Description
Monolithic operating systems have a large Trusted Computing Base (TCB) because they run all OS services in kernel space. Microkernels, on the other hand, push most services into user space and run only the absolute minimum in the kernel itself. Microkernels use capabilities to enforce fine-grained access control over kernel resources, which allows a high degree of isolation between software components and makes them attractive for mixed-criticality workloads. This focus on minimality comes at a high price: microkernels require a significant porting effort to support general-purpose workloads such as Linux/POSIX applications. To circumvent this problem, microkernels are often used as hypervisors that run the required workload in a virtual machine, but this approach negates many microkernel-related benefits and hinders wider microkernel adoption. This thesis proposes a design that uses unikernels as a lightweight compatibility layer to run real-world workloads on top of microkernels. A thin interface was designed that abstracts over hardware resources using basic microkernel mechanisms and provides the low-level functionality the unikernel needs. This interface allows unikernels to run as ordinary microkernel processes, strongly isolated through the capabilities the microkernel provides. Compatibility with Linux/POSIX applications is realized by the unikernel itself and is largely independent of the designed interface. A prototype was implemented on the Unikraft unikernel and the seL4 microkernel and evaluated with several performance benchmarks. The results compare favourably with unikernels on other platforms and confirm that unikernels can serve as a lightweight way to provide compatibility for microkernels. The presented system is an attractive target for real-world mixed-criticality use cases and aims to further widespread microkernel adoption.
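The abstract rests on one security property: a unikernel running as a microkernel process can only reach the hardware resources for which it holds a capability, and a capability handed down to it can carry fewer rights than the one it was derived from, never more. The following C model, added here as an illustration and not code from the thesis, the Unikraft project or the seL4 API, shows that mediation in miniature: every process owns a capability space (CSpace) of slots, access is only possible through a slot, minting a derived capability may only attenuate rights, and revoking a capability also deletes everything derived from it. All names (cap_create_root, cap_mint, cap_access, cap_revoke, the CAP_* rights) and the frame numbers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative capability model (constructed for this page; not the seL4 API
 * and not the thesis prototype). Each "process" owns a CSpace, a small table
 * of slots. A slot is either empty or names one resource together with a
 * rights mask. Access is only possible through a slot, so a process holding
 * no capability for a frame cannot touch that frame at all. */

#define CAP_READ   (1u << 0)
#define CAP_WRITE  (1u << 1)
#define CAP_GRANT  (1u << 2)   /* holder may derive (mint) new caps from this one */

#define SLOTS      8
#define SPACES     4

struct cap {
    int      valid;
    unsigned resource;      /* e.g. a physical frame or a device register block */
    unsigned rights;
    int      parent_space;  /* derivation origin; -1 for a root capability */
    int      parent_slot;
};

static struct cap cspace[SPACES][SLOTS];

static int in_range(int space, int slot)
{
    return space >= 0 && space < SPACES && slot >= 0 && slot < SLOTS;
}

static void caps_reset(void) { memset(cspace, 0, sizeof cspace); }

/* Root capabilities exist only because the kernel created them at boot. */
static int cap_create_root(int space, int slot, unsigned resource, unsigned rights)
{
    if (!in_range(space, slot)) return -1;
    cspace[space][slot] = (struct cap){1, resource, rights, -1, -1};
    return 0;
}

/* Mint: copy a capability into another CSpace with a rights mask that must be
 * a subset of the source's rights. Requires GRANT on the source. Rights can be
 * attenuated on the way down, never amplified. */
static int cap_mint(int src_space, int src_slot, int dst_space, int dst_slot, unsigned rights)
{
    const struct cap *src;
    if (!in_range(src_space, src_slot) || !in_range(dst_space, dst_slot)) return -1;
    src = &cspace[src_space][src_slot];
    if (!src->valid || !(src->rights & CAP_GRANT)) return -2;  /* no authority to grant */
    if (rights & ~src->rights) return -3;                        /* attempted amplification */
    if (cspace[dst_space][dst_slot].valid) return -4;           /* destination slot occupied */
    cspace[dst_space][dst_slot] = (struct cap){1, src->resource, rights, src_space, src_slot};
    return 0;
}

/* Every access is mediated: the caller names a slot in its own CSpace, never
 * the resource directly. Returns 1 if the slot grants all requested rights. */
static int cap_access(int space, int slot, unsigned right)
{
    const struct cap *c;
    if (!in_range(space, slot)) return 0;
    c = &cspace[space][slot];
    return c->valid && (c->rights & right) == right;
}

/* Revoke: delete a capability and, recursively, everything derived from it. */
static void cap_revoke(int space, int slot)
{
    int s, i;
    if (!in_range(space, slot) || !cspace[space][slot].valid) return;
    cspace[space][slot].valid = 0;
    for (s = 0; s < SPACES; s++)
        for (i = 0; i < SLOTS; i++)
            if (cspace[s][i].valid && cspace[s][i].parent_space == space
                && cspace[s][i].parent_slot == slot)
                cap_revoke(s, i);
}

int main(void)
{
    /* Constructed scenario: space 0 is the root task, space 1 a unikernel
     * process, space 2 a component the unikernel delegates to, space 3 holds
     * nothing and therefore cannot reach frame 42 at all. */
    caps_reset();
    cap_create_root(0, 0, 42, CAP_READ | CAP_WRITE | CAP_GRANT);
    cap_mint(0, 0, 1, 0, CAP_READ | CAP_GRANT);    /* unikernel: read-only, may delegate */
    printf("unikernel read:  %d\n", cap_access(1, 0, CAP_READ));
    printf("unikernel write: %d\n", cap_access(1, 0, CAP_WRITE));
    printf("mint WRITE from read-only cap -> %d (rejected)\n", cap_mint(1, 0, 2, 0, CAP_WRITE));
    cap_mint(1, 0, 2, 0, CAP_READ);
    printf("no cap, no access: %d\n", cap_access(3, 0, CAP_READ));
    cap_revoke(0, 0);
    printf("after revoke, delegate read: %d\n", cap_access(2, 0, CAP_READ));
    return 0;
}
```

The point the model makes for the thesis design is that the thin hardware-abstraction interface does not need any trust in the unikernel: the unikernel can only use the frames, IRQs or device regions that the root task minted into its CSpace, and a second component it delegates to can hold at most what the unikernel holds.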