SlideShare uma empresa Scribd logo

CIF16: Tor in Haskell, or How To Write Programs For Unikernels (Adam Wick, Galois Inc.)

The Linux Foundation
The Linux Foundation

You did what, in what, why? In this talk, we’ll talk about Tor, Haskell, and unikernels, and why the technologies make for such a great combination. We’ll then look a little deeper, and walk through the design and construction process of such a project. Why is the first step in building a unikernel to not build a unikernel? Why is resource measurement so important? How the heck to you debug these things? Throughout, we’ll use our Tor implementation as our running example, providing some grounding for the proceedings. Code will be shown, and the pitfalls described. And, in the end, we’ll show how building unikernels isn’t actually all that much different from building anything else … if you take some simple precautions, don’t assume too much, and remember to do things the right way.

Tecnologia
1 de 37
Baixar para ler offline
Adam Wick @ CIF16 Tor in Haskell or How to Write Programs for Unikernels
This combination is not crazy. (In fact, it makes a lot of sense.)
© 2016 Galois, Inc.3 © 2016 Galois, Inc.3 Adam Wick @ CIF16 Built the Haskell Lightweight Virtual Machine (HaLVM) Works for (a unikernel) Adam Wick
© 2016 Galois, Inc.4 © 2016 Galois, Inc.4 Why are Unikernels and Tor such a good idea? Unikernels are fundamentally designed to be Lightweight Fast Secure More nodes for the same price, or the same number of nodes for less. Fewer schedulers means lower latency. A much smaller OS stack means less code to get wrong.
So We Did This (And now I’m going to tell you about it.)
But First: Tor
© 2016 Galois, Inc.7 © 2016 Galois, Inc.7 : Anonymity Through Root Vegetables Tor is an anonymous communication layer built on TLS that prevents people from learning who you are interacting with over the Internet.* * Terms and conditions may apply.
© 2016 Galois, Inc.8 © 2016 Galois, Inc.8 Guarantees*: 1. For any single relay node, it is impossible to tell where you are in the chain. 2. The exit node cannot tell how many hops were before it. 3. The entrance node cannot tell how many hops are in front of it. * Terms and conditions may apply.
© 2016 Galois, Inc.9 © 2016 Galois, Inc.9 Terms and Conditions May Apply The security of Tor is dependent on: 1. The correctness of the protocol design. 2. The correctness of the protocol implementation. 3. Ensuring that there are enough nodes that no single entity owns a sufficient percentage of nodes to have a top level view.
And Second: Haskell
© 2016 Galois, Inc.11 © 2016 Galois, Inc.11 It is also known for being popular with people that know more category theory than is good for them, which has given it a certain … reputation. Haskell is a functional programming language: fact :: Integer -> Integer map :: (a -> b) -> [a] -> [b] fact 0 = 1 map _ [] = [] fact x = x * fact (x – 1) map f (x:r) = (f x) : map f r It is mostly known for being lazy, pure, and strongly typed. Very HelpfulHandyMeh
© 2016 Galois, Inc.12 © 2016 Galois, Inc.12 do -- "To authenticate the initiator, the responder MUST check the -- following: -- * The CERTS cell contains exactly one CerType 3 'AUTH' -- certificate. let authCert = exactlyOneAuth certs Nothing authCert' = signedObject (getSigned authCert) -- * The CERTS cell contains exactly one CerType 2 'ID' -- certificate let iidCert = exactlyOneId certs Nothing iidCert' = signedObject (getSigned iidCert) -- * Both certificates have validAfter and validUntil dates -- that are not expired. when (certExpired authCert' now) $ fail "Auth certificate expired." when (certExpired iidCert' now) $ fail "Id certificate expired." -- * The certified key in the AUTH certificate is a 1024-bit RSA -- key. unless (is1024BitRSAKey authCert) $ fail "Auth certificate key is the wrong size." -- * The certified key in the ID certificate is a 1024-bit RSA -- key. unless (is1024BitRSAKey iidCert) $ fail "Identity certificate key is the wrong size." -- * The auth certificate is correctly signed with the key in the -- ID certificate. unless (authCert `isSignedBy` iidCert') $ fail "Auth certificate not signed by identity cert."
© 2016 Galois, Inc.13 © 2016 Galois, Inc.13 I’m Not Here To Sell You Haskell, But: Type Safety + Purity + Safe Data Structures + GC = Fewer bugs per LOC = Less security advisories per LOC
Unikernels You probably know what these are by now.
So: Tor + Haskell + Unikernels?
© 2016 Galois, Inc.16 © 2016 Galois, Inc.16 Terms and Conditions May Apply The security of Tor is dependent on: 1. The correctness of the protocol design. 2. The correctness of the protocol implementation. 3. Ensuring that there are enough nodes that no single entity owns a sufficient percentage of nodes to have a top level view. Can’t really do much for this one. Except that more implementations means more eyes on the specs. Haskell limits memory issues, type safety helps correctness. Unikernels limit attack surface. Unikernels limit resource usage, which allows a lot more relay nodes for the same cost.
Cool! How Did That Work?
© 2016 Galois, Inc.18 © 2016 Galois, Inc.18 So You Want To Build A Unikernel There are five steps to building a Unikernel: 1. Don’t. 2. Test & Measure. 3. Do. 4. Test (Part II) 5. Deploy.
© 2016 Galois, Inc.19 © 2016 Galois, Inc.19 Step #1: Don’t Build a Unikernel Building a unikernel adds a number of complications to the development process (which is already complicated enough). So start by building your application as you normally would, in a language that supports unikernels. (In this case, Haskell.) Build using your normal tools, libraries, and techniques, but: 1. Try to avoid local storage. 2. Try to minimize the number of libraries you pull in. 3. Stay away from libraries that link against C. With Tor, I began by implementing the core parsing and protocol code, sufficient to anonymously look up a hostname. To avoid a linking problem, I also ended up writing my own zlib decompression library. More on that later.
© 2016 Galois, Inc.20 © 2016 Galois, Inc.20 Step #2: Measure & Test What is your application’s peak memory use? Exactly how much space do you need for configuration files, etc.? Does this space need to be writeable? Then TEST, TEST, TEST. Your goal is that in later steps, any bugs you find have to do with the unikernel translation, not your application. In measuring my work with Tor, I discovered that the zlib library I’d written earlier was very … silly ... with regard to memory use. I wish I’d found that here.
© 2016 Galois, Inc.21 © 2016 Galois, Inc.21 Step #3: Do it. Once it works well, and you know about its resource usage, now it’s time to start converting it to a unikernel. 1. Some of your libraries won’t build, and you will either need to fix or replace these. Predicting which ones is possible, but requires some experience and internal knowledge of the library. 2. Disks are expensive and slow; consider using ramdisks. For many of our uses of unikernels, and Tor can be one of them, then the only need for a disk is to pass configuration information: small bits of read-only data. Ramdisks are the way to go. 3. You will need to rewrite your start-up code. You will now need to explicitly instantiate all your devices, for example. 4. Your Edit-Compile-Test loop just got more painful. Sorry. Getting things working on the HaLVM required: • Updates to the TLS library I was using. • Updates to the x.509 library I was using. And it benefited from a bunch of previous work I’d done for other unikernels.
© 2016 Galois, Inc.22 © 2016 Galois, Inc.22 Step #4: Test (Part II) Hopefully, any bugs you hit at this point are bugs in the adaptation to the unikernel, not in your code. But here are some more questions to verify: 1. Does your system come up cleanly, every time, even with flakey device timings? 2. Are you flying safely under your memory bounds? (If so, can you lower them safely?) 3. Can you run your test suite as a unikernel? (If so, do it.) 4. Optional: Does your new unikernel survive migration? This is still in progress. (This is always in progress.)
© 2016 Galois, Inc.23 © 2016 Galois, Inc.23 Step #5: Deploy The unikernel community is working to make deployment to all the standard clouds quicker and easier, but there are documents online that you can use. There are tools for distributing to EC2, but they’re incomplete. Different unikernels are in different places with regard to EC2 and other clouds.
Let’s See Some Code
© 2016 Galois, Inc.25 © 2016 Galois, Inc.25 Let’s Run Some Tor main :: IO () main = runDefaultMain $ flags -> do (MkNS ns, logger) <- initializeSystem flags let options = defaultTorOptions{ … } tor <- startTor ns options addrs <- torResolveName tor "www.whatismypublicip.com" case addrs of [] -> putStrLn ("Could not resolve www.whatismypublicip.com!") ((addr, _ttl) : _) -> do sock <- torConnect tor addr 80 putStrLn ("Connected to " ++ show addr) torWrite sock (buildGet "/") putStrLn ("Wrote GET request.") resp <- readLoop sock putStrLn ("Response: " ++ show resp) torClose sock ReasonDone Parse command line arguments, turn them into Tor configuration options, and start up the network.Start the various daemon threads required to run a Tor entrance node. Anonymously look up a domain name, based on the options provided earlier. Create an anonymous connection and read the response.
© 2016 Galois, Inc.26 © 2016 Galois, Inc.26 Starting Means Booting initializeSystem :: [Flag] -> IO (SomeNetworkStack, String -> IO ()) initializeSystem _ = do con <- initXenConsole xs <- initXenStore ns <- newNetworkStack macstr <- findNIC xs nic <- openNIC xs macstr let mac = read macstr addDevice ns mac (xenSend nic) (xenReceiveLoop nic) deviceUp ns mac ipaddr <- dhcpDiscover ns mac return (MkNS (hansNetworkStack ns), makeLogger ( x -> writeConsole con (x ++ "n"))) Most unikernels will get your memory and such set up, but devices are all up to you. Network setup is all your responsibility.
© 2016 Galois, Inc.27 © 2016 Galois, Inc.27 Abstracting Over Your Network Stack -- |The type of a Tor-compatible network stack. The first type variable is the -- type of a listener socket, the second the type of a standard connection -- socket. data TorNetworkStack lsock sock = TorNetworkStack { connect :: String -> Word16 -> IO (Maybe sock) -- |Lookup the given hostname and return any IP6 (Left) or IP4 (Right) -- addresses associated with it. , getAddress :: String -> IO [TorAddress] , listen :: Word16 -> IO lsock , accept :: lsock -> IO (sock, TorAddress) , recv :: sock -> Int -> IO S.ByteString , write :: sock -> L.ByteString -> IO () , flush :: sock -> IO () , close :: sock -> IO () , lclose :: lsock -> IO () }
© 2016 Galois, Inc.28 © 2016 Galois, Inc.28 QuickCheck! tapHandshakeCheck :: Word32 -> RouterTAP -> TorRNG -> Bool tapHandshakeCheck circId (RouterTAP myRouter priv) g0 = let (g1, (privX, cbody)) = startTAPHandshake myRouter g0 (g2, (dcell, fenc, benc)) = advanceTAPHandshake priv circId cbody g1 Created circIdD dbody = dcell in case completeTAPHandshake privX dbody of Left err -> False Right (fenc', benc') -> (circId == circIdD) && (fenc == fenc') && (benc == benc')
© 2016 Galois, Inc.29 © 2016 Galois, Inc.29 QuickCheck! TorCell Serialization: TorAddress round-trips: [OK, passed 100 tests] TorAddress makes sensible ByteStrings: [OK, passed 100 tests] ExtendSpec serializes: [OK, passed 100 tests] DestroyReason serializes (check #1): [OK, passed 100 tests] DestroyReason serializes (check #2): [OK, passed 100 tests] HandshakeType serializes (check #1): [OK, passed 100 tests] HandshakeType serializes (check #2): [OK, passed 100 tests] RelayEndReason serializes: [OK, passed 100 tests] RelayCell serializes: [OK, passed 100 tests] RelayCell serializes w/ digest: [OK, passed 100 tests] RelayCell serializes w/ digest: [OK, passed 100 tests] Tor certificates serialize: [OK, passed 100 tests] Hybrid encryption tests: Hybrid encryption works when forced: [OK, passed 100 tests] Hybrid encryption works in general: [OK, passed 100 tests] Handshakes: TAP Handshake: [OK, passed 100 tests] NTor Handshake: [OK, passed 100 tests] Make sure we get data formats like. Next step: fuzzing to make sure we’re sufficiently defensive. Test custom crypto. Test handshakes.
What is it like developing unikernels?
© 2016 Galois, Inc.31 © 2016 Galois, Inc.31 Boring • It’s just like normal development when you start. • Then you have to be a little more rigorous about testing and evaluation. • Then you run into a wall with library support. • Except it’s not nearly as much of a problem as it used to be. • With Tor, this meant writing one additional library from scratch (zlib), and then sending patches to a few other authors. • Debugging unikernels is also now more palatable: • printf(), gdbsx, profiling • The big remaining gap: the big web frameworks don’t work. • They require all the deep device and OS integration that causes problems with unikernels. (Mostly)
© 2016 Galois, Inc.32 © 2016 Galois, Inc.32 But What You Get Is More nodes, For less money, With a better security posture. Which is great for , and perhaps your next project.
© 2016 Galois, Inc.33 © 2016 Galois, Inc.33 All trademarks, service marks, trade names, trade dress, product names and logos appearing in these slides are the property of their respective owners, including in some instances Galois, Inc. All rights are reserved. http://github.com/GaloisInc/haskell-tor Adam Wick awick@galois.com Twitter: @acwpdx Any questions?
© 2016 Galois, Inc.34 © 2016 Galois, Inc.34 Unikernels are specialised, single address space machine images constructed using library operating systems. - Wikipedia or Unikernels : Virtual Machines :: Exokernels : Physical Machines or Unikernels are single-process programs compiled to run directly on (usually virtual) hardware, rather than within a full-featured OS.
© 2016 Galois, Inc.35 © 2016 Galois, Inc.35
© 2016 Galois, Inc.36 © 2016 Galois, Inc.36 Lower operating costs Faster response to events Smaller attack surface
© 2016 Galois, Inc.37 © 2016 Galois, Inc.37 Containers and Unikernels Unikernels: The next step in separation: 1. We started with single-task code. 2. Next, we separated some of our tasks into threads. 3. Next, we separated some of our threads into processes. 4. Next, we separated some of our processes into containers. 5. Now, we separated our critical containers into unikernels. Each level provides additional separation properties, at the cost of increased complexity in creating and reasoning about new code.

Recomendados

CIF16: Rethinking Foundations for Zero-devops Clouds (Maxim Kharchenko, Cloud...
CIF16: Rethinking Foundations for Zero-devops Clouds (Maxim Kharchenko, Cloud...CIF16: Rethinking Foundations for Zero-devops Clouds (Maxim Kharchenko, Cloud...
CIF16: Rethinking Foundations for Zero-devops Clouds (Maxim Kharchenko, Cloud...The Linux Foundation
 
CIF16: Running Go on Rumprun ( Ian Eyberg, DeferPanic Founder)
CIF16: Running Go on Rumprun ( Ian Eyberg, DeferPanic Founder)CIF16: Running Go on Rumprun ( Ian Eyberg, DeferPanic Founder)
CIF16: Running Go on Rumprun ( Ian Eyberg, DeferPanic Founder)The Linux Foundation
 
CIF16: Knock, Knock: Unikernels Calling! (Richard Mortier, Cambridge University)
CIF16: Knock, Knock: Unikernels Calling! (Richard Mortier, Cambridge University)CIF16: Knock, Knock: Unikernels Calling! (Richard Mortier, Cambridge University)
CIF16: Knock, Knock: Unikernels Calling! (Richard Mortier, Cambridge University)The Linux Foundation
 
CIF16: Solo5: Building a Unikernel Base From Scratch (Dan Williams, IBM)
CIF16: Solo5: Building a Unikernel Base From Scratch (Dan Williams, IBM)CIF16: Solo5: Building a Unikernel Base From Scratch (Dan Williams, IBM)
CIF16: Solo5: Building a Unikernel Base From Scratch (Dan Williams, IBM)The Linux Foundation
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 
CIF16: Building the Superfluid Cloud with Unikernels (Simon Kuenzer, NEC Europe)
CIF16: Building the Superfluid Cloud with Unikernels (Simon Kuenzer, NEC Europe)CIF16: Building the Superfluid Cloud with Unikernels (Simon Kuenzer, NEC Europe)
CIF16: Building the Superfluid Cloud with Unikernels (Simon Kuenzer, NEC Europe)The Linux Foundation
 
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...
CIF16: Unikernels, Meet Docker! Containing Unikernels (Richard Mortier, Anil ...The Linux Foundation
 
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)
CIF16: Unikernel.org (Amir Chaudhry, Docker Inc)The Linux Foundation
 

Mais conteúdo relacionado

Mais de The Linux Foundation

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleThe Linux Foundation
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportXPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportThe Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...The Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEThe Linux Foundation
 

Mais de The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportXPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
 

Último

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 

Último (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 

CIF16: Tor in Haskell, or How To Write Programs For Unikernels (Adam Wick, Galois Inc.)

  • 1. Adam Wick @ CIF16 Tor in Haskell or How to Write Programs for Unikernels
  • 2. This combination is not crazy. (In fact, it makes a lot of sense.)
  • 3. © 2016 Galois, Inc.3 © 2016 Galois, Inc.3 Adam Wick @ CIF16 Built the Haskell Lightweight Virtual Machine (HaLVM) Works for (a unikernel) Adam Wick
  • 4. © 2016 Galois, Inc.4 © 2016 Galois, Inc.4 Why are Unikernels and Tor such a good idea? Unikernels are fundamentally designed to be Lightweight Fast Secure More nodes for the same price, or the same number of nodes for less. Fewer schedulers means lower latency. A much smaller OS stack means less code to get wrong.
  • 5. So We Did This (And now I’m going to tell you about it.)
  • 7. © 2016 Galois, Inc.7 © 2016 Galois, Inc.7 : Anonymity Through Root Vegetables Tor is an anonymous communication layer built on TLS that prevents people from learning who you are interacting with over the Internet.* * Terms and conditions may apply.
  • 8. © 2016 Galois, Inc.8 © 2016 Galois, Inc.8 Guarantees*: 1. For any single relay node, it is impossible to tell where you are in the chain. 2. The exit node cannot tell how many hops were before it. 3. The entrance node cannot tell how many hops are in front of it. * Terms and conditions may apply.
  • 9. © 2016 Galois, Inc.9 © 2016 Galois, Inc.9 Terms and Conditions May Apply The security of Tor is dependent on: 1. The correctness of the protocol design. 2. The correctness of the protocol implementation. 3. Ensuring that there are enough nodes that no single entity owns a sufficient percentage of nodes to have a top level view.
  • 11. © 2016 Galois, Inc.11 © 2016 Galois, Inc.11 It is also known for being popular with people that know more category theory than is good for them, which has given it a certain … reputation. Haskell is a functional programming language: fact :: Integer -> Integer map :: (a -> b) -> [a] -> [b] fact 0 = 1 map _ [] = [] fact x = x * fact (x – 1) map f (x:r) = (f x) : map f r It is mostly known for being lazy, pure, and strongly typed. Very HelpfulHandyMeh
  • 12. © 2016 Galois, Inc.12 © 2016 Galois, Inc.12 do -- "To authenticate the initiator, the responder MUST check the -- following: -- * The CERTS cell contains exactly one CerType 3 'AUTH' -- certificate. let authCert = exactlyOneAuth certs Nothing authCert' = signedObject (getSigned authCert) -- * The CERTS cell contains exactly one CerType 2 'ID' -- certificate let iidCert = exactlyOneId certs Nothing iidCert' = signedObject (getSigned iidCert) -- * Both certificates have validAfter and validUntil dates -- that are not expired. when (certExpired authCert' now) $ fail "Auth certificate expired." when (certExpired iidCert' now) $ fail "Id certificate expired." -- * The certified key in the AUTH certificate is a 1024-bit RSA -- key. unless (is1024BitRSAKey authCert) $ fail "Auth certificate key is the wrong size." -- * The certified key in the ID certificate is a 1024-bit RSA -- key. unless (is1024BitRSAKey iidCert) $ fail "Identity certificate key is the wrong size." -- * The auth certificate is correctly signed with the key in the -- ID certificate. unless (authCert `isSignedBy` iidCert') $ fail "Auth certificate not signed by identity cert."
  • 13. © 2016 Galois, Inc.13 © 2016 Galois, Inc.13 I’m Not Here To Sell You Haskell, But: Type Safety + Purity + Safe Data Structures + GC = Fewer bugs per LOC = Less security advisories per LOC
  • 14. Unikernels You probably know what these are by now.
  • 15. So: Tor + Haskell + Unikernels?
  • 16. © 2016 Galois, Inc.16 © 2016 Galois, Inc.16 Terms and Conditions May Apply The security of Tor is dependent on: 1. The correctness of the protocol design. 2. The correctness of the protocol implementation. 3. Ensuring that there are enough nodes that no single entity owns a sufficient percentage of nodes to have a top level view. Can’t really do much for this one. Except that more implementations means more eyes on the specs. Haskell limits memory issues, type safety helps correctness. Unikernels limit attack surface. Unikernels limit resource usage, which allows a lot more relay nodes for the same cost.
  • 17. Cool! How Did That Work?
  • 18. © 2016 Galois, Inc.18 © 2016 Galois, Inc.18 So You Want To Build A Unikernel There are five steps to building a Unikernel: 1. Don’t. 2. Test & Measure. 3. Do. 4. Test (Part II) 5. Deploy.
  • 19. © 2016 Galois, Inc.19 © 2016 Galois, Inc.19 Step #1: Don’t Build a Unikernel Building a unikernel adds a number of complications to the development process (which is already complicated enough). So start by building your application as you normally would, in a language that supports unikernels. (In this case, Haskell.) Build using your normal tools, libraries, and techniques, but: 1. Try to avoid local storage. 2. Try to minimize the number of libraries you pull in. 3. Stay away from libraries that link against C. With Tor, I began by implementing the core parsing and protocol code, sufficient to anonymously look up a hostname. To avoid a linking problem, I also ended up writing my own zlib decompression library. More on that later.
  • 20. © 2016 Galois, Inc.20 © 2016 Galois, Inc.20 Step #2: Measure & Test What is your application’s peak memory use? Exactly how much space do you need for configuration files, etc.? Does this space need to be writeable? Then TEST, TEST, TEST. Your goal is that in later steps, any bugs you find have to do with the unikernel translation, not your application. In measuring my work with Tor, I discovered that the zlib library I’d written earlier was very … silly ... with regard to memory use. I wish I’d found that here.
  • 21. © 2016 Galois, Inc.21 © 2016 Galois, Inc.21 Step #3: Do it. Once it works well, and you know about its resource usage, now it’s time to start converting it to a unikernel. 1. Some of your libraries won’t build, and you will either need to fix or replace these. Predicting which ones is possible, but requires some experience and internal knowledge of the library. 2. Disks are expensive and slow; consider using ramdisks. For many of our uses of unikernels, and Tor can be one of them, then the only need for a disk is to pass configuration information: small bits of read-only data. Ramdisks are the way to go. 3. You will need to rewrite your start-up code. You will now need to explicitly instantiate all your devices, for example. 4. Your Edit-Compile-Test loop just got more painful. Sorry. Getting things working on the HaLVM required: • Updates to the TLS library I was using. • Updates to the x.509 library I was using. And it benefited from a bunch of previous work I’d done for other unikernels.
  • 22. © 2016 Galois, Inc.22 © 2016 Galois, Inc.22 Step #4: Test (Part II) Hopefully, any bugs you hit at this point are bugs in the adaptation to the unikernel, not in your code. But here are some more questions to verify: 1. Does your system come up cleanly, every time, even with flakey device timings? 2. Are you flying safely under your memory bounds? (If so, can you lower them safely?) 3. Can you run your test suite as a unikernel? (If so, do it.) 4. Optional: Does your new unikernel survive migration? This is still in progress. (This is always in progress.)
  • 23. © 2016 Galois, Inc.23 © 2016 Galois, Inc.23 Step #5: Deploy The unikernel community is working to make deployment to all the standard clouds quicker and easier, but there are documents online that you can use. There are tools for distributing to EC2, but they’re incomplete. Different unikernels are in different places with regard to EC2 and other clouds.
  • 25. © 2016 Galois, Inc.25 © 2016 Galois, Inc.25 Let’s Run Some Tor main :: IO () main = runDefaultMain $ flags -> do (MkNS ns, logger) <- initializeSystem flags let options = defaultTorOptions{ … } tor <- startTor ns options addrs <- torResolveName tor "www.whatismypublicip.com" case addrs of [] -> putStrLn ("Could not resolve www.whatismypublicip.com!") ((addr, _ttl) : _) -> do sock <- torConnect tor addr 80 putStrLn ("Connected to " ++ show addr) torWrite sock (buildGet "/") putStrLn ("Wrote GET request.") resp <- readLoop sock putStrLn ("Response: " ++ show resp) torClose sock ReasonDone Parse command line arguments, turn them into Tor configuration options, and start up the network.Start the various daemon threads required to run a Tor entrance node. Anonymously look up a domain name, based on the options provided earlier. Create an anonymous connection and read the response.
  • 26. © 2016 Galois, Inc.26 © 2016 Galois, Inc.26 Starting Means Booting initializeSystem :: [Flag] -> IO (SomeNetworkStack, String -> IO ()) initializeSystem _ = do con <- initXenConsole xs <- initXenStore ns <- newNetworkStack macstr <- findNIC xs nic <- openNIC xs macstr let mac = read macstr addDevice ns mac (xenSend nic) (xenReceiveLoop nic) deviceUp ns mac ipaddr <- dhcpDiscover ns mac return (MkNS (hansNetworkStack ns), makeLogger ( x -> writeConsole con (x ++ "n"))) Most unikernels will get your memory and such set up, but devices are all up to you. Network setup is all your responsibility.
  • 27. © 2016 Galois, Inc.27 © 2016 Galois, Inc.27 Abstracting Over Your Network Stack -- |The type of a Tor-compatible network stack. The first type variable is the -- type of a listener socket, the second the type of a standard connection -- socket. data TorNetworkStack lsock sock = TorNetworkStack { connect :: String -> Word16 -> IO (Maybe sock) -- |Lookup the given hostname and return any IP6 (Left) or IP4 (Right) -- addresses associated with it. , getAddress :: String -> IO [TorAddress] , listen :: Word16 -> IO lsock , accept :: lsock -> IO (sock, TorAddress) , recv :: sock -> Int -> IO S.ByteString , write :: sock -> L.ByteString -> IO () , flush :: sock -> IO () , close :: sock -> IO () , lclose :: lsock -> IO () }
  • 28. © 2016 Galois, Inc.28 © 2016 Galois, Inc.28 QuickCheck! tapHandshakeCheck :: Word32 -> RouterTAP -> TorRNG -> Bool tapHandshakeCheck circId (RouterTAP myRouter priv) g0 = let (g1, (privX, cbody)) = startTAPHandshake myRouter g0 (g2, (dcell, fenc, benc)) = advanceTAPHandshake priv circId cbody g1 Created circIdD dbody = dcell in case completeTAPHandshake privX dbody of Left err -> False Right (fenc', benc') -> (circId == circIdD) && (fenc == fenc') && (benc == benc')
  • 29. © 2016 Galois, Inc.29 © 2016 Galois, Inc.29 QuickCheck! TorCell Serialization: TorAddress round-trips: [OK, passed 100 tests] TorAddress makes sensible ByteStrings: [OK, passed 100 tests] ExtendSpec serializes: [OK, passed 100 tests] DestroyReason serializes (check #1): [OK, passed 100 tests] DestroyReason serializes (check #2): [OK, passed 100 tests] HandshakeType serializes (check #1): [OK, passed 100 tests] HandshakeType serializes (check #2): [OK, passed 100 tests] RelayEndReason serializes: [OK, passed 100 tests] RelayCell serializes: [OK, passed 100 tests] RelayCell serializes w/ digest: [OK, passed 100 tests] RelayCell serializes w/ digest: [OK, passed 100 tests] Tor certificates serialize: [OK, passed 100 tests] Hybrid encryption tests: Hybrid encryption works when forced: [OK, passed 100 tests] Hybrid encryption works in general: [OK, passed 100 tests] Handshakes: TAP Handshake: [OK, passed 100 tests] NTor Handshake: [OK, passed 100 tests] Make sure we get data formats like. Next step: fuzzing to make sure we’re sufficiently defensive. Test custom crypto. Test handshakes.
  • 30. What is it like developing unikernels?
  • 31. © 2016 Galois, Inc.31 © 2016 Galois, Inc.31 Boring • It’s just like normal development when you start. • Then you have to be a little more rigorous about testing and evaluation. • Then you run into a wall with library support. • Except it’s not nearly as much of a problem as it used to be. • With Tor, this meant writing one additional library from scratch (zlib), and then sending patches to a few other authors. • Debugging unikernels is also now more palatable: • printf(), gdbsx, profiling • The big remaining gap: the big web frameworks don’t work. • They require all the deep device and OS integration that causes problems with unikernels. (Mostly)
  • 32. © 2016 Galois, Inc.32 © 2016 Galois, Inc.32 But What You Get Is More nodes, For less money, With a better security posture. Which is great for , and perhaps your next project.
  • 33. © 2016 Galois, Inc.33 © 2016 Galois, Inc.33 All trademarks, service marks, trade names, trade dress, product names and logos appearing in these slides are the property of their respective owners, including in some instances Galois, Inc. All rights are reserved. http://github.com/GaloisInc/haskell-tor Adam Wick awick@galois.com Twitter: @acwpdx Any questions?
  • 34. © 2016 Galois, Inc.34 © 2016 Galois, Inc.34 Unikernels are specialised, single address space machine images constructed using library operating systems. - Wikipedia or Unikernels : Virtual Machines :: Exokernels : Physical Machines or Unikernels are single-process programs compiled to run directly on (usually virtual) hardware, rather than within a full-featured OS.
  • 35. © 2016 Galois, Inc.35 © 2016 Galois, Inc.35
  • 36. © 2016 Galois, Inc.36 © 2016 Galois, Inc.36 Lower operating costs Faster response to events Smaller attack surface
  • 37. © 2016 Galois, Inc.37 © 2016 Galois, Inc.37 Containers and Unikernels Unikernels: The next step in separation: 1. We started with single-task code. 2. Next, we separated some of our tasks into threads. 3. Next, we separated some of our threads into processes. 4. Next, we separated some of our processes into containers. 5. Now, we separated our critical containers into unikernels. Each level provides additional separation properties, at the cost of increased complexity in creating and reasoning about new code.