blocked by competing processes means Unikernel execution behavior is much easier to observe and characterize
- Aligned to industry standard interfaces including ARINC, FACE, and POSIX
the Lynx unikernel
LOWERING PROJECT RISKS AND COSTS THROUGH
- Simpler software component to verify system integrity and predictability
- Burden of multicore timing analysis drastically reduced
- Reduced attack space as compared withtraditional applications
WHAT IS A UNIKERNEL?
Virtualization technology, whereby multiple operating systems can be run on shared hardware, is well understood if somewhat inefficient in its use of resources. Just a few decades ago, everyone used virtual machines (VM) to host and manage the infrastructure. More recently, industries have shifted towards using containers with systems such as Docker and Kubernetes.
Containers try to achieve the same concept as virtual machines but eliminate duplication of effort between machines. Containers are easy to run on development machines and the deployment process itself is much simpler as one uploads pre-built containers to a container repository and production systems can pull the updated version. The container-based approach has its downsides. The software must be adapted for usage in containers (containerized), which can get tricky, especially with legacy codebases. Containers have many more configurations for resource allocation and interoperability capabilities, so it is quite easy to misconfigure them.
The next logical step in the progression from VMs to containers is unikernels, which try to push the concepts of containers even further. Unikernels are effectively a set of pre-built binary libraries and do not handle resource allocation. The hypervisor handles direct hardware interoperation. The unikernel architecture concept aims to deliver the security strengths of VM level partitioning with the speed and footprint size benefits attributed to containers. Unikernels are not new. There are, however, several issues associated with them which have limited their applications until now.
PLATFORM DETAILS
LynxElement runs inside a LynxSecure partition, where multiple unikernels can share a Central Processing Unit (CPU) core and LynxOS-178 re-composed into a unikernel. All applications run in supervisor mode. The unikernel supports two types of drivers:- Drivers for physical devices (Serial, Ethernet)
- Virtual drivers (paravirtualized serial and Ethernet; PVUART, PVNET)
The initial offering of LynxElement is centered on Intel and Arm architectures. As an example, a unikernel can be used to run security components like Intrusion Detection Systems (IDS) and Virtual Private Networks (VPN). In the diagram to the right, which shows how this could be implemented on a Xilinx development board, Statistical Anomaly Detectors monitor IP and 1553 traffic. Use of a data diode and filter on LynxElement enables customers to replace a Linux VM, saving memory space and drastically reducing the attack space.
